Optimizing business risks associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise is a key component in an enterprise’s ability to create value. This will allow the enterprise to reach the main objectives and it will most likely result in expansion.
Optimizing IT risks not only requires key practices of the company governance, such as the definition of risk appetite and policies, but also a continuous management process to identify, analyze, evaluate and treat IT risks covering the whole enterprise end-to-end.
However, a frequent issue is that organizations are limited in essential resources for IT risk management—for example, staff-related gaps (quantity and skills), lack of automated tools, restricted budget, incomplete inventories of IT assets and absence of historical data of loss events related with IT risks.
Although all these limitations are solvable, the solution may not come up immediately. As a result, an organization would still be exposed to unidentified IT risk scenarios that could overcome the established appetite or even the capacity to resist losses, compromising the sustainability of the company.
Therefore, the priority is to start as soon as possible by defining valid criteria to identify the IT risk scenarios and determine an optimized scope for the IT risk management process depending on the resources and capabilities available. To start the primary identification of the risk scenarios, the following eight steps are suggested:
- Consider internationally recognized standards and guidance, such as:
- Analyze business objectives of the organization to identify IT-related risks that could jeopardize its success.
- Collect the know-how of the experts within the organization scope (e.g., CISO, DBA and CTO) to engage them in the process of IT risk management.
- Assess news of vulnerabilities of the IT assets/resources adopted by the company.
- Apply “reverse engineering” over controls required by the ongoing regulations to infer/detect possible threats from those controls.
- Analyze the events of operational risk loss database to detect materialized IT risk scenarios.
- Once you have collected a considerable universe of scenarios, the organization´s possible scope of analysis should be formally defined. This will require a formal approval from the relevant bodies (e.g., risk committee).
- Approved register of IT risk scenarios should be enriched periodically, depending on: what actually happened about threats, updates of standards, new technological developments and improvement of the capacity level of the facilitators required for risk management.
Once the registry of risk scenarios is formally approved, the universe of assets/IT resources to analyze could be defined assigning priority to the most critical ones in terms of their support for the business processes. After this, the phase of IT risk analysis within the company could already be started with the most appropriate scope.
Franco Rigante, CISA, CRISC, PMP
IT – GRC Specialist
ISACA Communities Committee