Summary:
Each company needs to assess and prioritize the risks involved in its IT domains. It needs to establish a data security policy that describes the accepted level of security and continuity for each part of the business and for each level of data access. It also has to monitor and re-assess those risks continuously.
Analysis:
Doing business always involves taking risks, and each organization needs to balance potential rewards against potential risks. As part of the business, IT has its own risks, which can cause serious problems if they are not managed correctly. IT risks are special because a single failure can take down the whole business.
IT risk management is the strategic process of administering the assessed risk. While risk assessment focuses on identifying, quantifying, and prioritizing risks, the goal of risk management is to manage the risks across the agency. Risk management is an ongoing process and consists of multiple phases. Senior management presence and direction are strongly recommended during the risk management phase. Once risks have been identified, they can be accepted, avoided, mitigated, or simply transferred. Risk acceptance warrants accepting the potential loss from the risk; on the other hand, risk avoidance signifies eliminating the risk by not performing the activity that could carry a risk. (Wikipedia, 2016)
IT risk management can be considered a component of a wider enterprise risk management system. First, the company needs to set its strategic direction and define and maintain an IT safety and security plan. Then it should conduct a vulnerability assessment to find the weak points in its IT systems. The next step is risk analysis: determining which risks have the higher impact on the business. The company can then assess the investment risks and reduce the most important risks by choosing the right IT investments. Risk management is an ongoing process, so the company needs to ensure that IT risk management is implemented correctly for all projects and is maintained over time. It therefore needs to establish and maintain procedures for protecting and monitoring sensitive data and for running the risk management process itself.
One can reduce the probability of a risk, but the chance of it materializing is never zero. Besides mitigation actions, which reduce the likelihood of a risk and its consequences, the other way to handle the consequences is to transfer them to another risk carrier; for example, insurance can be used to cover the cost of a risk.
On the one hand, there are intolerable risks, which need to be addressed immediately. Some of them need long-term investment and some have a quick mitigation. On the other hand, there are tolerable risks, which the company can live with, but the organization should be aware that if a problem does occur, it was the company's decision to accept the consequences of that risk and not the IT managers' fault. That acceptance should be recorded so the decision is traceable later.
Recommendation:
In managing IT risks, the security-related items are the most important issues and need to be addressed immediately. IVK needs to establish a general policy describing the required level of business continuity and availability; this policy should also describe the appropriate level of data and system security. The current IVK system is based on categorizing data and on classic authentication and authorisation. Although this is a simple and accepted method, it opens the door to employees' misuse of their privileges and to possible external attacks. We suggest that IVK invest in changing its data protection mechanism and implement a multi-level protection mechanism that enforces controls at the data level, so that it has better control over its sensitive data. If a security attack does happen, the most sensitive data will have the highest level of protection, which reduces the potential cost of the attack. The company also needs to monitor the risk assessment and management procedure continuously and update the policies as the business and technology change.
Expected Outcome:
Establishing a security and risk management policy will give the company a guideline for dealing with future risks. If a security incident happens, the company can adjust its level of protection by changing the policy, and no one will blame the CIO solely.
Implementing information protection at the data level needs closer control over privileged staff. This can raise objections from employees for a while, and the company needs to invest in getting all employees to accept this concept.
In the long term, this will align IT more closely with business values and reduce unexpected outcomes from risks and crises.
Conclusion:
IT risk management should be part of the company's general risk management process. We recommend that the company establish general risk management policies describing the different degrees of risk it is willing to take, according to its core business values and considering the possible effect of those risks on those values and on business continuity.
In the business world there are always risks. What is important is to identify them and invest in mitigating the high-priority and intolerable risks whenever possible. In some cases, another risk carrier, such as an insurer, can be used to bear the cost of a risk.