Managing IT Risks Effectively

AN UNEXPECTED EMAIL

An email notification popped up on Jacob’s mobile with the subject “Important: Audit on IT Risks kick-off meeting”:

“Date: February 14th, 2022 Subject: Important: Audit on IT Risks kick-off meeting To: The CTO and Risk Management Offices

We inform you that on February 21st you are summoned to attend the kick-off meeting for the IT Risks audit, part of this year’s audit plan.

The audit has the following targets:

We kindly ask the CTO and Risk Management offices to submit to the undersigned all relevant evidence about the last three months by February 18th.

Best Regards,

The IT Internal Audit Team”.

Jacob, the CTO, forwarded the email to his team and called an urgent meeting.

“Hi everybody,” said Jacob, “I assume you read the email from our Internal Audit. Paul, I ask you to act as our interface, given your reporting responsibilities. Can you please share our latest KRIs?” Everyone was silent. Then Paul said: “Look, Jacob, I send all the raw data to the Risk Management function each month, but we don’t check how the KRIs are calculated, nor whether we have any issues or degradation.” Jacob was silent for a while, then added: “OK, and how do we stand in terms of policy compliance?” Another silence, and Paul again: “We honestly don’t know.”

Jacob started to understand how far these topics were from his top priorities, and how remarkably wrong that was.

He then arranged a meeting with Jane, the head of Risk Management, to discuss the KRIs and policy compliance. He did not like the outcome.

Four weeks later, the audit was finalized, and the results were pretty bad: “inadequate” was the summary rating sent to the CEO and board members. The rating applied to both the IT and the Risk Management functions, which were asked to provide a remediation plan within three months.

Sophie, the CEO, called Jacob: “Hey Jacob, how are you doing? I got this audit report, which looks pretty bad. I’d like to hear your point of view on it.” “Sure,” Jacob said.

Jacob met Sophie the following day: “Listen, Sophie, to be honest, we’ve not viewed IT risks as very relevant so far; we sent the data to Risk Management, but we did not care about it. Not enough, at least. I know it’s wrong, but we all need to take a step forward in our maturity here. I got it, and I will work with the team and Risk Management. You’ll see our joint plan in the upcoming weeks.” “I see,” replied Sophie, “and I also wonder what Risk Management is doing beyond collecting data and measuring the KRIs. Thank you, Jacob, I will talk to Jane too.”

Jacob tasked Paul with defining the plan, which was to integrate KRIs and IT risks into the team’s processes and establish effective collaboration with the IT Risk Management function.

Paul and the whole team worked on the plan, which resulted in the following commitments:

  • Discuss the KRI trend and improvement actions monthly
  • As a priority, bring IT risks to the table in decision making (for instance, prioritization and initiative approvals)
  • Hold quarterly meetings with the Risk Management function to discuss the KRI trend, share plans, assess compliance with Company policies, review risk scenarios and the adequacy of IT mitigation measures, and discuss possible enhancements

Jacob, Paul, and Jane met the CEO and shared the plan. Sophie was pleased.

After that, Jacob, Jane, and Paul met the Internal Audit team: Jane shared the plan, and the auditors appreciated it. Six months later, with implementation complete, the gap was closed. Sophie wrote to Jacob and Jane to congratulate them, and they shared the good news with their teams.

—-

WHY RISK MANAGEMENT MATTERS

This fictional story shows how risk management can be underrated by tech teams even though it is a decisive factor in decision making.

Risk mitigation is a priority for every organization, not only for the more regulated ones.

Establishing a solid practice in which the tech team works closely with the relevant IT functions (typically IT Governance and IT Security) to bring effective risk management onto their agendas is a fundamental step in maturity, and not only a matter of compliance.

RISK MANAGEMENT PILLARS

The main aspects to be considered are:

  • The organization’s risk appetite, meaning how much risk the organization is willing to accept, usually defined in a policy or similar document (known as the RAF, Risk Appetite Framework)
  • The organization’s risk management policy, which may have an IT-specific section: here risk scenarios, controls, and measures help determine how risks can be mitigated, whether the residual risk is acceptable against the RAF, and to what extent financial measures should be taken to protect the organization when a risk materializes
  • The risk culture in tech teams: bringing risk aspects and KRIs to their table leads to more risk-aware decisions and often makes the team more authoritative when presenting initiatives, for instance when those initiatives reduce operational risk for the Company
  • A pragmatic, business-value-driven approach that helps focus on the right priorities and strengthens the tech teams’ perception of usefulness, starting with manageable risks and mitigation measures and moving progressively toward more mature levels

STANDARDS AND FRAMEWORKS

The most relevant standards and frameworks for (IT) risk management are:

HOW IT WORKS IN PRACTICE

Let’s consider one of the most common risk scenarios, the unavailability of IT services:

  • IT Threats: cyberattack, IT operational incident, IT change implementation
  • Probability: the likelihood of occurrence, evaluated against historical data and asset-specific aspects (vulnerabilities, for instance)
  • Financial Impact: the economic value associated with an event in the scenario (penalties in case of an SLA breach, for example)
  • Risk Evaluation: probability times impact yields a classification (e.g., very high, high, medium, low); this can be applied to aggregated IT assets (those making up an application, for instance) or to a single IT element
  • IT Controls: the mitigation measures identified on the basis of the risk evaluation; in this example we assume cyberattack protection measures, IT incident prevention and management practices, IT change risk evaluation, and software testing practices
  • Mitigation Plan: the plan to implement/apply the IT controls and monitor them, including additional actions in case the residual risk does not fit within the RAF
  • Residual Risk: the risk that remains after the mitigation plan is implemented; it should be documented and, if it falls within the RAF, formally accepted by the IT service/asset owners, which also drives awareness
  • KRIs: monthly service unavailability hours, asset vulnerabilities, IT elements affected by cyberattacks (malware, for instance), and changes that failed or severely affected production

Scenarios, IT threats, IT controls, and KRI trends should all be part of a regular monitoring and review process involving both the IT and risk management functions.

International standards and frameworks also help by giving continuous access to up-to-date IT control libraries and IT threat catalogues.

Pragmatic tips to make sure the highest-impact risks are evaluated first:

  • Start by considering only total unavailability events
  • Start with the most critical assets/applications/services; how to define “critical”? Rating confidentiality, integrity and availability (the CIA triad) helps, or you can use your business impact analysis (BIA) outcomes to identify the applications supporting critical business processes and thus the most relevant IT assets
  • Start with the highest vulnerability severities
  • Consider changes that led to total unavailability and needed a rollback
  • Set up essential governance with the Risk Management function on KRI definition and trend analysis, including a review of the risk evaluation process.
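A worked example of the scenario evaluation above and of the “start with the worst” filters in the tips. This is an added illustration, not code from the original article: a small Python risk register that classifies probability times impact into a band, computes the four KRIs per month from raw records of the kind IT hands to Risk Management, checks them against RAF tolerances, and flags a KRI whose trend is degrading. The 1-5 scales, the band thresholds, the tolerances, the asset names and the sample events are all constructed assumptions.

```python
"""Added example (not from the article): minimal IT-risk register for the
'unavailability of IT services' scenario. All scales, thresholds, asset names
and sample records are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed 1-5 ordinal scales; score bands are illustrative, not from the page.
RISK_BANDS = ((20, "very high"), (12, "high"), (6, "medium"))


def risk_level(probability: int, impact: int) -> str:
    """Risk Evaluation step: probability x impact mapped onto a classification."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be integers on a 1-5 scale")
    score = probability * impact
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    return "low"


@dataclass
class Event:
    """One raw monthly record (constructed shape, not a real export format)."""
    month: str                 # "YYYY-MM"
    asset: str
    kind: str                  # "outage" | "vulnerability" | "malware" | "change"
    total: bool = False        # total unavailability, as opposed to a degradation
    hours: float = 0.0         # unavailability hours, for outages
    severity: str = ""         # "critical" | "high" | "medium" | "low", for vulnerabilities
    rolled_back: bool = False  # change had to be rolled back


# Assumed BIA outcome: the assets behind the critical business processes.
CRITICAL_ASSETS = frozenset({"payments-api", "core-db"})
KRI_NAMES = ("unavailability_hours", "critical_vulns", "malware_assets", "rollback_changes")


def monthly_kris(events: List[Event], critical_assets=CRITICAL_ASSETS) -> Dict[str, Dict[str, float]]:
    """Build the four KRIs per month, applying the article's filters: critical assets
    only, total outages only, critical/high vulnerabilities only, and only changes
    that caused total unavailability and needed a rollback."""
    kris: Dict[str, Dict[str, float]] = {}
    malware_hits: Dict[str, set] = {}
    for e in events:
        m = kris.setdefault(e.month, dict.fromkeys(KRI_NAMES, 0))
        if e.asset not in critical_assets:
            continue
        if e.kind == "outage" and e.total:
            m["unavailability_hours"] += e.hours
        elif e.kind == "vulnerability" and e.severity in ("critical", "high"):
            m["critical_vulns"] += 1
        elif e.kind == "malware":
            malware_hits.setdefault(e.month, set()).add(e.asset)
        elif e.kind == "change" and e.total and e.rolled_back:
            m["rollback_changes"] += 1
    for month, assets in malware_hits.items():
        kris[month]["malware_assets"] = len(assets)  # distinct assets, not alert count
    return kris


# Assumed RAF tolerances per KRI per month; exceeding one is a residual-risk finding.
TOLERANCES = {"unavailability_hours": 4.0, "critical_vulns": 2, "malware_assets": 0, "rollback_changes": 0}


def tolerance_breaches(kris, tolerances=TOLERANCES) -> List[Tuple[str, str, float]]:
    """(month, kri, value) for every KRI above its tolerance, in month order."""
    return [(month, name, kris[month][name])
            for month in sorted(kris)
            for name in KRI_NAMES
            if kris[month][name] > tolerances[name]]


def degrading(kris, name: str, window: int = 3) -> bool:
    """True when a KRI has risen strictly every month over the last `window` months."""
    values = [kris[m][name] for m in sorted(kris)][-window:]
    return len(values) >= 2 and all(a < b for a, b in zip(values, values[1:]))


# Constructed sample records for one quarter.
SAMPLE_EVENTS = [
    Event("2022-01", "payments-api", "outage", total=True, hours=2.5),
    Event("2022-01", "intranet-wiki", "outage", total=True, hours=10.0),   # non-critical asset
    Event("2022-01", "core-db", "vulnerability", severity="critical"),
    Event("2022-01", "core-db", "vulnerability", severity="low"),           # below severity filter
    Event("2022-02", "payments-api", "outage", total=True, hours=4.0),
    Event("2022-02", "payments-api", "outage", total=False, hours=3.0),     # degradation only
    Event("2022-02", "payments-api", "malware"),
    Event("2022-02", "core-db", "change", total=True, rolled_back=True),
    Event("2022-03", "core-db", "outage", total=True, hours=6.0),
    Event("2022-03", "payments-api", "vulnerability", severity="high"),
    Event("2022-03", "core-db", "change", total=False, rolled_back=True),   # rollback without outage
]

if __name__ == "__main__":
    print("scenario risk level:", risk_level(probability=4, impact=5))
    kris = monthly_kris(SAMPLE_EVENTS)
    for month in sorted(kris):
        print(month, kris[month])
    print("RAF breaches:", tolerance_breaches(kris))
    print("unavailability trend degrading:", degrading(kris, "unavailability_hours"))
```

Run as a script it prints the quarter’s KRIs, the months in which a KRI exceeded its assumed tolerance, and whether unavailability hours are rising month over month; those are exactly the items the monthly IT review and the quarterly meeting with Risk Management would put on the table.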

CONCLUSIONS

IT risk management matters in every organization, from the smallest to large corporations. Every business aims to protect itself from risk, and in a world where everything becomes more and more digital, IT risks play an ever more crucial role.

Being effective makes a real difference: selecting the relevant risks, choosing wise and actionable mitigation initiatives, weighing costs against risk options and organizational maturity, and building a dynamic relationship between the IT and risk management functions.