We’ve delved into the realm of Enterprise Risk Management in previous blogs, and now its time to take a look at a subset of ERM: IT Risk Management (ITRM). The publication Risk IT by ISACA notes that ITRM covers both the negative impacts and benefits to operations/service delivery by missing the chance to utilize technology in enabling or enhancing business. In other words it is the practice of applying risk management to the information technology aspects of a business to mitigate IT risks which are on the rise due to the increasing reliance on technology. In this blog we will take a look at ITRM areas that can be missed by CIOs which can have a disastrous outcome.
I. Company mergers and acquisitions: When companies decide upon a merger or are bought out there is a flurry of activity going on for the parties involved. IT personnel are left with the daunting task of ensuring systems are merged together to work seamlessly which is easier said than done. Companies using legacy systems may need to be merged with systems that are incompatible, or completely different IT practices need to be melded to one. Failure to ensure that compliance standards are met can lead to loopholes in the system or worse complete loss of data.
On top of all the internal tasks involved, staff are left wondering if the merger will leave them out of a job or the inevitable they are actually laid off. CIOs and IT personnel have to keep track of such events to mitigate the possibilities of sensitive data being leaked, sabotage ( ranging from non-compliance with work practices all the way to malicious reworking of systems/data)
II. Vendor relationships: Data is vital, and vendors are responsible for providing you with tools and products to manage your company. When deals are made that span years, it is vital that companies understand their vendors and understand their intentions. Planning to mitigate risks such as vendors falling out of business (working on contingency vendors that support your systems, or forecasting a vendor’s financial stability), or vendor acquisitions (can lead to changes in products the vendor carry which can be detrimental to your future partnership) is a necessary step to take in ITRM. Steps such as clauses regarding the right to terminate will help in such cases.
III. Management of IT personnel: It may not seem like an area that can be prone to having high risk associated with it, but on the contrary appropriate management of IT skills is crucial. Every IT personnel has skills they bring to table that makes them sought out by project managers. What happens is there are times when a certain person’s skillset is required for project Y but the person is currently tasked with handling Project X. This leads to issues where projects are stalled due to a complete lack of the appropriate person, or project managers fill in the requirement with less experienced personnel increasing the overall risk of the project. Smaller issues such as the idea of employee favoritism and discontent amongst workers can arise through employee “hogging”.
IV. Outdated Disaster Recovery: As systems expand, and evolve involving more complexity; the necessity to have an up to date Disaster Recovery plan is vital. Ensuring that all aspects of the documentation is kept relevant through to making sure offsite locations are still viable to making sure the latest system hardware/software change is documented.
V. Risk management of Application Development: For any entity that works on developing applications (Proprietary software) the need to implement proper Risk Management during the SDLC is of the utmost importance. Especially in times where the demand for a product can force companies to fore-go thorough practices leading to backlashes from the end user(s).
In the graphic above, you can see that SecureState (A company specializing in information security and risk services) has developed a thorough set of practices (tools) for each stage of the SDLC to help seek out and mitigate and technical issues (that would be potential risks for the application).
As with ERM, ITRM has a host of beneficial aspects to ensuring it gets performed, and as companies are becoming ever more reliant on their IT Departments, the time is now to seize the opportunity to better implement IT risk management practices.