Friday, September 25, 2009

Risk Management

No doubt the potential of IT risk management is still a well-kept secret. Over the past few years, many organizations have increased the effectiveness of their IT controls or reduced their cost by employing sound risk-analysis and risk-management practices. When management has a representative view of organizational IT exposures, it can direct appropriate resources to mitigate the areas of highest risk rather than spending scarce resources in areas that provide little or no return on investment. The net result is a higher degree of risk reduction for every dollar spent. With few exceptions, whether related to financial, physical, or technological resources, different types of risk can be calculated using the same universal formula. Risk can be defined by the following calculation:


Risk = asset value × threat × vulnerability

Elements of Risk

  • Assets: Normally represented as a monetary value, assets can be defined as anything of worth to an organization that can be damaged, compromised, or destroyed by an accidental or deliberate action. In reality, an asset’s worth is rarely the simple cost of replacement; therefore, to get an accurate measure of risk, an asset should be valued taking into account the bottom-line cost of its compromise. For example, a breach of personal information may not cause a monetary loss at first glance, but if it actually were realized, it likely would result in legal action, damage to the company’s reputation, and regulatory penalties. These consequences potentially would cause a significant financial loss. In this case, the asset-value portion of the equation would represent the personal information, and its calculated value would include an estimate of the cumulative dollar cost of the legal action, reputation damage, and regulatory penalties.
  • Threats: A threat can be defined as a potential event that, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. Threats are generalized as a percentage, but two factors play into the severity of a threat: degree of loss and likelihood of occurrence. The exposure factor is used to represent the degree of loss; it is simply an estimate of the percentage of the asset lost if the threat is realized.
  • Vulnerabilities: A vulnerability can be defined as the absence or weakness of the cumulative controls protecting a particular asset. Vulnerabilities are estimated as percentages based on the level of control weakness: the control deficiency (CD) is calculated by subtracting the effectiveness of the control from 1 (100 percent).
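The formula above, worked through in code as an added example (not from the original post). It assumes the threat term is the exposure factor multiplied by the likelihood of occurrence, the vulnerability term is the control deficiency (1 minus control effectiveness), and the asset values, percentages and control costs are constructed sample figures. It also shows the post's closing point: ranking by raw risk and ranking by risk reduction per dollar can point at different assets.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair, using the elements of risk defined in the post."""
    name: str
    asset_value: float            # bottom-line cost of compromise, in dollars
    exposure_factor: float        # fraction of the asset lost if the threat is realized (0..1)
    likelihood: float             # probability the threat is realized in the period (0..1)
    control_effectiveness: float  # how well existing controls protect the asset (0..1)


def _check_fraction(value: float, label: str) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")


def control_deficiency(effectiveness: float) -> float:
    """Vulnerability term: CD = 1 - control effectiveness."""
    _check_fraction(effectiveness, "control effectiveness")
    return 1.0 - effectiveness


def threat(exposure_factor: float, likelihood: float) -> float:
    """Threat term: degree of loss x likelihood of occurrence (assumed combination)."""
    _check_fraction(exposure_factor, "exposure factor")
    _check_fraction(likelihood, "likelihood")
    return exposure_factor * likelihood


def risk(e: Exposure) -> float:
    """Risk = asset value x threat x vulnerability, in expected dollars lost."""
    return e.asset_value * threat(e.exposure_factor, e.likelihood) * control_deficiency(e.control_effectiveness)


def rank_by_risk(exposures: list[Exposure]) -> list[Exposure]:
    """Highest-risk exposures first, so management sees where exposure is concentrated."""
    return sorted(exposures, key=risk, reverse=True)


def risk_reduction_per_dollar(e: Exposure, new_effectiveness: float, cost: float) -> float:
    """Dollars of risk removed per dollar spent if a control raises effectiveness to new_effectiveness."""
    if cost <= 0:
        raise ValueError("control cost must be positive")
    improved = replace(e, control_effectiveness=new_effectiveness)
    return (risk(e) - risk(improved)) / cost


# Constructed sample figures, not real data.
SAMPLE_EXPOSURES = [
    Exposure("customer PII database", 2_000_000, 0.5, 0.10, 0.6),  # risk: 40,000
    Exposure("public marketing site", 50_000, 1.0, 0.40, 0.2),     # risk: 16,000
    Exposure("internal wiki", 20_000, 0.3, 0.25, 0.5),             # risk: 750
]
```

For the sample figures, the PII database carries the most risk, yet a $5,000 control on the marketing site (effectiveness 0.2 to 0.7) returns $2.00 of risk reduction per dollar versus $1.50 for a $20,000 control on the database (0.6 to 0.9).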

IT Risk Management Life Cycle

As with most methodologies, risk management, when applied properly, takes on the characteristics of a life cycle. It can be broken out into several phases beginning with identification of information assets and culminating with management of residual risk.
