How to manage technology risks: A project management approach

All organizations face uncertainty. The effect this uncertainty has on an organization’s objectives is referred to as “risk.” The challenge for management is to determine how much uncertainty or risk to accept and how to manage it to an acceptable level.

Traditionally, we have looked at risk as an event that results in harm or loss, to be addressed through insurance or a disaster recovery plan. Risk also means chance and opportunity. Risk management includes the strategies, processes, systems, and people directed toward the effective management of potential threats and opportunities. The goal of risk management is to provide stakeholders with reasonable assurance that your organization’s objectives will be achieved, opportunities will be identified and seized, and future risk response decisions are appropriate.

A risk management program can consider strategic, financial, operational, compliance, and knowledge management risks across all departments and functions within the organization. The program can also be applied at a department, business function (e.g., technology or similar operational area), or even at a project level.

Technology risk management

Operations staff may be asked to evaluate technology risks as part of a larger Enterprise Risk Management (ERM) effort. Regulators in highly regulated industries are also driving the requirements for focused technology risk management. Many regulators require that programs be in place, primarily to evaluate and manage risks associated with the security and privacy of sensitive customer (e.g., cardholder, customer, patient, student, etc.) information.

Consider the following:

  • Disaster preparedness and recovery
  • Data security
  • Information privacy
  • Compliance (with laws and regulations)
  • System Development Life Cycle (software development) projects
  • Large-scale system implementation and integration projects
  • Management of vendor/servicer arrangements

Now consider the following questions regarding those efforts:

  • What might go wrong?
  • What might happen if it does go wrong?
  • How do we prevent it from going wrong?
  • How will we know if it does go wrong?
  • What will we do when it goes wrong?

The answers to these questions form the basis of risk management, including risk identification and impact, remediation, and monitoring and response.

Risk management approach

Risk management is a rapidly developing discipline, and there are a number of “competing” standards describing the process. The ERM process should be managed like a project. It requires sponsorship and leadership along with a project plan, scope, and objectives.

It is also important to know what other risk management and governance projects are underway in your organization, what standards are in place, and how your efforts will fit in the overall structure. Most standards identify the following common tasks:

  • Establishing scope and risk context
  • Identifying and analyzing risks
  • Designing risk management mitigation strategies
  • Implementing the strategies
  • Monitoring and measuring results

Scope and context

It is important to understand the organization’s objectives, philosophy and culture, strategies, and internal and external SWOTs (strengths, weaknesses, opportunities, and threats) to fully understand the potential risks and impact.

Unless there is a process in place, it may not be easy to determine top management’s risk management philosophy, risk appetite, commitment to competence, and ethical values. These should be understood so you have a general direction when considering risk management strategies later in the process.

Risk identification and analysis

Risk identification and analysis is the process of determining the likelihood and consequence (impact) of an event. The process should be structured to ensure all significant activities in the organization (or business unit, function, or project) are considered and all significant risks associated with these activities are identified. Facilitated group discussions may be an effective way to gather this information. Other risk identification techniques include:

  • Questionnaires
  • Industry benchmarking
  • Scenario analysis
  • Results of event tracking and historic trend analysis

Many organizations are comfortable using a simple low-medium-high scale or a numeric value (1-3) to describe likelihood and impact. If other risk management activities are underway, the same scale should be an organization-wide standard so that results can be compared across efforts.

The assessment should include quantitative factors such as dollars, percentages, time, and number of transactions. It is also common to include qualitative factors such as loss of customers and market share, damaged reputation, or loss of stakeholder confidence.

The final step in this phase is to identify and document the controls currently in place to manage the identified risks. The risks remaining after these controls are considered are referred to as residual risk and must be addressed while designing your strategies.

A spreadsheet or risk profile worksheet may be an appropriate tool to record each event and its likelihood. The spreadsheet can then be updated in later phases as impact, mitigating controls, residual risk, and action items are identified.

Designing risk strategies

When the risk analysis is completed, it is necessary to make decisions about the significance of the risks to your organization and whether risks should be accepted or treated. Risk mitigation (fixing the problem) is a common treatment. Other strategies include risk transfer (to a third party), risk financing (through insurance), risk avoidance (conscious decision not to proceed), and risk acceptance (deal with it when/if it happens). It may sound simple to accept risks that have a low likelihood and low potential impact. The same can be said about mitigating/fixing risks that have a high likelihood and high potential impact.

Developing sound strategies should help manage risks to an acceptable level. The goal is not to eliminate risk but to mitigate it up to the point where the cost of further mitigation would outweigh the potential benefit. This assumes that you have estimated the cost of addressing, and of not addressing, each risk. Remember, someone has to pay for all of this. At a minimum, the risk treatment should ensure:

  • Compliance with laws and regulations
  • Effective system of internal controls
  • Accurate financial reporting
  • Effective response program for critical risks

Implementation

Implementation goes well beyond the treatment of a particular risk. Risk management is a continuous process that requires leadership and the authority to drive the program. Factors for success include:

  • Determining roles and responsibilities for the Board, senior management, business units, and internal audit
  • Developing appropriate policies and procedures
  • Building a risk-aware culture through ongoing training
  • Developing incident response policies and procedures, including contingency plans
  • Developing performance metrics and reporting structure

Measuring and monitoring for success

An effective risk management program requires a reporting and review structure to ensure controls are operating effectively and changes in the organization are accounted for. Monitoring can be built into the organization’s existing governance structure. Consider how risk measurement and monitoring can be integrated:

  • Internal audit program
  • Governance, risk management, and compliance (GRC) programs
  • Performance measurement and scorecard initiatives
  • Independent Validation & Verification (IV&V) activities
  • Customer and stakeholder surveys and feedback
  • Senior management and Board reporting packets
  • Strategy-setting procedures

We can help

With over 25 years of experience with IT audit, outsourced internal audit, and risk management, we are happy to answer any questions you may have. We can help you implement a complete technology risk management program or assist you with risk assessments, incident response programs, or business contingency planning.

Contact Mark Caiazzo or Chris Ellingwood.
