What is IT Risk Management?
IT risk management is a subset of enterprise risk management (ERM), designed to bring IT risk in line with an organization’s risk appetite. IT risk management (ITRM) encompasses the policies, procedures and technology necessary to reduce threats and vulnerabilities, while maintaining compliance with applicable regulatory requirements. In addition, ITRM seeks to limit the consequences of destructive events, such as security breaches.
Typically, ITRM focuses on risk identification and analysis, risk evaluation and prioritization, and risk mitigation. Because infrastructure, business priorities and threats are constantly evolving, IT risk management should be treated as a continuous process.
How Does IT Risk Management Work?
Today, businesses grapple with a variety of risks. Those include cyber, privacy, operational and compliance risks, as well as risks to corporate reputation and the bottom line. While the appetite and tolerance for risk vary from company to company, every organization must develop a risk management strategy. For IT teams, it’s about aligning IT risk with operational and enterprise risk management -- not an easy task.
ITRM includes many moving parts. Typically, it follows these steps:
- Collect information needed to assess risks
- Identify valuable assets across the organization and determine the potential consequences if assets are damaged by uncontrolled risk
- Identify internal/external threats and vulnerabilities and assess the likelihood of those vulnerabilities being exploited
- Analyze the effectiveness of existing controls and decide whether additional controls are needed
- Prioritize risks and remediation efforts
- Recommend controls
- Develop a strategy for IT infrastructure enhancements that will mitigate the most critical vulnerabilities
- Define mitigation processes
- Evaluate ITRM efforts and measure results
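The steps above are easier to see with numbers attached. The following is an added example written for this page, not code from the article or from any of the frameworks or vendors it names: a small risk register that scores each asset/threat pairing by likelihood and impact (steps 2 and 3), applies the effectiveness of existing controls to obtain residual risk (step 4), ranks what still exceeds the organization's risk appetite (step 5), and works out how much additional control each such risk needs (steps 6 to 8). The 1-to-5 ordinal scales, the appetite threshold of 8, the assumption that controls reduce likelihood rather than impact, and every entry in the sample register are constructed assumptions for illustration, not figures from the article.

```python
from dataclasses import dataclass

# Assumed ordinal scales for this example (the article prescribes none).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed organizational risk appetite: residual scores above this need treatment.
RISK_APPETITE = 8.0


@dataclass
class Risk:
    asset: str                    # valuable asset identified in step 2
    threat: str                   # threat/vulnerability pairing from step 3
    likelihood: int               # 1..5, likelihood of exploitation before controls
    impact: int                   # 1..5, consequence if the asset is damaged
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective), step 4

    def __post_init__(self):
        # Reject out-of-scale inputs early; a bad score silently corrupts the ranking.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be 1..5, got {self.impact}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"control_effectiveness must be 0..1, got {self.control_effectiveness}")

    def inherent_score(self) -> int:
        """Risk before any controls: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk after existing controls. Assumption: controls lower likelihood only;
        a control that lowers impact (e.g. tested backups) would need its own factor."""
        return round(self.likelihood * (1.0 - self.control_effectiveness) * self.impact, 2)

    def required_effectiveness(self, appetite: float = RISK_APPETITE) -> float:
        """Minimum combined control effectiveness that brings residual risk within
        appetite; 0.0 when inherent risk is already within appetite."""
        return round(max(0.0, 1.0 - appetite / self.inherent_score()), 2)


def prioritize(register, appetite=RISK_APPETITE):
    """Step 5: risks whose residual score exceeds appetite, highest first."""
    above = [r for r in register if r.residual_score() > appetite]
    return sorted(above, key=lambda r: r.residual_score(), reverse=True)


def treatment_plan(register, appetite=RISK_APPETITE):
    """Steps 6 to 8: for each prioritized risk, the control gap that must be closed."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "current_control": r.control_effectiveness,
            "needed_control": r.required_effectiveness(appetite),
        }
        for r in prioritize(register, appetite)
    ]


# Constructed sample register; none of these entries describe a real organization.
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection via public web app", 4, 5, 0.5),
    Risk("payroll server", "ransomware delivered by phishing", 3, 5, 0.7),
    Risk("build pipeline", "compromised third-party dependency", 3, 4, 0.0),
    Risk("office Wi-Fi", "rogue access point", 2, 2, 0.0),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
```

Running it lists the build pipeline (inherent 12, no control, residual 12) ahead of the customer database (inherent 20, 50% controlled, residual 10); the payroll server falls within appetite because its existing control already exceeds the 0.47 effectiveness its inherent score demands. The point for step 9 is that the same function, re-run after a control is deployed and its effectiveness re-estimated, shows whether the remediation actually moved the risk inside appetite.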
While the above steps are important, they can be time-consuming and require a breadth of institutional knowledge to execute. IT teams can use frameworks to guide their efforts and achieve the best results. Frameworks provide a structured methodology for risk governance, evaluation and response.
Popular frameworks include the following:
- ISACA’s Risk IT Framework
- COBIT (Control Objectives for Information and Related Technology)
- The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework
- Factor Analysis of Information Risk (FAIR)
- ISO 27005
- ISO 31000
- NIST SP 800-39
What Are the Benefits and Drawbacks of IT Risk Management?
When organizations take a risk-first approach to IT compliance, research shows they reduce the likelihood of security incidents. That is just one reason why all organizations today should take IT risk management seriously.
While ITRM frameworks provide useful guidance, it’s easy for IT teams to suffer from “framework overload.” Veronica Rose, ISACA board director and an information systems auditor at Metropol Corp. Ltd., recommends the use of a combination of frameworks to achieve the best results. For example, the ISACA Risk IT framework aligns well with the COBIT 2019 framework, Rose said.
The complicated nature of ITRM frameworks, however, has led to the rise of ITRM products. Many organizations opt to use tools and/or services based on one or more ITRM frameworks. These offerings typically aim to control IT and cyber risks, comply with applicable regulations, and integrate ITRM with ERM.
ITRM tools can provide the following features:
- Workflow automation and management
- Data integration and connectors
- Information and asset discovery and inventory
- Identity and access management
- Risk analysis
- Regulatory and policy content mapping management
- Threat and vulnerability management integrations
- Incident management integration
- Risk remediation lifecycle
- Data loss prevention capabilities
- Real-time assessments
Some tools, like Allgress Insight Risk Management Suite, ZenGRC, ServiceNow GRC and OneTrust GRC, focus narrowly on the governance, risk and compliance (GRC) subset of ITRM, while others have broader applications. More extensive tools usually offer additional modules dedicated to specific areas of risk management. Popular ITRM tools for broad use include RSA Archer IT & Security Risk Management, Diligent’s ITRMBond, IBM OpenPages with Watson, LogicManager, MetricStream, NAVEX Global’s Lockpath Integrated Risk Management, and SAI360.
Whether organizations attempt to tackle ITRM in house with the help of frameworks or deploy ITRM products, they should seek the same outcome -- achieving advanced asset oversight, risk identification and mitigation, compliance, performance, incident and business continuity management, and decision making.
Examples of IT Risk Management Products
Below are five instances of organizations that have deployed ITRM products to achieve their risk management goals.
Gain visibility into risk and compliance practices: A bank with more than 22,000 employees, 1,200 branches, and a slate of banking, insurance, leasing and storage businesses needed better risk and compliance management practices than its existing spreadsheets and homegrown systems could support. The bank deployed Archer’s operational risk management offering, followed by Archer Audit Management. With risk and compliance data centralized on one platform, the bank gained a consolidated, real-time view of risk and compliance across its business portfolio.
Align risk management with corporate goals: A Fortune 500 company in a highly regulated industry needed to integrate its disparate risk management initiatives and align them with corporate goals. Using MetricStream’s enterprise-wide risk and internal controls platform, as well as the platform’s modules for compliance, the company identified and assessed key risk exposures. In addition, the platform made it possible to measure, monitor and control the company’s risk exposures at multiple organizational levels. The platform also validated the strength of internal controls and adherence to regulatory policies, while ensuring accountability by enforcing the flow of information and records.
Plug gaps in risk management and compliance: A property and casualty insurance company needed to understand gaps in its risk management and compliance program. The company started with LogicManager’s ERM offering, which aims to collect and share risk intelligence, uncover root causes of risks, and reaggregate information. Using this ERM approach in combination with the gap analysis method recommended by the RIMS Risk Maturity Model, the insurance company could identify critical business needs and allocate resources accordingly.
Standardize the risk management approach: A green energy consultancy and service provider needed a better way to stay on top of environmental, health and safety (EHS) performance and risk across the organization. Its existing approach, which used spreadsheets, Word documents and a legacy incident management system, was inadequate for measuring risk and understanding liabilities. The company implemented SAI360’s EHS and operational risk management platform. The platform included four modules: Audit Management, Behavioral-Based Safety, Incident Management and Risk Management. The combined modules improved the company’s audit planning and follow-up; provided preventive safety reporting; created a single source of truth for recording and responding to incidents and events; and aligned the risk management process with established standards.
Improve global GRC management: An international software and analytics technology vendor needed its global GRC management to meet the terms of the EU’s General Data Protection Regulation and the ISO 27001 information security standard. The company implemented OneTrust GRC. The team could then link controls and risk mitigation efforts across standards and regulations, reducing time and effort spent on risk management. In addition, the platform’s audit management module helped the company prioritize actions and take a more risk-based approach to auditing.