Blog

Simple Information Technology Risk Management
IT departments are constantly dealing with a range of priorities such as developing new systems, modernizing existing technologies, and sometimes just keeping the lights on. Because of this, it is sometimes a challenge to ensure that all critical risks are being effectively managed.
This blog aims to provide some steps that IT leaders can undertake to implement a simple risk management strategy.
Setting things up
Responsibility: Make someone responsible for risk management. I have found that appointing a risk manager who is close to the CIO or IT manager has the most benefit. The responsible person should be well respected and liked by her/his colleagues. It requires someone with the skills to encourage participation in the risk process but the backbone to push back when necessary. It is an important role, and identifying the appropriate person is essential to success.
Risk catalog: The next step is to develop a risk catalog listing the main risks facing the business. Its purpose is to define critical risk categories so that all significant aspects are covered. Drawing on the experience of IT managers and the internal risk team is important in nailing down what is essential. A simple list of 10 or so risk categories will go a long way towards providing a list of risks to worry about. Risk categories pertinent to IT departments could include strategic risk, infrastructure risk, information security risk, application risk, project risk, people risk, third-party risk, facilities risk, legal/compliance risk, etc.
The risk management process
Once responsibility for risk management is defined and a risk catalog established, the following simple process can be used to manage risk.
- Maintain a list of assurance: The risk manager should obtain a list of all assurance completed in the last three years or so. This includes internal and external audits, management reviews, risk assessments, penetration tests, incident reports, etc. These reports will give an excellent view of the risk position of the organisation.
- Log results in a risk register: Issues identified in assurance should be logged in a risk register. A spreadsheet should suffice for this purpose. This will just be a list of issues identified that require remediation. It is good practice to map the issues against the risk categories and give each item a “risk rating” of high, medium, or low using the potential likelihood/impact of occurrence as a guide.
- Allocate responsibility to line management: Once all the issues are logged in the risk register, the next step is to make a line manager responsible for remediating each item. This will have to be agreed upon with the line manager in question.
- Prioritisation: The risk manager should then meet with the line managers to work on prioritising and planning remediation of issues in the risk register. The risk ratings can be used as a guide for prioritising issues. If possible, remediation of issues should be incorporated with other work that is already happening. Another idea is to create a top 10 or 20 list of projects to highlight the remediation priorities.
- Remediate: The line managers will be responsible for remediating the issues. The risk manager can assist by getting “buy-in” from senior management within the IT department to allow the line managers the time and resources to remediate issues.
- Ongoing risk register review: The risk manager should establish regular catch-ups with the line managers and update the status of issues in the risk register.
- Plan assurance: Once a year, the risk manager should review the risk catalog and assurance done previously and plan assurance for the coming year. From here the process above can be executed; namely, log the assurance results in the register, allocate responsibility, prioritise, remediate and monitor issues.
Risk governance and reporting
Risk reporting: The last aspect of this simple risk management process is reporting the status of issues under remediation to management committees. This forms an essential part of the risk management strategy. If issues are not being resolved, it may become necessary to escalate to other appropriate forums. Keeping score of the number of issues open vs remediated will give management a view of how the organisation is progressing in improving its risk position.
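The register and scorecard described in the process steps above and in the reporting paragraph, worked through as a small structured model. This is an added example, not code from the original post: it assumes a 1 to 5 likelihood and impact scale, assumed high/medium/low thresholds on the product of the two, and constructed sample issues; the category names are the ones the post suggests.

```python
"""Minimal risk register, a structured stand-in for the spreadsheet the post
describes. Added example, not from the original post. The 1-5 scale and the
rating thresholds are assumptions; adjust them to your own risk appetite."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Risk categories taken from the post's suggested catalog
CATEGORIES = {
    "strategic", "infrastructure", "information security", "application",
    "project", "people", "third-party", "facilities", "legal/compliance",
}
STATUSES = {"open", "in-progress", "remediated"}
RATING_ORDER = {"high": 0, "medium": 1, "low": 2}


def rate(likelihood: int, impact: int) -> str:
    """Map likelihood x impact (each 1-5, assumed scale) to high/medium/low.
    Thresholds (>=12 high, >=6 medium) are an assumption, not from the post."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be between 1 and 5")
    score = likelihood * impact
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass
class Issue:
    id: str
    description: str
    category: str
    source: str                 # assurance activity that raised it (audit, pentest, ...)
    likelihood: int
    impact: int
    owner: Optional[str] = None  # line manager responsible for remediation
    status: str = "open"

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category {self.category!r}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")
        self.rating = rate(self.likelihood, self.impact)


class RiskRegister:
    def __init__(self) -> None:
        self.issues: Dict[str, Issue] = {}

    def log(self, issue: Issue) -> None:
        """Log an assurance finding; ids must be unique."""
        if issue.id in self.issues:
            raise ValueError(f"duplicate issue id {issue.id}")
        self.issues[issue.id] = issue

    def assign(self, issue_id: str, owner: str) -> None:
        """Allocate responsibility to a line manager."""
        self.issues[issue_id].owner = owner

    def update_status(self, issue_id: str, status: str) -> None:
        """Record progress during the regular catch-ups."""
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        self.issues[issue_id].status = status

    def prioritised(self) -> List[Issue]:
        """Rating first, then raw score, then id, so the ordering is stable."""
        return sorted(
            self.issues.values(),
            key=lambda i: (RATING_ORDER[i.rating], -(i.likelihood * i.impact), i.id),
        )

    def top(self, n: int = 10) -> List[Issue]:
        """The post's 'top 10 or 20' remediation list."""
        return self.prioritised()[:n]

    def unowned(self) -> List[Issue]:
        """Issues nobody has agreed to own yet; a gap to close before prioritising."""
        return [i for i in self.issues.values() if i.owner is None]

    def scorecard(self) -> dict:
        """Open vs remediated counts, overall and per category, for governance reporting."""
        overall = Counter(i.status for i in self.issues.values())
        by_category: Dict[str, Counter] = {}
        for i in self.issues.values():
            by_category.setdefault(i.category, Counter())[i.status] += 1
        return {"overall": dict(overall),
                "by_category": {c: dict(v) for c, v in by_category.items()}}


def build_sample_register() -> RiskRegister:
    """Constructed sample issues, purely illustrative."""
    reg = RiskRegister()
    reg.log(Issue("R-001", "Unsupported OS on file servers", "infrastructure", "internal audit", 4, 4))
    reg.log(Issue("R-002", "No MFA on remote access", "information security", "penetration test", 3, 5))
    reg.log(Issue("R-003", "Vendor contract lacks security clauses", "third-party", "management review", 2, 3))
    reg.log(Issue("R-004", "Single admin knows the billing app", "people", "risk assessment", 3, 2))
    reg.assign("R-001", "infrastructure manager")
    reg.assign("R-002", "security manager")
    reg.assign("R-003", "procurement manager")
    reg.update_status("R-003", "remediated")
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for issue in register.top():
        print(issue.rating, issue.id, issue.owner or "UNOWNED", issue.description)
    print(register.scorecard())
```

The scorecard output is what the management committee sees; the `unowned()` check is worth running before each catch-up, because an issue with no agreed owner is the one most likely to stall.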
Conclusion
So that’s it: a simple risk management process that can achieve quite a lot with limited resources. Fundamental to this process is maintaining a risk register and applying governance reporting over the issues.
This process can easily be executed as a “part-time job” by someone within an IT department.