Risk Assessment for Information Technology
Information technology (IT) systems represent the backbone of a corporation's operational infrastructure. Accordingly, a company's top management typically ensures that computer software and hardware mechanisms are adequate, functional and in adherence with regulatory guidelines and industry practices. A risk assessment initiative for IT systems generally helps management understand areas in which significant losses may arise.
Information Technology Risk Defined
IT risk includes breakdowns in computer hardware and gaps in IT staff expertise in a specific field. It also covers the risk of loss resulting from theft of corporate data or customer information. As an illustration, assume a hacker gains access to a bank's customer information database. If the bank's IT staff and top leadership do not quickly implement adequate firewall protection measures, the bank may incur losses. IT risk also includes the risk of loss originating from computer software malfunction, such as the expiration of a manufacturer's software license or software glitches, and the effect such a malfunction has on corporate activities.
Risk and Control Assessment
A corporation's top management periodically instructs department heads and segment employees to prepare risk and control self-assessment (RCSA) reports. An RCSA is a document that records the risks and controls related to a process or an area. A control is a set of instructions that a company's management establishes to prevent losses due to technological breakdowns. Employees review IT controls to ensure they are adequate and functioning, and then rate risks as "tier 1," "tier 2" or "tier 3" based on loss expectations.
Time Frame
A corporation's senior management typically reviews risk assessment results on a quarterly and annual basis. RCSA and internal audit reports are usually issued every quarter, whereas external auditors present testing results to the board of directors at the end of the year. For example, an IT auditor may review the internal controls of the sales processing and customer service departments. The auditor may rank the risks inherent in the departments' activities as "tier 2," or "medium," risks and notify senior management at the end of the quarter.
Tier 1 Risk
"Tier 1" risk, also called "high" risk, is the risk of loss that may emanate from computer system breakdowns in a large business unit. A company's top management typically reviews "tier 1" risks and provides corrective measures. To illustrate, assume a large insurance company cannot process premium payments because IT systems are not functional. The company's board of directors and senior management may hire a consulting firm to remedy the situation or provide temporary mitigating solutions.
Tier 2 and Tier 3 Risks
"Tier 2" and "tier 3" risks are also referred to as "medium" and "low" risks. These risks cause losses in a department's processes or in a segment's IT infrastructure. Department heads and segment employees typically review "tier 2" and "tier 3" risk events to ensure internal controls are functioning and preventing losses. For example, if an insurance company's IT problems in premium processing affect only life insurance policies, and the life insurance business unit contributes only 35 percent of total revenues, the company may face a "tier 2" or "tier 3" risk.