Where Is Your Risk Assessment?

One of the few analyses that are overlooked in most IT departments is a comprehensive risk assessment.

A risk assessment should identify, analyze, and weigh all the potential risks, threats and hazards to a company’s internal and external business environment. 

The process of identifying risks/threats, probability of occurrence, the vulnerability to each risk/threat and the potential impact that could be caused, is necessary to prepare preventative measures and create recovery strategies.  Risk identification provides a number of other advantages to a company including: 

  • Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
  • Identifies where preventative measures are lacking or need reevaluation
  • Can point out the importance of contingency planning to get staff and management on board
  • Will assist in documenting interdependencies and point out single points of failures

An effective risk management process is an important component of a company’s MIS department. The principal goal is to protect a company and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT, but as an essential management function of the organization.

Risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This assessment provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help a company better manage IT-related mission risks.

Don’t Be Afraid of IT Audits

In this economy there will be more emphasis placed on audits. If you are working for a financial firm then you probably have an internal audit group. You are also audit by an external audit firm, maybe the Fed, and if you are an international firm-foreign regulatory agencies. In some firms, this leads to an environment of constant audits.

If you are a large IT shop then it makes sense to form an audit team comprised of your various department heads to work with and answer questions from the auditors. Keep it small. It is important to speak with one voice. This team should consist of one or two business leaders. During an audit, there will be times when some type of risk will be discovered that will lead to process or management change that has the potential to affect business operations.

If you are a smaller shop, then this process will fall upon the senior IT person. Again, some representation from the business should be included.

It is important for IT to document everything: every process, every procedure, and every diagram. If you have not already done so, do it now. If is just good due diligence. Auditors love documentation. The more you give the more they love it. It also keeps them occupied. Most audits only last for a specific period of time. How can anyone come and look at every aspect of your network? And discover everything. If you are a good administrator then you know were your risks are and you have taken steps to mitigate or removed them from your environment. In these environments, auditors will find very little if anything. And when they do it will be minor and easily correctable.