Governance, Risk & Compliance Advisory Blog

Insights on best practices related to IT Audit & Compliance

Overview on Risk Management and Approach to Risk Management

June 5, 2010 22:57 by author nirav

Risk can be defined as the effect of uncertainty on objectives, whether positive or negative. In an IT context it can also be defined as the negative impact of the exercise of a vulnerability, considering both the probability and the impact of its occurrence. Risk management can therefore be considered the identification, assessment and prioritization of risks, followed by either acceptance of the risks or a judicious use of resources to mitigate, monitor and control their probability and/or impact. Today's technology is prone to attack, so every organization has a responsibility to have systems in place that protect its information in support of its mission. Risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk. IT risks can take the form of leaks of confidential information, failure of a critical IT component, or attacks such as viruses, hacking and spoofing. An effective risk management process is an important component of a successful IT security program. Its goal should not be just to protect the company's IT assets; it should also help the company meet its objectives.

Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT systems, but as an important management function of the organization. Other considerations that an organization must keep in mind are:

  • Information Risk Management approach must be aligned with organizational goals.
  • It must be understood and supported across the top management of the organization.
  • Regular reporting to management is essential to demonstrate the value provided by effective Information Risk Management practices.

Risk Management should ideally focus on the following aspects:

  • Risk Assessment - Identify all information assets and classify them into groups. For each asset, identify and analyse the threats that can affect it, its vulnerability to each threat, and the probability of the threat inflicting harm on the asset, to arrive at a risk score.
  • Defining acceptable levels of Risk - Since risks can never be completely eliminated, and since every mitigating control has a cost and a bearing on operational efficiency, an acceptable level of risk should be defined.
  • Mitigating Controls - Identify and implement the mitigating controls corresponding to each threat to the identified assets. These controls are to be monitored on a continuous basis to ensure protection.
  • Reporting Structure - Regular reporting should cover the balance between the level of risk the organisation faces, its acceptable level of risk, and the effort and resources being put into reducing the risks. More importantly, the reporting should show all stakeholders how effective the risk management efforts are at achieving the desired ends and meeting strategic objectives.
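To make the four aspects above concrete, here is a small risk register in Python. It is an added example and not the post's own method: the three-point likelihood and impact scales, the assets, the threats, the effect each control has and the control costs are all constructed assumptions. It scores each asset/threat pair, applies mitigating controls to get a residual score, compares that against a defined acceptable level, and produces the kind of summary a management report would carry.

```python
"""Toy information risk register (constructed example, not the post's own method).

Models the four aspects described above: assess each asset/threat pair to get
a risk score, define an acceptable level, apply mitigating controls, and
report the balance between residual risk, the acceptable level and spend.
"""
from dataclasses import dataclass, field

# Three-point qualitative scale for likelihood and impact (an assumption;
# the post does not prescribe a scale). Score = likelihood * impact, 1..9.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    reduces: str       # "likelihood" or "impact"
    by: int            # scale steps removed (assumed effect of the control)
    annual_cost: int   # assumed cost in arbitrary currency units


@dataclass
class Risk:
    asset: str
    classification: str              # asset group, e.g. "confidential"
    threat: str
    likelihood: str                  # probability the threat harms the asset
    impact: str                      # harm to the organisation if it does
    controls: list = field(default_factory=list)

    def label(self) -> str:
        return f"{self.asset}: {self.threat}"

    def inherent_score(self) -> int:
        """Risk score before any mitigating control is applied."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def residual_score(self) -> int:
        """Risk score after controls; a level never drops below 1 because
        a risk can never be completely eliminated."""
        lik, imp = LEVEL[self.likelihood], LEVEL[self.impact]
        for c in self.controls:
            if c.reduces == "likelihood":
                lik = max(1, lik - c.by)
            else:
                imp = max(1, imp - c.by)
        return lik * imp


def assess(register: list, acceptable_level: int) -> dict:
    """Compare every residual risk with the acceptable level and summarise
    what management needs to see: risks still above the line, and spend."""
    above = [r.label() for r in register if r.residual_score() > acceptable_level]
    spend = sum(c.annual_cost for r in register for c in r.controls)
    return {
        "acceptable_level": acceptable_level,
        "total_risks": len(register),
        "above_acceptable": above,
        "control_spend": spend,
    }


def management_report(register: list, acceptable_level: int) -> str:
    """Plain-text reporting view: inherent vs residual score per risk,
    highest residual risk first, flagged when above the acceptable level."""
    lines = [f"Acceptable level: {acceptable_level}"]
    for r in sorted(register, key=lambda r: r.residual_score(), reverse=True):
        flag = "ACTION" if r.residual_score() > acceptable_level else "ok"
        lines.append(f"{flag:6} {r.inherent_score()} -> {r.residual_score()}  "
                     f"{r.label()} [{r.classification}]")
    summary = assess(register, acceptable_level)
    lines.append(f"Control spend: {summary['control_spend']}; "
                 f"{len(summary['above_acceptable'])} of {summary['total_risks']} "
                 f"risks above acceptable level")
    return "\n".join(lines)


def sample_register() -> list:
    """Constructed register: assets, threats, ratings and costs are all made up."""
    return [
        Risk("Customer database", "confidential", "leak via stolen backup media",
             "medium", "high", [Control("backup encryption", "impact", 2, 500)]),
        Risk("Core switch", "internal", "hardware failure",
             "medium", "high", [Control("redundant switch", "impact", 1, 800)]),
        Risk("Workstations", "internal", "malware infection",
             "high", "medium", [Control("antivirus updates", "likelihood", 1, 200),
                                Control("patch management", "likelihood", 1, 300)]),
        Risk("Public website", "public", "defacement", "medium", "low"),
    ]


if __name__ == "__main__":
    print(management_report(sample_register(), acceptable_level=3))
```

With an acceptable level of 3, only the core switch (residual score 4) is left above the line, which is exactly the kind of item the reporting structure should surface to management together with the total control spend; the residual floor of 1 per level encodes the point that risk is reduced, never eliminated.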

A well implemented information risk management approach should:

  • Support the organization in meeting its strategic objectives and not just be reduced to protecting IT assets
  • Assist senior management in performing their risk management duties
  • Act as a feedback mechanism to proactively highlight risks

Conclusion:
Effective information risk management programmes contribute directly to successful organisational outcomes and sustainability. To be effective, a risk management approach needs top management support, and that support also ensures that it returns value for money.



Measuring IT Security Effectiveness

May 29, 2010 16:44 by author nirav

In business and accounting, information technology controls (or IT controls) are specific activities performed by people or systems to ensure that business objectives are met. A good information security system should be implemented by subject matter experts in information security: people who understand risk as well as the importance of using the right internal and external controls, controls that not only protect data but also contribute towards meeting organizational objectives. To be effective, the information security policy being implemented also needs good management support. This is where the problem begins: many companies have chosen to set up an expensive information security system but do not always realize why, or how, they came to choose its implementation in the first place.

So why should a company measure the information security policy it has implemented? A few industry pointers are listed below:

• To show ongoing improvement,
• To show compliance (with standards, contracts, SLAs, OLAs, etc.),
• To justify any future expenditure (new security software, training, people),
• To identify where implemented controls are not effective in meeting their objectives, and
• To provide confidence to senior management and stakeholders that implemented controls are effective.

While on the topic, an organization should also highlight to its stakeholders the advantages of measuring the effectiveness of its security policies, which are:

• Proactive measurement tools can prevent problems arising at a later date (e.g. slow networks, denial of service, disk failures, etc.),
• Reduction of incidents,
• Staff motivation, and
• Visible evidence to auditors, and assurance to senior management.

Once an organization has defined the objective and realized that measuring the effectiveness of its security policies has advantages, the question arises: "What do I measure?"

Again industry best practices would suggest that you can break down the information security implementation into the following categories:

1. Management Controls:
These would typically include the security policy and procedures, IT policies, the corporate strategy for information security and awareness, business objectives, and management reviews.
2. Business Processes:
This would include conducting the actual risk assessment, the risk mitigation measures that will be implemented, the acceptable level of risk, and data retention and disposal measures.
3. Operational Controls:
This consists of the operational procedures for supporting the IT services being delivered. Hence processes like change, incident and availability management would be part of the operational controls.
4. Technical Controls:
These would typically consist of activities like firewall configuration, AV updates, patch management, content filtering, etc.

To measure the controls, organizations can also define KPIs for them, so that the controls can be mapped back to the organizational objectives.

Organizational security is often one of the first victims of a cost-cutting exercise. The most common logic is that although it costs money to implement an information security policy, the benefits are not very tangible, which makes it difficult to justify the cost incurred. However, organizations need to realize that the benefits of information security become visible only when a control fails, and when that happens the costs incurred may be too high. Hence the need to measure the controls implemented and present the benefits to all stakeholders. This helps them understand the many benefits that security can bring to the business, and how they can leverage a well implemented policy to drive the business and shape future organizational policies.



Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010
