Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.
Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.
Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.
Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
To assess current risk management maturity, develop goals, and establish IT risk governance.
Identified obstacles to effective IT risk management.
Established attainable goals to increase maturity.
Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
Maturity Assessment
Risk Management Program Manual
Risk Register
Identify and assess all IT risks.
Created a comprehensive list of all IT risk events.
Risk events prioritized according to risk severity – as defined by the business.
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT 5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
Finalized List of IT Risk Events
Risk Register
Risk Management Program Manual
Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.
Risk monitoring responsibilities are established.
Risk response strategies have been identified for all key risks.
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Root cause analysis
3.6 Identify and assess risk responses
Risk Register
Risk Management Program Manual
Risk Event Action Plans
Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.
Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
Authoritative risk response recommendations can be made to senior leadership.
A finalized Risk Management Program Manual is ready for distribution to key stakeholders.
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
Risk Report
Risk Management Program Manual
Executive Brief
Analyst Perspective
Executive Summary
Phase 1: Review IT Risk Fundamentals & Governance
Phase 2: Identify and Assess IT Risk
Phase 3: Monitor, Communicate, and Respond to IT Risk
Appendix
Bibliography
Valence Howden, Principal Research Director, CIO Practice
Brittany Lutes, Senior Research Analyst, CIO Practice
Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it is addressed, being managed in isolated silos with inconsistent understanding of impact and terminology.
Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.
This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.
IT has several challenges when it comes to addressing risk management:
Many IT organizations realize these obstacles:
IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)
Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink, 2021 & Security Magazine, 2021)
Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021 & Security Magazine, 2021)
In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)
By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.
Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)
IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.
Start Here
Phase 1: Review IT Risk Fundamentals and Governance
1.1 Review IT Risk Management Fundamentals
1.2 Establish a Risk Governance Framework
Phase 2: Identify and Assess IT Risk
2.1 Identify IT Risks
2.2 Assess and Prioritize IT Risks
Phase 3: Monitor, Report, and Respond to IT Risk
3.1 Monitor IT Risks and Develop Risk Responses
3.2 Report IT Risk Priorities
Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.
Risk Drivers
Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)
63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)
Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)
55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
1. Assess Enterprise Risk Maturity
2. Determine Authority with Governance
3. Build a Risk Management Program Plan
4. Establish Risk Management Processes
5. Implement a Risk Management Program
Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.
Governance and related decision making is optimized with integrated and aligned risk data.
ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.
Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Risk Management Program Manual. Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.
Integrated Risk Maturity Assessment: Assess the organization's current maturity and readiness for integrated risk management (IRM).
Centralized Risk Register: The repository for all the risks that have been identified within your environment.
Risk Costing Tool: A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.
Risk Report & Risk Event Action Plan: A method to report risk severity and hold risk owners accountable for the chosen method of responding.
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.
COSO
COSO’s Enterprise Risk Management — Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. (COSO)
ISO 31000
Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)
COBIT 2019
COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology. (COBIT 2019)
A strong risk management foundation is valuable when building your IT risk management program. This research covers the following IT risk fundamentals:
Drivers of Formalized Risk Management (from drivers external to IT to grassroots drivers): External Audit, Internal Audit, Mandated by ERM, Occurrence of Risk Event, Demonstrating IT’s value to the business, Proactive initiative, Emerging IT risk awareness
IT Benefits
Business Benefits
DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 3 to 6 months.
What does a typical GI on this topic look like?
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Day 1: Review IT Risk Fundamentals and Governance
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
Day 2: Identify IT Risks
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT 5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
Day 3: Assess IT Risks
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Perform root cause analysis
3.6 Identify and assess risk responses
Day 4: Monitor, Report, and Respond to IT Risk
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
Day 5: Next Steps and Wrap-Up (offsite)
5.1 Complete in-progress deliverables from previous four days
5.2 Set up review time for workshop deliverables and to discuss next steps
Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:
With an ERM: Senior Leadership Team → ERM → IT Risk Management
Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
Con: IT may lack autonomy to implement IT risk management best practices.
Without an ERM: Senior Leadership Team → IT Risk Management
Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.
Risk Governance
Risk Identification
Risk Response
Risk Assessment
Risk management benefits | To engage the business... |
IT is compliant with external laws and regulations. | Identify the industry or legal legislation and regulations your organization abides by. |
IT provides support for business compliance. | Find relevant business compliance issues, and relate compliance failures to cost. |
IT regularly communicates costs, benefits, and risks to the business. | Acknowledge the number of times IT and the business miscommunicate critical information. |
Information and processing infrastructure are very secure. | Point to past security breaches or potential vulnerabilities in your systems. |
IT services are usually delivered in line with business requirements. | Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality. |
IT related business risks are managed very well. | Make it clear that with no risk tracking process, business processes become exposed and tend to slow down. |
IT projects are completed on time and within budget. | Point out late or over-budget projects due to the occurrence of unforeseen risks. |
Input: List of IT personnel and business stakeholders
Output: Buy-in from senior leadership for an IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, Business executive leadership
The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:
Record the results in the Risk Management Program Manual.
Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.
Integrated Risk Maturity Assessment: A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.
Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.
Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.
1-4 hours
Input: List of IT personnel and business stakeholders
Output: Maturity scores across four key risk categories
Materials: Integrated Risk Maturity Assessment Tool
Participants: IT executive leadership, Business executive leadership
This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.
How to Use This Assessment:
Record the results in the Integrated Risk Maturity Assessment.
Integrated Risk Maturity Categories
1. Context & Strategic Direction: Understanding of the organization’s main objectives and how risk can support or enhance those objectives.
2. Risk Culture and Authority: Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.
3. Risk Management Process: Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.
4. Risk Program Optimization: Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.
Review IT Risk Fundamentals and Governance
Challenges:
Key metrics:
Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.
Support and sponsorship from senior leadership
IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative. Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.
Risk culture and awareness
A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk. An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization. Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.
Organization size
Smaller organizations can often institute a mature risk management program much more quickly than larger organizations. It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management. Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.
1-4 hours
Input: Integrated Risk Maturity Assessment
Output: Obstacles and pain points identified
Materials: IT Risk Management Success Factors
Participants: IT executive leadership, Business executive leadership
Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.
Instructions:
Replace the example pain points and opportunities with real scenarios in your organization.
Pain Points/Obstacles
Opportunities
Risk appetite spectrum: Risk Tolerant / Moderate / Risk Averse
One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.
Risk tolerant
Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.
Risk averse
Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.
The other component of risk culture is the degree to which risk factors into decision making.
Risk conscious
Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.
Unaware
Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.
Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.
1-4 hours
Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, Business executive leadership
Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.
Instructions:
Record the results in the Risk Management Program Manual.
Ensure that all success metrics are SMART:
Specific: Make sure the objective is clear and detailed.
Measurable: Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
Actionable: Objectives become actionable when specific initiatives designed to achieve the objective are identified.
Realistic: Objectives must be achievable given your current resources or known available resources.
Time-Bound: An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.
Replace the example metrics with accurate KPIs or metrics for your organization.
Sample Metrics
Name | Method | Baseline | Target | Deadline | Checkpoint 1 | Checkpoint 2 | Final
Number of risks identified (per year) | Risk register | 0 | 100 | Dec. 31 | | |
Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31 | | |
Frequency of risk assessment | Assessments recorded in risk management program manual | 0 | 2 per year | Year 2 | | |
Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in the risk costing tool to risks assessed in the risk register | 0 | 20% | Dec. 31 | | |
Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1 | | |
Cost of risk management program operations per year | Meeting frequency and duration, multiplied by the cost of participation | $2,000 | $5,000 | Dec. 31 | | |
Responsibilities of the ITRC:
Must be on the ITRC:
1-4 hours
Input: List of IT personnel and business stakeholders
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations
Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.
Instructions:
Record the results in the Risk Management Program Manual.
RACI is an acronym made up of four participatory roles:
Responsible: Stakeholders who undertake the activity.
Accountable: Stakeholders who are held responsible for failure or take credit for success.
Consulted: Stakeholders whose opinions are sought.
Informed: Stakeholders who receive updates.
Role | Stakeholder Coordination | Risk Identification | Risk Thresholds | Risk Assessment | Identify Responses | Cost-Benefit Analysis | Monitoring | Risk Decision Making
ITRC | A | R | I | R | R | R | A | C
ERM | C | I | C | I | I | I | I | C
CIO | I | A | A | A | A | A | I | R
CRO | I | R | C | I | R | | |
CFO | I | R | C | I | R | | |
CEO | I | R | C | I | A | | |
Business Units | I | C | C | C | | | |
IT | I | I | I | I | I | I | R | C
PMO | C | C | C
Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed
Key metrics:
What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.
Benefits of obtaining business involvement during the risk identification stage:
Executive Participation:
Prioritizing and Selecting Stakeholders
Info-Tech Insight: While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.
Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.
A risk prompt list is a list that categorizes risks into types or areas. The ten risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.
Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories.
Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category.
Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.
Risk Category | Risk Scenario | Risk Event
Compliance | Regulatory compliance | Being fined for not complying with/being aware of a new regulation.
| Externally originated attack | Phishing attack on the organization.
Operational | Technology evaluation & selection | Partnering with a vendor that is not in compliance with a key regulation.
| Capacity planning | Not having sufficient resources to support a DRP.
Third-Party Risk | Vendor management | Vendor performance requirements are improperly defined.
| Vendor selection | Vendors are improperly selected to meet the defined use case.
Info-Tech’s ten IT risk categories: IT Reputational, IT Financial, IT Strategic, Operational, Availability, Performance, Compliance, Security, Third Party, Digital.
Input: IT risk categories
Output: Risk events identified and categorized
Materials: Risk Register Tool
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)
Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.
Instructions:
Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.
Record the results in the Risk Register Tool.
Consider the External Environment – PESTLE Analysis
Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.
Avoid “Groupthink” – Nominal Group Technique
The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.
Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
List the following factors influencing the risk event:
Identify and Assess IT Risk
Key metrics:
Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.
In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.
How much you expect a risk event to cost if it were to occur (Likelihood of Risk Impact, e.g. $250,000 or “High”)
×
Calibrated by how likely the risk is to occur (Likelihood of Risk Occurrence, e.g. 10% or “Low”)
=
Produces a dollar value or “severity level” for comparing risks (Risk Severity, e.g. $25,000 or “Medium”),
which must be evaluated against thresholds for acceptable risk (Risk Tolerance) and the cost of risk responses (CBA: cost-benefit analysis).
1. Engage the Business During the Assessment Process: Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO). Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.
2. Verify the Risk Impact and Assessment: If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.
3. Identify Where the Business Focuses Attention: While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding. Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.
If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.
Review the two levels of risk assessment offered in this blueprint.
Level 1: Risk severity level assessment. Number of risks: assess all risk events identified in Phase 1. Assess Likelihood (e.g. Negligible) × Assess Impact (e.g. Negligible) = Output severity level (e.g. Moderate).
Level 2: Expected cost assessment. Number of risks: only assess high-priority risks revealed by the severity-level assessment. Assess Likelihood (e.g. 15%, Moderate) × Assess Impact (e.g. $100,000, High) = Output expected cost (e.g. $15,000). Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.
For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.
Why conduct expected cost assessments?
Why is expected cost assessment optional?
Input: Risk events, Risk appetite
Output: Threshold for risk identified
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
There are times when the business needs to know about IT risks with high expected costs.
This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.
If your organization has ERM, adopt the existing acceptability threshold.
Record this threshold in section 5.3 of the Risk Management Program Manual.
1-4 hours
Input: Risk events, Risk threshold
Output: Financial impact scale created
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual.
Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the tables with those that reflect your own costs.
Project Overruns
Project | Time (days) | Number of employees | Average cost per employee (per day) | Estimated cost
(example) | 20 days | 8 | $300 | $48,000
Service Outages
Service | Time (hours) | Lost revenue (per hour) | Estimated cost | Impact scale
(example) | 4 hours | $10,000 | $40,000 | Low
Reputational cost can take several forms, including the internal and external perception of:
Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.
Technique #1 – Use financial indicators:
For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue. If possible, use these measures to put a price on reputational loss:
Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
Technique #2 – Calculate the value of avoiding reputational cost:
For example: A data breach that caused the unsanctioned disclosure of 2,000 client files has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:
Technique #3 – Create a parallel scale for reputational impact:
If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.
Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:
Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
Example:
1-3 hours
Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual.
Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.
6-10 hours
Input: Risk events identified
Output: Assessed the likelihood of occurrence and impact for all identified risk events
Materials: Risk Register Tool
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
Record results in the Risk Register Tool.
Instructions (continued):
Tips for Selecting Likelihood Values:
Does ~10% sound right? Test a likelihood estimate by assessing the truth of the following statements:
Consider how IT is already addressing key risks.
Tactical controls: Apply to individual risks only. Example: A tactical control for backup/replication failure is faster WAN lines.
Strategic controls: Apply to multiple risks. Example: A strategic control for backup/replication failure is implementing formal DR plans.
[Diagram: a tactical risk control addresses a single risk event, while a strategic risk control addresses several risk events.]
Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.
Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.
Selecting the Appropriate Risk Owner
Use the following considerations to determine the best owner for each risk:
Risk Owner Responsibilities
Risk ownership means that an individual is responsible for the following activities:
Select risks with these characteristics:
Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria. The risk:
Determine which risks require a deeper assessment:
Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register. Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business. Communicating risks to the business in their own language also increases the likelihood that risk responses will receive the necessary support and investment. Record the list of risk events requiring second-level assessment in the Risk Costing Tool.
Instructions:
Who should participate?
Intersubjective likelihood: The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact. By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion. Example: The Delphi Method. The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.
Justifying Your Estimates: When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.
Info-Tech Insight: The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all. Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.
Monitor, Respond, and Report on IT Risk
Risk Event Action Plan
Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.
Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.
The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.
Instructions:
Note: Examples of KRIs can be found on the following slide.
What are KRIs?
Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.
Reporting cadence (assign one to each risk event):
Weekly reports to ITRC
Bi-weekly reports to ITRC
Monthly reports to ITRC
Report to ITRC only if KRI thresholds are triggered
No reports; reassessed bi-annually
Determine the root cause of IT risks. Root cause analysis: Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event. Diagnosing the root cause of a risk, as well as the environmental factors that increase its potential impact and likelihood of occurring, allows you to identify more effective risk responses. Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.
What factors matter?
Identify relevant actors and assets that amplify or diminish the severity of the risk: Actors; Assets/Resources.
Develop risk responses that target contributing factors.
Root cause: Business units rely on “real-time” data gathered from latency-sensitive applications. Actors: Enterprise App users (Finance, Product Development, Product Management). Asset/resource: Applications, network. Risk response (X): Decreasing the use of key apps contradicts business objectives.
Contributing factors: Unreliable router software. Actors: Network provider, router vendor, router software vendor, IT department. Asset/resource: Network, router, router software. Risk response (✓): Replacing the vendor would reduce network outages at a relatively low cost.
Symptoms: Network outage. Actors: All business units, network provider. Asset/resource: Network, business operations, employee productivity. Risk response (X): Replacing legacy systems would be too costly.
Instructions:
Complete the following steps for each risk event.
Document the following in the Risk Event Action Plan for each risk event:
Record the results in the Risk Event Action Plan.
Risk Avoidance
Example risk event: Information security vulnerability from a third-party cloud services provider.
Example 1: Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact. Example mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.
Example 2: However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact. Example mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.
Example 3: Others will reduce the potential impact without decreasing its likelihood of occurring. Example mitigation: Use robust encryption for all sensitive data.
Process Improvement
Key processes that would most directly improve the risk profile:
Infrastructure Management
Personnel
Rationalization and Simplification
This is a foundational activity, as complexity is a major source of risk:
Insurance
The most common form of risk transfer is the purchase of insurance.
Not all risks can be insured. Insurable risks typically possess the following five characteristics:
Other Forms of Risk Transfer
Other forms of risk transfer include:
Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.
You may choose to accept a risk event for one of the following three reasons:
Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.
This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.
Instructions:
Record the results in the Risk Costing Tool.
Instructions:
The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost
Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.
Instructions: Calculate expected cost for multiple years using the Risk Costing Tool for:
Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event. Record the results in the Risk Costing Tool.
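As an added worked example (not Info-Tech's Risk Register Tool or Risk Costing Tool), the script below runs the two assessment levels end to end: level-1 ordinal severity for a constructed register, the second-level expected cost for the flagged risks using the page's 15% x $100,000 figures, and a multi-year accept-versus-respond projection of the kind Activity 3.1.5 calls for. The scale labels, severity bands, dollar thresholds, response costs and risk names are assumptions of this example.

```python
"""Added worked example of the blueprint's two assessment levels (not the Risk
Register Tool or Risk Costing Tool). Scale labels, severity bands, dollar
thresholds and the sample risks are constructed assumptions."""
from dataclasses import dataclass

LEVELS = ["Negligible", "Low", "Moderate", "High", "Severe"]
# Assumed financial impact scale (activity 2.2.2): lower bound in dollars -> level.
IMPACT_SCALE = [(0, "Negligible"), (10_000, "Low"), (50_000, "Moderate"),
                (250_000, "High"), (1_000_000, "Severe")]
# Assumed level-1 bands on the 1..25 product of likelihood rank x impact rank.
SEVERITY_BANDS = [(2, "Negligible"), (5, "Low"), (10, "Moderate"), (16, "High")]

def project_overrun_cost(days, employees, cost_per_employee_day):
    """Time-based impact to dollars, as in the Project Overruns table."""
    return days * employees * cost_per_employee_day

def outage_cost(hours, lost_revenue_per_hour):
    """Time-based impact to dollars, as in the Service Outages table."""
    return hours * lost_revenue_per_hour

def impact_level(dollars):
    """Map a dollar figure onto the ordinal impact scale."""
    return max(entry for entry in IMPACT_SCALE if dollars >= entry[0])[1]

def severity_level(likelihood_level, impact_level_name):
    """Level 1: Likelihood x Impact = Severity, computed on ordinal ranks."""
    score = (LEVELS.index(likelihood_level) + 1) * (LEVELS.index(impact_level_name) + 1)
    return next((name for cutoff, name in SEVERITY_BANDS if score <= cutoff), "Severe")

def expected_cost(likelihood, financial_impact):
    """Level 2: likelihood (0-1) x financial impact; page example 0.15 x $100,000 = $15,000."""
    return likelihood * financial_impact

@dataclass
class RiskEvent:
    name: str
    likelihood_level: str       # level-1 input
    financial_impact: float     # dollars, e.g. from outage_cost()
    likelihood: float = 0.0     # level-2 input (0-1), set only for flagged risks

    def severity(self):
        return severity_level(self.likelihood_level, impact_level(self.financial_impact))

@dataclass
class Response:
    name: str
    one_time_cost: float
    annual_cost: float
    likelihood_after: float     # residual likelihood with the response in place
    impact_after: float         # residual financial impact

def flag_for_second_level(register, threshold="High"):
    """Risks at or above the severity threshold recorded in section 5.3."""
    return [r for r in register if LEVELS.index(r.severity()) >= LEVELS.index(threshold)]

def multi_year_projection(risk, response, years):
    """Cumulative (year, cost of accepting the risk, cost with the response) rows.
    Cost with the response = residual expected cost + response costs; this
    comparison is the example's own cost-benefit framing, not the tool's layout."""
    accept = with_resp = 0.0
    rows = []
    for year in range(1, years + 1):
        accept += expected_cost(risk.likelihood, risk.financial_impact)
        with_resp += (expected_cost(response.likelihood_after, response.impact_after)
                      + response.annual_cost + (response.one_time_cost if year == 1 else 0))
        rows.append((year, accept, with_resp))
    return rows

# Constructed sample register; figures reuse the page's worked numbers where possible.
REGISTER = [
    RiskEvent("Backup/replication failure", "Moderate", outage_cost(4, 10_000)),
    RiskEvent("Network outage from unreliable router software", "High",
              outage_cost(10, 10_000), likelihood=0.15),
    RiskEvent("Project overrun on application upgrade", "Low", project_overrun_cost(20, 8, 300)),
    RiskEvent("Data breach at third-party cloud provider", "Moderate", 1_200_000, likelihood=0.05),
]
ROUTER_RESPONSE = Response("Replace router software vendor", 20_000, 0.0, 0.05, 100_000)

if __name__ == "__main__":
    for r in flag_for_second_level(REGISTER):
        print(f"{r.name}: severity {r.severity()}, expected cost ${expected_cost(r.likelihood, r.financial_impact):,.0f}")
    for year, accept, with_resp in multi_year_projection(REGISTER[1], ROUTER_RESPONSE, 3):
        print(f"year {year}: accept ${accept:,.0f} vs respond ${with_resp:,.0f}")
```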
Communicate IT risk management in two directions:
Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.
Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively. A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication. The two primary goals of upward communication are:
Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication. The two primary goals of downward communication are:
Best practice is for all accepted risks to also be signed off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.
By receiving a stamp of approval for each key risk from senior management, you ensure that:
Task:
All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.
The Risk Report contains:
The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.
Embed risk management in project planning: Make time for discussing project risks at every project kick-off.
Embed risk management with employees: Train IT staff on the ITRC’s planned responses to specific risk events.
Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.
If risk management responsibilities are not built into performance assessments, it is less likely that personnel will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.
Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.
Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.
Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.
The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.
Risk Management Program Manual
“Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)
54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)
So you’ve identified the most important IT risks and implemented projects to protect IT and the business.
Unfortunately, your risk assessment is already outdated.
Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:
Revive Your Risk Management Program With a Regular Health Check
Risk | An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007).
Threat | An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).
Vulnerability | A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes).
Risk Management | The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).
Risk Category | Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.
Risk Event | A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.
Risk Appetite | An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.
Enterprise Risk Management (ERM) | A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).
The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.
Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).
Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).
False Objectivity
While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.
Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.
Likelihood is the more comprehensive measurement, since frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency with which the event occurred in the past. Further, the frequency with which the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 and that is expected to occur three times over the next year has an expected impact of $30,000.
Don’t just fixate on the most likely impact – be aware of high-impact outcomes.
During assessment, risks are evaluated according to their most likely financial impact.
Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.
While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.
Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).
For risk events that contain non-negligible likelihoods (too high to be ignored), consider elevating the risk severity level or expected cost.
Info-Tech Insight: Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor. Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.
Info-Tech Insight: Security risk management equals cost effectiveness. Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.
Sandi Conrad
Christine Coz
Milena Litoiu
Scott Magerfleisch
Aadil Nanji
Andy Neill
Daisha Pennie
Ken Piddington
Frank Sewell
Andrew Sharpe
Chris Warner
Sterling Bjorndahl
Ibrahim Abdel-Kader
Tamara Dwarika
Anne Leroux
Ian Mulholland
Michel Fossé
Petar Hristov
Steve Woodward
*Plus 10 additional interviewees who wish to remain anonymous.
“2021 State of the CIO.” IDG, 28 January 2021. Web.
“4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.
Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.
COBIT 2019. ISACA, 2019. Web.
“Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.
Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.
“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.
Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.
“Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.
Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.
“Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.
“Guidance on Enterprise Risk Management.” COSO, 2022. Web.
Henriquez, Maria. “The Top 10 Data Breaches of 2021.” Security Magazine, 9 December 2021. Web.
Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.
“Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.
“ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.
ISO 31000 Risk Management. ISO, 2018. Web.
Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.
Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.
Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.
“Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.
Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.
“Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.
Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.
“Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KPMG and RMA, 2014. Web.
“Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.
Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.
Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.
Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.
“What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.
Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.