IT risk assessment is not a one-way street. Understanding ways that technology can improve business operations means looking at IT-related risks from both sides — the risk that something bad will happen and the risk that you may not be leading. That requires a comprehensive IT risk assessment program.
The higher we go, the faster we travel, the more we risk. This is especially true in today's business environment when advances in information technology (IT) push businesses to greater heights at unprecedented speeds towards a seemingly endless horizon. As organizations evaluate and deploy new and emerging technologies to streamline internal business processes and interactions with customers and suppliers, they increase their dependence on, and the level of business risks related to, IT. It is true that risk, undetected and left uncontrolled, limits the value and usefulness of information and can damage a business's information, its resources, its reputation, even its existence. But in today's environment, organizations must also consider that the risk of not taking action means they may be left behind in the competitive marketplace.
The ability to assess and manage a balanced perspective on IT-related risk can give a business significant competitive advantage. It's not enough to simply address risks as they emerge or take action only when forced to. The key to unlocking the power of technology that can improve business performance is to develop and implement a comprehensive IT risk management strategy.
I use a Business Risk Model to identify, source and measure business risks associated with an organization's use of IT. This helps management understand and assess how IT impacts daily business activities as well as overall business strategy. Examples of the business risks that are considered include:
- Linkage of IT planning and strategy to business
- Access to business systems, networks and data
- Integrity of information, data and systems
- Relevance of systems and the information they generate
- Availability of business systems and data
- Performance and management of your IT infrastructure
- Cost of ownership and technology asset management
- Project prioritization and management
The model recognizes that IT-related business risks affect all aspects of the business and that a comprehensive approach to risk management, one that examines all critical business processes, is required.
Comprehensive business risk management means first understanding the potential risks to your business and then determining what level of risk the organization is willing to accept. Since no two businesses are exactly alike, it is imperative that your risk management processes are designed to mitigate those unacceptable risks. Without this process, the costs of risk management can easily outweigh the benefits.
In my view, risk management should be driven by service level requirements and should be focused on delivery of appropriate levels of information availability. Delivering these requirements will be a fundamental principle of the enterprise risk management process, but I attach equal importance to ensuring that the people/organisation and infrastructure/technology are in place to consistently deliver the requirements that an organization has set. To mitigate unmanageable risk, there is still a need for a proven recovery strategy to be in place. I use a pragmatic approach to challenge assumptions and capabilities at all stages of the current risk management process to ensure that this process is sufficiently robust to meet expectations and client commitments.
My approach facilitates risk management by involving the people who understand the business, perform the business process and use the technology. It goes beyond conventional, controls-only methods by establishing consensus on the sources and impact of risk, and identifying management risk tolerance levels. Armed with this knowledge, you can define the right set of management processes and business controls that are balanced with the risks. BSA enables this by:
- Developing a common language for understanding IT-related business risks throughout the company.
- Aligning IT risk management strategies and tactics with the source of the IT-related business risk.
- Empowering process owners to share information and brainstorm solutions so they will work together and take steps to achieve positive change.
- Improving overall business performance through effective definition and management of IT-related business risks.
- Emphasizing the continuous assessment of key business risks and controls throughout the organization.
I can help you understand the source of technology risks and work with you to reduce them to an acceptable level. Years of cross-industry experience have given me a wealth of expertise which I use to help improve your overall business performance. I can help you manage your IT risks. I use existing Risk Management frameworks, including the following, to create a pragmatic and realistic risk approach and to evaluate the existing risk approach:
- COSO ERM
- OCEG GRC Red Book
- AS/NZS 4360 Risk Management guidelines
- ISO 31000 Risk Management
- IIA GAIT