The why and how of IT risk management.

Author: Schafer, Steven L.
Position: Cover story


Risk is the effect of uncertainty on objectives. Risk management is a discipline for systematically calling out those things that can go wrong (or unexpectedly right) and then deciding what, if anything, to do with that information.

All organizations engage in risk management to some degree. Buying insurance, doing a background check on a potential employee, and conducting a security assessment are all examples of risk-management activities. The question is whether to formalize the risk-management function. The potential benefits from the extra effort to elevate risk management within an organization include: improving overall management, financial performance, regulatory compliance, governance, and internal controls; enhancing the reputation of the organization; and reducing losses. (1)

While developing and implementing a risk-management program may not be part of the official job description for the finance officer, he or she should promote a structured approach to managing risk. Risks usually have a financial component, which makes them directly relevant to the responsibilities of the IT financial manager.


Some preliminary work will set the stage for an effective IT risk-management program. This includes gathering strategic plans and objectives, inventorying existing risk-management activities, and understanding the organization's risk appetite. It's important to document this information to inform future efforts.

Step 1: Choose a Risk-Management Framework. Like the columns and beams that hold a building together, a risk-management framework offers the conceptual infrastructure for creating and carrying out risk-management activities. Using an established framework provides easy access to information, publications, and a community of experts regarding processes. An established framework also increases the legitimacy of the risk-management initiative within an organization. Three frameworks that merit consideration are: "COBIT 5 for Risk," COSO's "Enterprise Risk Management," and ISO 31000 "Risk Management Principles and Guidelines."

As a practical matter, be prepared to borrow from all three, following the advice to adapt, not adopt. Integrating a framework with existing practices is essential; so is an iterative approach that builds on past efforts in manageable, incremental steps.

Step 2: Gather Strategic Plans and Objectives. An organization's strategic plan and the objectives it strives to achieve provide the context for its risk-management program. A solid understanding of strategic direction is essential to effective risk management. If a formal strategy does not exist, other documents might reflect goals and objectives. Places to look include annual reports, lists of major initiatives, budget documents, and even performance goals for employees. Statutes and ordinances for public agencies typically include a statement of purpose with a list of goals.

Step 3: Inventory Existing Risk-Management Activities. Taking stock of existing risk-management efforts within an organization avoids duplication and builds on existing support for risk management. This should include both the IT department and the whole enterprise. Places to look in the broader enterprise include the finance department, which understands and promotes internal controls to prevent fraud and accounting errors; the legal department, which is sensitive to potential legal issues; and the group that oversees the insurance program.

Most IT groups follow practices that fall into the general category of risk management. Backup routines, redundant systems, disaster recovery, and business continuity planning all address the risk of being dependent on technology and the opportunity of using technology to mitigate the impact of a disaster on business operations. Change-management routines protect against unplanned downtime stemming from modifications introduced in the technical environment by multiple entities within the organization. Personnel practices such as background checks, non-compete clauses, and confidentiality statements shore up some of an organization's vulnerabilities stemming from the people it employs. Project management uses project charters to protect against scope creep and careful tracking of progress to flag potential problems early. Security officers are now common in IT organizations, focusing more attention on cybersecurity. Testing saves time and resources by revealing problems when they are easier to fix and before they disrupt operations. Training helps maximize value by giving people the knowledge they need to make effective use of systems and procedures.

Step 4: Understand and Communicate Risk Appetite. Risk appetite is "the amount of risk an entity is prepared to accept when trying to achieve its objectives." (2) Risk appetite reflects the enterprise's capacity to absorb loss (e.g., financial loss or reputational damage) and management's predisposition toward risk taking (which ranges from cautious to aggressive). Articulating and communicating risk appetite helps everyone in the organization know what types of consequences are acceptable.

An organization can ask itself questions in the following areas: (3)

* Corporate values: What risks will the organization not accept?

* Strategy: What risks does the organization need to take?

* Stakeholders: What risks are stakeholders willing to bear, and to what level?

* Capacity: What potential consequences can the entity afford, within its resources?


Below are examples of risk appetite...