Managing IT Risk — Part 3


In a competitive business environment, every organisation operates in a climate of risk. It is never possible to remove all risk from a business, but it is important to assess and reduce risk to an acceptable level where possible.

In relation to Information Technology (IT), assessing and minimising risk has become increasingly important over the past decade or more, particularly for businesses that rely heavily on technology. It is therefore vital that business owners understand, monitor and control risk, especially as the IT environment continues to change rapidly and new IT-related risks appear regularly.

Part 1 of this article gave some examples of the IT-related risks facing businesses today. Part 2 showed you how to identify and assess the IT-related risks facing your business. This part gives you some ideas on how to reduce those risks and their potential impact on your business.

Risk mitigation — risk reduction

If your assessment shows that your business faces unacceptably high levels of risk, then you need to take some action to counter them.

You could:

  • reduce the probability of the risk affecting your business.
  • limit the impact of the risk if it does occur.

In practice you will often wish to do both. However, generally you should try to reduce the probability of the risk affecting your business in the first place.

One way of doing this is risk avoidance, i.e. not doing the things that could lead to a problem in the first place, such as declining to enter a line of business, a particular deal or a new IT project because it carries a risk.

However, this might mean that you end up not doing anything new, and hence not being able to benefit fully from business opportunities.

You could instead take a more positive approach by changing the way in which you carry out an activity. This is particularly appropriate to IT-related risk, and usually means following established good practice when acquiring or operating IT systems, for example keeping software patched, restricting access to what each user needs, and taking backups that are regularly tested by restoring from them.

Risk mitigation — impact reduction

There are inevitably some risks to your business that you can neither eliminate nor reduce to an acceptable level.

For these, you can only mitigate those risks by assessing what might happen as a result of the problem and reducing their impact should they occur.

In many situations the greatest damage occurs not from the original fault but from the response to it: because no one fully understands the nature of the problem, the actions taken make it worse. This can be avoided by adopting common-sense procedures, which should be part of your risk mitigation approach:

  • Do not take any actions that could exacerbate the problem. For example, if you cannot read files from a back-up tape, investigate whether the fault lies with the tape drive before assuming the tape is at fault; otherwise you risk damaging other tapes by placing them in a faulty drive.
  • Implement documented procedures for dealing with likely threats, and train your staff in their use. For example, there are many ways that malware can get into your systems, so you should have a plan for isolating affected machines from the network so that the infection doesn’t spread.

An important part of impact reduction is the early detection of problems. Where you have a risk that you can’t eliminate, you should ensure that you have a reliable method of detecting the problem if and when it occurs, one that does not itself depend on the component that might fail.

Often failures are very obvious. However, occasionally, particularly in continuous or recurring processes, a failure may occur silently, and its impact will grow over time. A nightly backup job that keeps running but writes empty or corrupt archives is a typical example: nobody notices until a restore is attempted. If you identify this type of risk you should build in a periodic check that verifies the process actually produced the result you rely on, so that the problem is detected as soon as possible.
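The periodic check described above, as an added example that is not part of the original article: it inspects a constructed set of backup archives and flags the three ways a recurring backup job typically fails silently (the latest archive is missing or stale, it has shrunk far below the usual size, or its contents no longer match the checksum the job recorded). The 26-hour freshness window and the 50% size threshold are assumptions chosen for a nightly job; adjust them to your own schedule.

```python
"""Periodic check for silent failure of a recurring backup job.

Added example (not from the article). Backups, timestamps and sizes
below are constructed inline so the check runs offline.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Backup:
    name: str
    created: datetime
    data: bytes            # archive contents (constructed)
    recorded_sha256: str   # checksum the backup job wrote alongside the archive


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_backups(backups, now, max_age=timedelta(hours=26), min_ratio=0.5):
    """Return a list of findings; an empty list means the backups look healthy.

    max_age:   how old the newest archive may be before it counts as stale
               (assumed: nightly job plus a two-hour grace period).
    min_ratio: the newest archive must be at least this fraction of the
               median size of the earlier archives (assumed: 0.5).
    """
    findings = []
    if not backups:
        return ["missing: no backup archives found"]

    ordered = sorted(backups, key=lambda b: b.created)
    latest = ordered[-1]

    # 1. Freshness: if the job stopped producing files, the newest one ages.
    age_hours = (now - latest.created).total_seconds() / 3600
    if now - latest.created > max_age:
        findings.append(f"stale: newest archive {latest.name} is {age_hours:.1f}h old")

    # 2. Size: a job that silently backs up an empty directory produces tiny files.
    earlier_sizes = sorted(len(b.data) for b in ordered[:-1])
    if earlier_sizes:
        baseline = earlier_sizes[len(earlier_sizes) // 2]
        if baseline and len(latest.data) < baseline * min_ratio:
            findings.append(
                f"shrunk: {latest.name} is {len(latest.data)} bytes, baseline {baseline}")

    # 3. Integrity: recompute each checksum rather than trusting the recorded one.
    for b in ordered:
        if sha256(b.data) != b.recorded_sha256:
            findings.append(f"corrupt: {b.name} checksum mismatch")

    return findings


def make_backup(name, created, data, recorded=None):
    return Backup(name, created, data, recorded if recorded is not None else sha256(data))


NOW = datetime(2024, 3, 10, 6, 0, tzinfo=timezone.utc)   # constructed "current time"


def sample_run(latest_size=1000, latest_age_hours=6, tamper=False):
    """Construct six nightly archives plus a configurable newest one and check them."""
    latest_created = NOW - timedelta(hours=latest_age_hours)
    backups = [
        make_backup(f"db-{i}.tar", latest_created - timedelta(days=i), b"x" * (1000 + i))
        for i in range(1, 7)
    ]
    latest = make_backup("db-0.tar", latest_created, b"x" * latest_size)
    if tamper:
        # Simulate bit-rot after the checksum was recorded.
        latest.data = latest.data + b"!"
    backups.append(latest)
    return check_backups(backups, NOW)


if __name__ == "__main__":
    print("healthy:", sample_run())
    print("shrunk: ", sample_run(latest_size=10))
    print("stale:  ", sample_run(latest_age_hours=48))
    print("corrupt:", sample_run(tamper=True))
```

Run this from a scheduler (cron, a systemd timer, a monitoring agent) that is independent of the backup job itself, and alert on any non-empty result; a check that lives inside the job it is supposed to watch fails silently along with it.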

Don’t forget that to reduce the cost impact of a problem should it occur, you could take out insurance. This is a form of risk transfer and is a normal part of doing business for most organisations nowadays. Note that insurance reduces the financial impact only; it does not bring back lost data or systems, so it complements rather than replaces the measures above.

Contingency Plans

A contingency plan is an impact-reduction measure. It should describe in detail what you and your staff will do if a particular problem impacts your business.

You may need a contingency plan when:

  • you identify a risk that you think has a high chance of happening and will have a high impact.
  • you try to find ways of reducing the likelihood of the event, but you cannot reduce the risk to an acceptable level.
  • the residual risk is still so large that you need to take a structured approach to reduce its likely impact.

The main considerations that you should address in a contingency plan are:

  • scope — which particular risk is the contingency plan designed for?
  • initiation — how will you know when to put the plan into action?
  • actions — what sequence of actions will you take in order to control the problem and minimise its impact?
  • roles and responsibilities — who will do what, and when?

Good contingency plans are usually based on the shared experience of managers working together.

An important form of contingency plan is a business continuity plan (BCP). This is typically created to cover the most serious of problems, such as the complete loss of all your servers and network infrastructure due to a fire or natural disaster.

Such plans may involve planning for the rapid acquisition of temporary buildings, reciprocal arrangements with other organisations, special staffing arrangements, etc.

BCPs should be tested if possible. A test could be a simple paper (tabletop) exercise in which the people involved talk through the different parts of the recovery procedure. This is adequate for simple plans.

A full test of a BCP requires a full exercise. This will usually involve many people and significant cost because it will disrupt normal activities. Therefore, any exercise of this type should be carefully planned and budgeted. Firms that take risk seriously will typically perform a full BCP drill at least annually, and often twice a year.