IT Governance – Risk Management

The third area of IT governance is risk management. This area will closely resemble the risk management we discussed in the enterprise risk management section. A vital aspect of risk management involves balancing the cost of risk reduction with the benefits gained from these costs. A company shouldn’t overspend on inconsequential risks or underspend on risks that could have damaging implications.

A business needs to establish its risk appetite regarding IT governance. How much risk is the company willing to take? Is it willing to spend less on IT and risk greater exposure to security breaches? Or would it prefer to invest more in minimizing its IT risks? An essential component of risk management involves questioning, “If this risk were to occur, how severe would the impact be, and what is the likelihood of its occurrence?” In simpler terms, what is the impact and probability of an adverse event?

Let’s consider a business that sells pet products online and handles a plethora of credit card information daily. One potential risk is unauthorized access to this credit card information, leading to fraudulent activity. This could result in customers losing trust in the business, potentially leading to lawsuits.

The business identifies the impact of potential risks: losing customers and facing lawsuits. But it also needs to determine the probability of this risk actually happening. If it trusts its credit card processing company, it may view it as a very low probability risk. Also, if the company has a high risk appetite and is comfortable facing the risks, it may choose not to invest any resources in mitigating the risk.

All this underscores that a business should consider its risk appetite, the potential impact of risks, and the likelihood of these risks occurring. Moreover, risk assessment cannot be a one-time process. We must continually ask, “Are there any new risks that we need to consider?”

Now, let’s consider potential risks in an IT environment. The first is the occurrence of a natural disaster. For example, a flood could destroy the data server room. In such an event, the company needs to have an effective disaster recovery plan to ensure the continuity of its operations as quickly as possible.

Next, there could be unintentional user errors where an individual uses a system and makes a mistake without any ill intention.

Another possibility is intentional misuse by a user, which might lead to fraudulent transactions.

What happens if someone gains unauthorized access to a system? What if an individual can access a system, but the necessary information is unavailable to them?

Moreover, consider the impact of an inefficient system leading to non-compliance. Because of system inefficiency, a company might not be adhering to its HIPAA medical requirements, for example. These are some common challenges that can arise in an IT environment.
