Risk management is
a popular buzzword in today’s business world, but many IT administrators have
only a vague idea of what it means and how it fits into their job descriptions.
Risk management is a fairly simple concept; it refers to the process of making
decisions based on an evaluation of the factors that present a threat to the
business. In IT, that means assessing your network’s vulnerabilities and threat
exposure, and taking the steps necessary to mitigate them.

There are, then, several different components to risk management:

  • A risk management framework that describes areas of responsibility and the stream of accountability within the organization or department.
  • Risk analysis, a process of identifying vulnerabilities and calculating financial and loss expectancy metrics.
  • A risk management plan, which lays out the way specific tools will be used to reduce the risks to an acceptable level.

If all this sounds like a bunch of MBA mumbo-jumbo to you,
you’re not alone.

Risk management in plain English

The steps involved in performing a risk analysis can be
broken down into a few categories:

  • Identifying the risks (in this case, the risks to your organization that are presented by your network).
  • Determining the potential impact of the threats.
  • Weighing the cost of safeguards against the impact of the threats.
  • Making the decision on how to address risks effectively and cost-efficiently.
  • Implementing risk controls.
  • Assessing effectiveness.

A risk can be to the company’s assets (a risk that can
result in financial loss, such as the exposure of the company’s trade secrets
to a competitor, or violation of regulatory statutes such as HIPAA or the GLB
Act, which would result in fines and possibly other penalties). Some risks are
to the company’s mission (risks that interfere with employees’ performance of
their jobs, such as a denial of service attack that brings down the network).
Of course, these categories can overlap; a single vulnerability may threaten
both assets and mission.

The impact refers to the severity of the threat and the
probability of a loss resulting from it. Probability × severity = the risk
exposure.

The next step is to determine the cost/benefit ratio of the
various measures you can take to reduce or eliminate the risk, and to make
decisions based on that information. Risk management formulae can tell you how
much you can expect to lose per year to a specific threat. This gives you an
idea of how much you can cost-effectively spend on a specific threat.
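The formulae the article alludes to are the standard quantitative ones: single loss expectancy (SLE = asset value × exposure factor), annualized rate of occurrence (ARO), and annualized loss expectancy (ALE = SLE × ARO, i.e. probability × severity), with a safeguard judged by the loss it avoids minus what it costs per year. The following is an added worked example written for this article, not TechRepublic's or Microsoft's code; the ransomware scenario, the safeguards and every dollar figure are constructed.

```python
# Added example, not from the article: the standard quantitative risk formulae
# (SLE/ARO/ALE) behind "probability x severity = risk exposure", plus the
# cost/benefit test for a safeguard. All dollar figures are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars at stake
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    @property
    def sle(self) -> float:  # single loss expectancy: severity of one incident
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # annualized loss expectancy: probability x severity
        return self.sle * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = unchanged by control
    new_aro: Optional[float] = None              # None = unchanged by control

def residual_ale(risk: Risk, sg: Safeguard) -> float:
    """ALE that remains once the safeguard is in place."""
    ef = risk.exposure_factor if sg.new_exposure_factor is None else sg.new_exposure_factor
    aro = risk.aro if sg.new_aro is None else sg.new_aro
    return risk.asset_value * ef * aro

def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual benefit = loss avoided - control cost (negative = not worth it)."""
    return risk.ale - residual_ale(risk, sg) - sg.annual_cost

def rank_safeguards(risk: Risk, options: List[Safeguard]) -> List[Tuple[str, float]]:
    # Order candidate controls by net annual value, best first.
    scored = [(sg.name, safeguard_value(risk, sg)) for sg in options]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed scenario: a $100k file server hit by ransomware about every 2 years.
RANSOMWARE = Risk("ransomware on file server", 100_000, 0.6, 0.5)
OPTIONS = [
    Safeguard("offline backups", 4_000, new_exposure_factor=0.1),
    Safeguard("endpoint detection", 12_000, new_aro=0.1),
    Safeguard("cyber insurance", 35_000, new_exposure_factor=0.0),
]
```

Running `rank_safeguards(RANSOMWARE, OPTIONS)` shows the ALE of $30,000 without controls, offline backups netting $21,000 a year, endpoint detection $12,000, and the insurance option a negative value because it costs more than the risk it removes.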

Risk management software

Of course, all of this calculation can be done manually, but
it’s much easier to let software do it for you. Some popular enterprise-level
packages include:

Some of these and other risk management software packages
provide evaluation versions or “lite” versions.
However, commercial risk assessment software tends to be expensive. For example,
Enterprise Risk Assessor (ERA) Lite costs over $5000.

Starting small

But what if your company is still small? Does that mean you
don’t need a risk management program? On the contrary: because small businesses
usually operate on tighter budgets, with fewer surplus funds, it’s more
difficult for your small company to absorb a large loss than for a large
organization. Thus, identifying and managing your risks is, in many ways, even
more important. But your needs are different, and so is your ability to fund a
risk management program.

No matter what size your business is, you should have a
written business plan. Risk management should be a part of that plan, rather
than a standalone project. And it should be looked at as an ongoing process,
rather than a short-term project. Risks, especially in the IT area, are
constantly changing.

Even if your organization can’t afford a complex commercial
risk management solution or the high per-hour rates of professional risk
management consultants, there are tools available that you can use to make risk
assessment and control easier. Microsoft provides a free, comprehensive
Security Risk Management Guide on the TechNet Website that can help get you
started, at no cost. The file is a bit over 2 MB.

EDITOR’S NOTE: You
can download Microsoft’s Security Risk Management Guide at http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx.

The guide is not specific to Microsoft products; it is, in
their words, “technology agnostic.” It’s a 139-page document in PDF format, and
covers risk management concepts, risk management practices and a comparison of
different approaches (reactive vs. proactive, quantitative vs. qualitative),
phases of the risk management process, details of risk assessment, how to
conduct the decision support phase, tips for implementing control solutions,
and how to measure the effectiveness of the program.

The download is more than a “how to” guide. It also includes
XLS tools for gathering data, summarizing and prioritizing risk, as well as a
sample project schedule.

These tools can be used by organizations in any industry,
and of any size.

Scaling risk management

The basic concepts of risk management don’t change as your
business grows, but your implementation of risk controls probably will. Your
security risk management “team” may start out as one person; as the organization
grows, so should the team. The risk management process evolves along with your
overall security framework.

Free tools can remain useful even if you decide to implement
more sophisticated software solutions. The software simply makes the process more
automated. Building a solid knowledge of risk management practices while the
organization is small will help you to retain control over the process when it
becomes more automated, rather than simply relying on the software to do
everything for you.

Even if your company can’t afford a risk management package
now, you should plan ahead as you begin to formulate your initial risk
management plan, so that you’ll already know which package is right for you
when the time comes and what’s required to implement it. That will make the
transition much smoother.