What is IT risk management?


IT risk management is a subset of enterprise risk management (ERM), designed to align IT risks with an organization’s risk appetite. IT risk management (ITRM) encompasses the policies, procedures and technology needed to reduce threats and vulnerabilities, while maintaining compliance with applicable regulatory requirements. In addition, ITRM seeks to limit the consequences of destructive events, such as security breaches.

Typically, ITRM focuses on risk identification and analysis, risk assessment and prioritization, and risk mitigation. Because infrastructure, business priorities, and threats are constantly changing, IT risk management should be treated as an ongoing process.


How does IT risk management work?

Businesses today face a variety of risks. These include cyber risk, privacy, operational and compliance risk, as well as business reputation and bottom line risk. Although risk appetite and tolerance vary from company to company, every organization should develop a risk management strategy. For IT teams, it’s about aligning IT risk with operational and enterprise risk management, which is no easy task.

ITRM includes many moving parts. Typically, it follows these steps:

  • Collect the information needed to assess the risks
  • Identify valuable assets across the organization and determine potential consequences if assets are damaged by uncontrolled risk
  • Identify internal/external threats and vulnerabilities and assess the likelihood of these vulnerabilities being exploited
  • Analyze the effectiveness of existing controls and decide if additional controls are needed
  • Prioritize risks and remediation efforts
  • Recommend controls
  • Develop an IT infrastructure improvement strategy that will mitigate the most critical vulnerabilities
  • Define mitigation processes
  • Evaluate ITRM efforts and measure results
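The steps above are easier to see as a small risk register. The following is an added example, not code from the original article or from any of the frameworks or products it names; the five-point likelihood and impact scales, the asset names, the control effectiveness figures and the risk appetite threshold are all constructed for illustration. It walks through identifying assets, threats and vulnerabilities, scoring inherent risk, discounting for existing controls, prioritizing what exceeds the appetite, and testing whether a proposed control would bring a risk back within it.

```python
"""Worked example: a minimal IT risk register (constructed, hypothetical data)."""
from dataclasses import dataclass, replace

# Five-point ordinal scales, as used in a typical qualitative assessment (constructed here).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of risk the control removes, 0.0 (none) to 1.0 (complete)

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness of {self.name!r} must be between 0 and 1")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: tuple = ()

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Risk left after existing controls; independent controls combine multiplicatively."""
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent_score() * remaining, 2)

    def with_control(self, control: Control) -> "Risk":
        """Model a proposed additional control without mutating the register entry."""
        return replace(self, controls=self.controls + (control,))


def prioritize(register, appetite: float):
    """Risks whose residual score exceeds the appetite, highest residual first."""
    above = [r for r in register if r.residual_score() > appetite]
    return sorted(above, key=lambda r: (-r.residual_score(), r.asset))


def treatment_plan(register, appetite: float):
    """Map each asset to 'treat' or 'accept' against the stated appetite."""
    return {r.asset: ("treat" if r.residual_score() > appetite else "accept") for r in register}


# Constructed sample register; assets, threats and effectiveness values are illustrative only.
REGISTER = [
    Risk("customer database", "external attacker", "unpatched web application",
         "likely", "severe",
         controls=(Control("web application firewall", 0.5), Control("30-day patch SLA", 0.6))),
    Risk("payroll system", "insider misuse", "excessive standing privileges",
         "possible", "major",
         controls=(Control("quarterly access review", 0.3),)),
    Risk("office laptops", "device theft", "no full-disk encryption",
         "likely", "moderate"),
    Risk("public website", "volumetric DDoS", "single upstream provider",
         "possible", "minor",
         controls=(Control("CDN with DDoS absorption", 0.7),)),
]

RISK_APPETITE = 5.0  # constructed threshold: residual scores above this must be treated


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.asset:18} inherent={risk.inherent_score():>3} residual={risk.residual_score():>5}")
    print("Prioritized for treatment:", [r.asset for r in prioritize(REGISTER, RISK_APPETITE)])
    # "Recommend controls": does a candidate control bring the top risk within appetite?
    laptops = REGISTER[2].with_control(Control("full-disk encryption", 0.8))
    print("Laptops with FDE:", laptops.residual_score(), treatment_plan([laptops], RISK_APPETITE))
```

Two design choices matter more than the numbers. Residual risk is computed from inherent risk and control effectiveness separately, so the register records why a risk is accepted, not just that it is; and `with_control` returns a copy, so candidate controls can be evaluated during the "recommend controls" step without silently altering the assessed state. Real programs replace the ordinal product with whatever scale the chosen framework prescribes (FAIR, for instance, works in loss-event frequency and loss magnitude rather than 1-to-5 scores).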

While the above steps are important, they can be time consuming and require extensive institutional knowledge to execute. IT teams can use frameworks to guide their efforts and achieve the best results. The frameworks provide a structured methodology for risk governance, assessment and response.

Popular frameworks include the following:

  • ISACA IT Risk Framework
  • COBIT (Control Objectives for Information and Related Technology)
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework
  • Factor Analysis of Information Risk (FAIR)
  • ISO 27005
  • ISO 31000
  • NIST SP 800-39

What are the pros and cons of IT risk management?

Studies show that when organizations take a risk-based approach to IT compliance, they reduce the likelihood of security incidents. This is just one reason why all organizations today should take IT risk management seriously.

Although ITRM frameworks provide helpful guidance, it’s easy for IT teams to suffer from “framework overload.” Veronica Rose, ISACA board director and information systems auditor at Metropol Corp. Ltd., recommends using a combination of frameworks for best results. For example, the ISACA Risk IT framework aligns well with the COBIT 2019 framework, Rose said.

The complicated nature of ITRM frameworks, however, has led to the rise of ITRM products. Many organizations choose to use tools and/or services based on one or more ITRM frameworks. These offerings generally aim to control IT and cyber risks, comply with applicable regulations and integrate ITRM into ERM.

ITRM tools can provide the following functionality:

  • Automation and workflow management
  • Data integration and connectors
  • Discovery and inventory of information and assets
  • Identity and access management
  • Risk analysis
  • Regulatory and policy content mapping management
  • Threat and vulnerability management integrations
  • Incident management integration
  • Risk resolution life cycle
  • Data loss prevention capabilities
  • Real-time assessments

Some tools, like Allgress Insight Risk Management Suite, ZenGRC, ServiceNow GRC, and OneTrust GRC, focus narrowly on the governance, risk, and compliance (GRC) subset of ITRM, while others have broader applications. More comprehensive tools usually offer additional modules dedicated to specific areas of risk management. Popular ITRM tools for broader use include RSA Archer IT & Security Risk Management, ITRMBond from Diligent, IBM OpenPages with Watson, LogicManager, MetricStream, Lockpath Integrated Risk Management from NAVEX Global, and SAI360.

Whether organizations tackle ITRM internally using frameworks or deploy ITRM products, they should seek the same outcome: advanced asset monitoring; risk identification and mitigation; compliance, performance, incident and business continuity management; and better-informed decision making.

Examples of IT risk management products

Below are five examples of organizations that have deployed ITRM products to achieve their risk management goals.

Gain visibility into risk and compliance practices: A bank with more than 22,000 employees, 1,200 branches and a range of banking, insurance, leasing and storage businesses needed better risk management and compliance practices than its spreadsheets and existing internal systems could support. The bank rolled out Archer’s operational risk management offering, followed by Archer Audit Management. By centralizing risk and compliance data on a single platform, the bank gained a consolidated, real-time view of risk and compliance across its entire business portfolio.

Align risk management with business objectives: A Fortune 500 company in a highly regulated industry needed to integrate its disparate risk management initiatives and align them with corporate goals. Using MetricStream’s enterprise-wide risk and internal control platform, as well as the platform’s compliance modules, the company identified and assessed key risk exposures. Additionally, the platform enabled measurement, monitoring and control of enterprise risk exposures at multiple organizational levels. The platform also validated the strength of internal controls and compliance with regulatory policies, while ensuring accountability by strengthening the flow of information and records.

Fill gaps in risk management and compliance: A P&C insurance company needed to understand the gaps in its risk management and compliance program. The company started with LogicManager’s ERM offering, which aims to collect and share risk information, uncover risk root causes, and re-aggregate information. Using this ERM approach in combination with the gap analysis method recommended by the RIMS Risk Maturity Model, the insurance company could identify critical business needs and allocate resources accordingly.

Standardize the risk management approach: A provider of green energy consulting and services needed a better way to stay on top of environmental, health, and safety (EHS) performance and risks across the organization. Its existing approach, which used spreadsheets, Word documents and an old incident management system, was inadequate to measure risk and understand liability. The company implemented the SAI360 EHS and operational risk management platform. The platform included four modules: audit management, behavior-based security, incident management, and risk management. The combined modules improved the planning and tracking of corporate audits; provided preventive safety reports; created a single source of truth to record and respond to incidents and events; and aligned the risk management process with established standards.

Improve overall GRC management: A global provider of analytics software and technology needed its global GRC program to comply with the terms of the EU General Data Protection Regulation and the ISO 27001 information security standard. The company implemented OneTrust GRC. The team could then link controls and risk mitigation efforts across standards and regulations, reducing the time and effort spent on risk management. Additionally, the platform’s audit management module helped the company prioritize actions and adopt a more risk-based approach to auditing.
