Risk can be defined as the effect of uncertainty on objectives (whether positive or negative). Risk can also be defined as the negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. Risk management can therefore be considered as the identification, assessment, and prioritization of risks followed by either acceptance of the risks or a judicious use of resources to mitigate, monitor, and control the probability and/or impact of the. In today’s era technology is prone to attacks and hence every organization has the responsibility to have systems in place to protect their information for better support of their missions. Here risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk. IT risks can come from in the form of, leak of confidential information, failure of critical IT component, and attack by viruses, hacking spoofing etc. An effective risk management process is an important component of a successful IT security program. The goal of a risk management process should not just be to protect the IT assets of the company. It should also contribute to help meet the company objectives.
Therefore, the Risk Management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an important management function in the organization. Other considerations that an organization must keep in mind are:
- Information Risk Management approach must be aligned with organizational goals.
- It must be understood and supported across the top management of the organization.
- Regular reporting to management is essential to demonstrate the value provided by effective Information Risk Management practices.
Risk Management should ideally focus on the below aspects:
Risk Assessment - Risk Assessment would simply consist of identifying all information assets and classifying them under various groups. The threats that can attack an asset, the vulnerability of the asset to that threat and the probability of the threat inflicting harm on the asset have to be identified and analyzed to arrive at a risk score.
Defining acceptable levels of Risk - Considering the fact that risks can never be completely eliminated and that the implementation of all mitigating controls have a cost and bearing on operational efficiency, an acceptable level of risk should be defined
Mitigating Controls - Identify the mitigating controls corresponding to each threat for the assets that have been identified and implemented. These controls are to be monitored on a continuous basis to ensure protection.
Reporting Structure - Regular reporting should cover the balance between the level of risk the organisation faces, its acceptable level of risk, and the efforts and resources being put into reducing the risks. More importantly the reporting should highlight to all stakeholders the effectiveness of the risk management efforts at achieving the desired ends and meeting strategic objectives.
A well implemented information risk management approach should:
- Support the organization in meeting its strategic objectives and not just be reduced to protecting IT assets
- Assist senior management is performing their risk management duties
- Act as a feedback mechanism to proactively highlight risks
Conclusion:
Effective information risk management programmes contribute directly to successful organisational outcomes and sustainability. A risk management approach should have top management support in order to be effective and that will ensure that it returns value for money.