Every organization, risk auditor or analyst, security professional or individual may come up with a different definition of IT risk. While all of these definitions would most probably fit somewhere in the universe of IT risk, it is very important that an organization shares a common understanding and terminology. For this purpose there are structures, or better, frameworks, that help organizations manage IT risks.
Frameworks help organizations build an underlying structure that addresses the strategic, tactical and operational aspects of security and risk. No single framework is a perfect match, so a better approach is to review a few frameworks such as COBIT, ISO or ITIL and use the parts that fit. It is recommended to mix, match and personalize frameworks to create your own structure. Common sense applied within a framework is necessary and will drive consistency.
IT risks must be put in the context of the big picture and not isolated from the rest of the organization. They may fall into different categories or levels, but their impact is always linked, directly or indirectly, to the business. An organization must integrate risk management with IT governance and compliance, whether the obligations are external laws and regulations and/or internal corporate policies and procedures.
What kinds of risk levels do we find in an organization?
At the lowest level, isolated risks may occur on a day-to-day basis. User errors are the most common, but IT-related risks may also be present in badly configured servers or setups, insecure project tasks, etc. A lack of security awareness and education among employees increases the probability of these risks materializing. Various tools and controls can be used to minimize them.
A combination of low-level risks can compromise the organization's infrastructure security. The impact is higher, as it starts disrupting business units. At this level of risk we find project failures, vulnerable infrastructure, violation of SLAs by vendors, etc. The implementation of adequate controls and standards is a must at this level.
A combination of failed projects, violated SLAs and infrastructure vulnerabilities will lead to enterprise-level disruption. At this level, apart from the business disruption, which means financial losses, the organization may suffer reputational damage as well!
At the highest level of risk we find elements tied to the business itself, such as market perception, strategic failures and regulatory compliance. The impact at this level is critical: an organization may lose its market share and ruin the business, be fined, and make the news headlines!
