Things your boss wishes you knew about Information Technology Risk.

Information technology is an entirely new world, and it is so broad that it is almost impossible to know all of its facets in depth. Information technology is one of the branches of ICT; ICT covers digital media, telecommunications and information technology. Information technology has become a constant in everyday life, and almost every individual and organization is involved with it to some degree. To this end, the risks surrounding information technology are a growing area of concern. This article discusses information technology risk, its relevance, the types of information technology risk and how information technology risk is managed.

What is Information Technology Risk?

Let’s first explore what the term risk means. Risk, in simple terms, is a possible event that could cause loss or harm and hamper the ability to achieve set objectives, whether for an individual or for an organization. With that in mind, we can define information technology risk as a technology-related event that inhibits the achievement of set objectives.

There are myriad technology-related risks. It is safe to assume that the number of technology risks grows with the number of technology areas, and these risks grow daily as technology-related knowledge increases and research in the field advances. In this article we identify and discuss a few risk areas.

Organizations worldwide are heavily reliant on information technology to drive the core and ancillary parts of their business, as it enables them to remain relevant in a highly competitive industry (Gartner Forecasts Worldwide IT Spending to Reach $4 Trillion in 2021). While some organizations are more reliant on technology than others, depending on their size, form, structure, industry and maturity profile, the place of technology in our world today cannot be overemphasized. With this in view, it is imperative that organizations consider their level of technology adoption and underlying strategy, assess the corresponding risks and build systems of control to prevent, detect or correct them.

Below are examples of risks associated with technology:

  • System Integration Risk
  • Technology Architecture Risk
  • Operational Risk
  • Physical Security Risk
  • Third party Risk
  • Single Point of Failure

System Integration Risk: System integration refers to connecting different parts of a system, subsystems or entirely separate systems to achieve a goal that could not have been achieved by a single isolated system. Every interface between these systems is a point where data can be lost, duplicated, delayed or altered in transit, so integration poses real risks to the reliability and integrity of data flow between them, risks that, if not well controlled, can have a dire impact on the bottom line of the business.

Technology/Enterprise Architecture Risk: This considers the entire span of the technology environment, identifying every technology-enabled element (applications, servers, machines, services and so on) in order to evaluate, from a unified perspective, the overall risk the organization carries and to treat it accordingly. Without such an inventory, risks that only appear in the interaction between components, such as one component that many others silently depend on, are easily missed.

Operational Risk: The Basel Committee defines operational risk as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” This is a serious risk for organizations, as to a certain extent it determines the continuity of the business.

Physical Security Risk: This is a major risk that considers the environmental and physical access controls (such as CCTV, mantrap doors, biometric-enabled doors and physical identity verification, amongst others) implemented to protect the data centre, switch room and the other critical facilities that house the organization’s digital assets.

Third-party Risk: This risk type, also called vendor risk in some fora, factors in parties external to the organization or its technology environment and the possible impact they might have on the operations and continuity of the business.

Single Point of Failure (SPOF): This refers to a component in the design or implementation of a system whose failure, on its own, brings the whole system down, with colossal effects on the business. In a fast-paced, innovative environment that is largely technology driven, SPOF is a risk businesses are always wary of, as when it crystallizes it leads to other risk types such as reputational risk and operational risk.
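The practical way to find single points of failure is to model the architecture inventory from the enterprise architecture view as a dependency graph and then simulate failures against it. The script below is an added example written for this article, not code from the original post; the sample architecture (a load balancer, two application nodes, a primary and replica database on one SAN, and a shared cache) is constructed, and the modelling rule is an assumption: each component lists requirement groups, and it stays up only if it is not itself failed and at least one alternative in every group is still up.

```python
"""Finding single points of failure in a service dependency model.

Added example, not code from the original article. The architecture below
is a constructed sample, and the modelling rule is an assumption: each
component lists requirement groups, and it stays up only if it is not
itself failed and at least one alternative in every group is up.
"""
from itertools import combinations


# Constructed sample: "web-frontend" needs "lb"; "lb" needs app-1 OR app-2; and so on.
DEPENDENCIES = {
    "web-frontend": [{"lb"}],
    "lb": [{"app-1", "app-2"}],                      # either app node will do
    "app-1": [{"db-primary", "db-replica"}, {"cache"}],
    "app-2": [{"db-primary", "db-replica"}, {"cache"}],
    "db-primary": [{"san"}],                         # both databases sit on one SAN
    "db-replica": [{"san"}],
    "cache": [],
    "san": [],
}


def all_components(deps):
    """Every name that appears anywhere in the model, as a set."""
    names = set(deps)
    for groups in deps.values():
        for group in groups:
            names |= set(group)
    return names


def is_up(service, failed, deps):
    """True if `service` can still function with every component in `failed` down.

    Walks the model depth-first, memoising the result per node, and refuses
    to evaluate a model that contains a dependency cycle.
    """
    memo = {}

    def walk(node, stack):
        if node in failed:
            return False
        if node in memo:
            return memo[node]
        if node in stack:
            raise ValueError(f"dependency cycle through {node!r}")
        stack.add(node)
        # AND over requirement groups, OR over the alternatives inside a group
        up = all(any(walk(alt, stack) for alt in group)
                 for group in deps.get(node, []))
        stack.remove(node)
        memo[node] = up
        return up

    return walk(service, set())


def single_points_of_failure(service, deps):
    """Components whose failure, on its own, takes `service` down."""
    candidates = all_components(deps) - {service}
    return sorted(c for c in candidates if not is_up(service, {c}, deps))


def minimal_failure_sets(service, deps, max_size=2):
    """Smallest combinations of up to `max_size` components that take `service` down.

    Size-1 results are the SPOFs. Size-2 results expose the redundant pairs
    whose simultaneous loss (a shared rack, a bad rollout to both nodes) is
    the remaining exposure. Supersets of a set already found are skipped.
    """
    candidates = sorted(all_components(deps) - {service})
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidates, size):
            if any(set(prior) <= set(combo) for prior in found):
                continue
            if not is_up(service, set(combo), deps):
                found.append(combo)
    return found


if __name__ == "__main__":
    print("SPOFs:", single_points_of_failure("web-frontend", DEPENDENCIES))
    print("minimal failure sets:", minimal_failure_sets("web-frontend", DEPENDENCIES))
```

On the sample model the SPOFs are the load balancer, the shared cache and the SAN: the two application nodes and the two databases look redundant on a diagram, yet both database nodes depend on one storage array, which is exactly the kind of hidden dependency an architecture-wide inventory is meant to surface. The size-2 sets then show which redundant pairs still deserve a shared-fate review.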

We have touched on some risk types, but describing these risks is not sufficient if we do not also explore the ways they can be managed. Basically, to manage risk, organizations adopt a combination of policies, processes and procedures to ensure that the possibility of loss is reduced, managed, avoided, accepted or eliminated.

Below are the six steps of the risk management process:

  1. Risk Identification
  2. Risk Analysis
  3. Risk Prioritization
  4. Risk Assignment
  5. Risk Response
  6. Risk Monitoring 

Risk Identification: This is the first step in the risk management process. To treat a risk, it must first be identified, as controls cannot be proposed without a corresponding risk.

Risk Analysis: Once a risk has been identified, subject matter experts should consider the likelihood that each identified risk will occur and its corresponding impact on the business. The output of this stage is recorded in the organization’s risk register.

Risk Prioritization: Risk prioritization considers the severity of the risks in question and classifies them based on factors such as similarity, the remediation effort required and the financial implications for the business.

Risk Assignment: To ease management, each risk is assigned to a specific person or business unit, who becomes responsible for the resolution or closure of that risk.

Risk Response: A mitigation strategy must be put in place for every identified risk, in order of priority. There are four basic ways to manage or mitigate a risk:

  • Risk avoidance: used when the organization decides to steer clear of the risk altogether, e.g. deciding not to buy a piece of software because it has a history of known vulnerabilities.
  • Risk acceptance: employed when the organization takes no further action to reduce the identified risk, because it is willing to bear the impact.
  • Risk mitigation: putting systems of control in place that reduce the likelihood or the impact of the risk.
  • Risk transfer: acknowledging that the risk exists and shifting its financial impact to another party, such as an insurance company. Transfer moves the financial consequences, not the accountability: the organization still answers for the outcome.

Risk Monitoring: This is a continuous process that ensures all identified risks are closely monitored for changes and that any changes are addressed promptly.
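The six steps above become concrete once they are written down as a risk register. The script below is an added example, not code from the original article: it walks a constructed register through analysis, prioritization, assignment, response and monitoring. Everything numeric is an assumption made for illustration: the entries, the owner mapping, the appetite threshold, and the decision rule that picks a response by comparing annualized loss expectancy (ALE = SLE × ARO) against the cost of each candidate control or insurance premium.

```python
"""A minimal IT risk register that walks the six steps above.

Added example, not code from the original article. The scales, the
appetite threshold, the decision rule for choosing a response (based on
annualized loss expectancy, ALE = SLE x ARO) and every register entry
below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    annual_cost: float     # yearly cost of running the control
    residual_aro: float    # annual rate of occurrence once the control is in place
    residual_sle: float    # single loss expectancy once the control is in place


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str                               # drives assignment (step 4)
    sle: float                                  # single loss expectancy, currency units
    aro: float                                  # annual rate of occurrence (0.25 = once in 4 years)
    candidate_controls: List[Control] = field(default_factory=list)
    insurance_premium: Optional[float] = None   # yearly premium if transfer is an option
    review_by: Optional[date] = None            # next scheduled review (step 6)
    owner: str = "unassigned"
    response: str = "undecided"
    chosen_control: Optional[Control] = None


def ale(sle: float, aro: float) -> float:
    """Step 2, risk analysis: annualized loss expectancy."""
    return sle * aro


def inherent_ale(r: Risk) -> float:
    return ale(r.sle, r.aro)


def residual_ale(r: Risk) -> float:
    """Loss expectancy after the chosen control, or inherent if none was chosen."""
    c = r.chosen_control
    return ale(c.residual_sle, c.residual_aro) if c else inherent_ale(r)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Step 3: highest expected annual loss first; ties broken by id for determinism."""
    return sorted(register, key=lambda r: (-inherent_ale(r), r.risk_id))


def assign(register: List[Risk], owners: Dict[str, str], default: str) -> None:
    """Step 4: every risk gets a named owner; unmapped categories fall to `default`."""
    for r in register:
        r.owner = owners.get(r.category, default)


def choose_response(r: Risk, appetite: float) -> str:
    """Step 5. Assumed decision rule, not from the article:
    accept if inherent ALE is within appetite; otherwise mitigate with the
    control that saves the most after its own cost, if any saves money;
    otherwise transfer if insurance is cheaper than the loss it covers;
    otherwise flag the risk for avoidance as a management decision."""
    loss = inherent_ale(r)
    if loss <= appetite:
        r.response = "accept"
        return r.response
    best, best_net = None, 0.0
    for c in r.candidate_controls:
        net = loss - ale(c.residual_sle, c.residual_aro) - c.annual_cost
        if net > best_net:
            best, best_net = c, net
    if best is not None:
        r.chosen_control, r.response = best, "mitigate"
    elif r.insurance_premium is not None and r.insurance_premium < loss:
        r.response = "transfer"
    else:
        r.response = "avoid"
    return r.response


def overdue(register: List[Risk], today: date) -> List[str]:
    """Step 6, monitoring: ids of risks whose scheduled review date has passed."""
    return [r.risk_id for r in register if r.review_by and r.review_by < today]


# Step 1, identification: constructed sample entries, not real findings.
REGISTER = [
    Risk("R1", "Single SAN behind both database nodes", "infrastructure",
         sle=500_000, aro=0.25,
         candidate_controls=[Control("second SAN with replication", 40_000, 0.25, 20_000)],
         review_by=date(2024, 1, 31)),
    Risk("R2", "Payroll vendor outage delays the salary run", "third-party",
         sle=30_000, aro=0.5, insurance_premium=9_000,
         candidate_controls=[Control("manual fallback process", 25_000, 0.5, 15_000)],
         review_by=date(2024, 6, 30)),
    Risk("R3", "Tailgating into the switch room", "physical",
         sle=2_000, aro=1.0,
         candidate_controls=[Control("mantrap door", 12_000, 0.1, 2_000)]),
]
OWNERS = {"infrastructure": "Head of Infrastructure", "third-party": "Procurement Lead"}
AS_OF = date(2024, 3, 1)   # constructed date of this review cycle


def run(register: List[Risk], appetite: float = 5_000) -> List[Tuple[str, str, str]]:
    """Execute steps 3 to 5 and return (id, owner, response) in priority order."""
    ordered = prioritize(register)
    assign(ordered, OWNERS, default="CISO")
    return [(r.risk_id, r.owner, choose_response(r, appetite)) for r in ordered]


if __name__ == "__main__":
    for row in run(REGISTER):
        print(row)
    print("overdue reviews:", overdue(REGISTER, AS_OF))
```

Two points worth noticing in the output. The SAN risk is mitigated because the second array pays for itself against the expected loss, while the payroll vendor risk is transferred because the only available control costs more than the loss it prevents; the numbers, not the severity label, drive that choice. The numeric rule only recommends a response; the assigned owner still has to accept it, and the overdue list is what keeps step 6 from being forgotten once the register is filed.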

That’s it for now, guys; I hope it was an educative read.
