Today's businesses face many risks, including natural disasters, intentional and unintentional man-made disasters, and catastrophic systems failures. Any of these disasters can severely impact the information technology (IT) systems of an organization. Risk management is the process of managing and properly responding to those risks with the goal of maintaining business operations during an event that threatens the life of a company. A good risk management program can determine the true exposure of a company's information technology systems to a given set of risks and provide input for developing strategies to address those risks.
Risk management is part of a higher-level process called business continuity planning, which encompasses a number of activities that all have the same goals: to protect the organization's ability to continue its business functions and to minimize the impact of a disruptive event. Most businesses of any size rely heavily on their IT systems, and these systems must be functioning for business operations to continue. The risk management process therefore necessarily encompasses IT, and much of the risk management effort will be spent developing strategies to protect and recover information and technology systems.
Risk analysis is a vital part of a risk management program. The organization must identify, assess and assign a value to the occurrence of an event. This involves determining the actual likelihood of an event, then determining the impact to the business and assigning a dollar value to that impact. This helps to determine a strategy for addressing the risk. For instance, an electrical storm may disable a data center for an extended period of time, depending on the amount of damage. If the information systems are down, sales, customer service, communications and any number of business functions are negatively impacted. This translates to dollars lost to the company.
There are many risks that face any information technology group, and proper risk analysis seeks to ferret out all of them. From natural disasters to man-made disasters to catastrophic hardware and software failures, all potential risks must be documented and analyzed to determine the real probability of an occurrence.
Once the risks are identified, analyzed and evaluated, the organization must address the risk in some way. There are three basic responses to an identified risk: eliminate the risk; mitigate (or share) the risk; or accept the risk. The decision is heavily influenced by the cost of the strategy versus the dollar impact should the risk materialize in an event.
If the risk is high and the impact is high, the business may decide to invest heavily in eliminating or mitigating the risk. If the risk is low and the impact is low, the business may decide to accept the risk. For instance, if there is a high risk of tornadoes due to the geographic location of a business, there is a recognized threat to the data center that houses the information technology systems. The risk is high and the impact could be very costly. In this case, the company may decide to do several things: implement a good backup strategy with backup data moved off-site; subscribe to an alternate recovery site; and take out a business interruption insurance policy. Information technology recovery strategies typically rely heavily on the ability to restore data from backups, so it is vital that the backup and restore strategy be tested several times per year.
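The likelihood-times-dollar-impact analysis described above, and the cost-of-strategy versus dollar-impact decision it feeds, can be carried through numerically. The following is an added example, not part of the original article: it assumes the standard annualized loss expectancy formula (ALE = single loss expectancy × annual rate of occurrence) and uses a constructed tornado scenario with made-up dollar figures for the off-site backup and alternate-site options.

```python
# Added example (not from the original article): a small quantitative risk
# analysis helper. It assumes the standard annualized loss expectancy (ALE)
# formula ALE = SLE * ARO: SLE is the dollar impact of one occurrence, ARO the
# expected number of occurrences per year (the likelihood the article names).
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    single_loss_usd: float  # impact of a single occurrence, in dollars
    annual_rate: float      # expected occurrences per year (likelihood)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float       # yearly cost to run the control
    rate_reduction: float = 0.0  # fraction of occurrences prevented, 0..1
    loss_reduction: float = 0.0  # fraction of per-event loss avoided, 0..1

def ale(risk: Risk) -> float:
    """Annualized loss expectancy with no controls in place."""
    return risk.single_loss_usd * risk.annual_rate

def residual_ale(risk: Risk, controls: list[Control]) -> float:
    """ALE after the controls; reductions are applied multiplicatively."""
    rate, loss = risk.annual_rate, risk.single_loss_usd
    for c in controls:
        if not (0.0 <= c.rate_reduction <= 1.0 and 0.0 <= c.loss_reduction <= 1.0):
            raise ValueError(f"{c.name}: reductions must lie in [0, 1]")
        rate *= 1.0 - c.rate_reduction
        loss *= 1.0 - c.loss_reduction
    return rate * loss

def net_control_value(risk: Risk, controls: list[Control]) -> float:
    """Yearly loss avoided by the controls minus what they cost to run."""
    avoided = ale(risk) - residual_ale(risk, controls)
    return avoided - sum(c.annual_cost_usd for c in controls)

def recommend(risk: Risk, controls: list[Control]) -> str:
    """Cost of the strategy versus dollar impact: mitigate only if it pays."""
    return "mitigate" if controls and net_control_value(risk, controls) > 0 else "accept"

# Constructed tornado scenario: $2,000,000 per strike on the data center,
# expected once in 20 years (ARO 0.05), so the baseline ALE is $100,000/year.
TORNADO = Risk("tornado disables data center", 2_000_000, 0.05)
OFFSITE_BACKUPS = Control("off-site backups, restores tested", 30_000, loss_reduction=0.6)
ALT_SITE = Control("alternate recovery site subscription", 40_000, loss_reduction=0.5)

if __name__ == "__main__":
    print(recommend(TORNADO, [OFFSITE_BACKUPS, ALT_SITE]), net_control_value(TORNADO, [OFFSITE_BACKUPS, ALT_SITE]))
```

Comparing `net_control_value` for the backup control alone against both controls together shows the diminishing return of stacking mitigations against the same loss, which is exactly the cost-versus-impact comparison the decision turns on.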
An organization may mitigate or reduce the risk to its information systems in several ways. One is to implement controls that reduce the risk. For instance, if an identified risk involves the physical security of a server room, the company may choose to install card access or even biometric access doors. This action would greatly reduce the risk of a physical intrusion.
Cyber attack is another common risk. If a business is connected to the Internet, it is subject to cyber attack. The business may choose to reduce this risk by installing a firewall on the Internet connection to keep intruders out. These mitigation options are typically implemented as controls.
Risk controls for information technology include supportive, preventive and recovery controls. Supportive controls include hardware and software systems, user identification systems, cryptography and security administration tools. Preventive controls include physical security, intrusion protection systems, authentication and authorization systems, and access control systems. Recovery controls are in place to address an event that is in progress or has already occurred. These tools include audits, intrusion detection systems, logging systems, and backup and restore systems.
In addition to these technical controls, a company may implement management controls, including separation of duties, training, disaster recovery exercises and periodic IT audits. All of these controls are critical and necessary for the protection of the company's information technology systems.