Ensuring business continuity with a sustainable risk management process  

Due to the increasing pace of business change, risks are prone to modification as often as IT systems. IT risk management should not be a one-off project, but a continuous process targeting constantly changing IT risk and business environments, monitoring the risks and adjusting the risk management strategy accordingly.

With effective IT risk management processes in place, IT organizations are able to manage IT’s integrity with regard to applications, projects, data, systems, and employees to ensure business continuity. An additional benefit of IT risk management is that it improves operational performance by helping understand IT operational risk so you can implement mitigation measures. Thus the number of incidents can be lowered, fostering greater business satisfaction. Another reason for wanting to establish a continuous IT risk management process is compliance—the consistent enforcement of and compliance with standards and regulations, such as SOX, Dodd-Frank and data protection laws.

IT risk management comprises the inventorization and prioritization of applications to identify possible risks, the assessment of the risks identified and, of course, their mitigation in order to reduce the overall threat to the enterprise.

Read on to find out more about Software AG’s recommended approach to IT risk management and how it is supported by Alfabet for enterprise architecture, IT planning and portfolio management.  

The objective of this phase is to prepare a detailed listing of all applications as preparation for setting the scope of the risk assessment. This phase also includes description of the interdependencies between the business, applications and the infrastructure in order to establish a comprehensive inventory that can be re-used for future assessments.

When creating the inventory, it is important to keep the actual need for risk assessment in mind to avoid an unnecessarily large scope. Decide on the reach of the assessment (for example, company-wide, region-wide, organizational or domain-wide) and whether to apply quantitative or qualitative criteria for choosing which applications belong in the inventory for risk assessment. A quantitative assessment calculates different risk factors to understand how these contribute to an overall risk value. A qualitative assessment is more descriptive but in most cases sufficient to identify risk areas that need attention.

Roles:

• IT Compliance Manager, CISO

Activities:

• Inventorize applications, services, technologies, business capabilities and their relationships to each other
• Define metrics and aggregation rules

Deliverables:

• Documented IT scope for risk assessment

Best-practice recommendations:

• Define ownership and responsibility for the application information
• Define roles for quality control and escalation of issues
• Document roles in the IT inventory for transparency and to anchor governance
• Use workflows and wizards to support automation of inventory management and ensure high quality data
• Integrate to primary sources as available  

IT risk assessment is commonly carried out by multiple stakeholders and involves many objects—applications, processes, technologies, services—and a variety of risks that are to be assessed. Thus a clear focus should be set on only the relevant objects. This should be done in two phases.

First, identify the most risk-relevant applications—those which are most important to protect—and make them first priority. These will be applications that support business-critical capabilities or are subject to compliance regulations.

Second, perform a detailed risk and mitigation survey. The survey is to fine-tune the reasoning for an application being risk-relevant. This process and follow-up analyses can be automated by using workflows, calculation routines and reporting tools, thus making it less costly in terms of labor. The answers, for example, “major breach of law” for regulatory risk, can then be mapped to metrics reflecting the type of violation, such as confidentiality, integrity or availability. These metrics are then added up to provide a risk-relevance score for the application scope.

Decide on the reach of the assessment (for example, company-wide, region-wide, organizational or domain-wide) and whether to apply quantitative or qualitative criteria for choosing which applications belong in the inventory for risk assessment. A quantitative assessment calculates different risk factors to understand how these contribute to an overall risk value. A qualitative assessment is more descriptive but in most cases sufficient to identify risk areas that need attention.

Roles:

• IT Compliance Manager, CISO

Activities:

• Define questions and mappings to metrics
• Survey application owners
• Decide on prioritization

Deliverables:

• List of applications for risk assessment

Best-practice recommendations:

• Be pragmatic—pursue a qualitative approach directed at relevant stakeholders
• Use only a compact set of questions with simple answers
• Map the answers to numeric values for easier analysis

Assessing the risks to applications aims at understanding the risks an application is subject to and analyzing the relevant risk’s damage potential in order to be able to suggest and evaluate possible mitigations.

Risk catalogs support consistent risk assessment by providing sample categories for risks and sample risks in these categories (for example, willful act > manipulation of data or data theft). In the course of the assessment, each risk is assessed as to its probability and damage potential. Inventorizing possible mitigations for the risks in the catalog supports the standardization of the mitigation strategy and reduces the effort in risk assessments. When assessing the risk for an application, it is important to document the relevant mitigation and to what extent the proposed mitigation will change the risk’s probability and damage values in order to be able to identify the most effective mitigations.

Roles:

• IT Compliance Manager, CISO

Activities:

• Catalog risks
• Assess probability
• Assess potential damage
• Suggest mitigation and assess change to risk

Deliverables:

• Application risk portfolio

Best-practice recommendations:

• Use a risk catalog to standardize risks and their mitigations
• Use multiple-choice questions and simple answers for comparability, for example, risk: none, low, medium, high, very-high; damage: $3 million

Once identified and assessed, risks can be mitigated by initiating a project to support changes, or by implementing a control system in order to regularly check and ensure that all tasks are fulfilled appropriately.
Typically, internal control systems are a set of controls implemented to ensure that risk mitigations are performed according to plan. For example, if there is a risk of a system failure, a possible mitigation strategy is to provide a back-up instance of the system. Controls for this mitigation strategy could regularly check whether back-ups are made (for example, monthly), whether the restore procedure is documented (for example, yearly), and whether the restore procedure is tested (for example, bi-annually). Automating such control assessments delivers a substantial savings potential for the enterprise as it makes the process repeatable and also provides a basis for external and internal control audits, for example, as required by SOX. And finally, risk mitigation systematically reduces the extent of exposure to a risk and its probability.

Roles:

• IT Compliance Manager, CISO

Activities:

• Propose mitigation projects
• Propose controls

Deliverables:

• Reduced risk
• Documented controls

Best-practice recommendations:

• Formulate controls as questions
• Structure controls to address specific compliance topics
• Re-use controls to reduce effort

As IT tries to keep pace with the acceleration of the business environment, IT managers have to find that delicate balance between performance and risk. They need greater insight into their organization’s risk exposure to be able to understand what IT systems carry risk, what the implications of the risk are, and what kind of mitigation measures are needed.

Every company in every industry will have some risk management process in place. But what they need to be asking themselves is: Are the processes and tools we are using really helping to identify all of the risks the company is facing? Because in IT risk management it’s clear: What you don’t know WILL hurt you. A risk management program needs to ensure that:

ALL IT assets are being considered:

• “Invisible” assets relating to risk-loaded assets are identified
  
• Risk surveys are executed time- and cost-efficiently
  
• Resources for assessing risks and mitigation efforts are only used on assets that are truly critical
  
• Mitigation plans are actionable, effective and published
  
• Decisions to accept certain risks are communicated to senior management
  
• Risk management processes are repeatable and sustainable
  

Alfabet puts a best-practice methodology into your hands that will improve your company’s risk posture by identifying:

• Which projects and applications are risk-relevant
  
• What risks these projects and applications actually pose
  
• How risks can be effectively mitigated
  
• Which mitigations have not been implemented

Alfabet’s proven technology platform enables you to:

• Capture the assets to be evaluated
  
• Understand the structure and relationships of the assets
  
• Employ collaboration technology to ensure timely survey participation
  
• Automatically translate survey results into risk-relevance values
  
• Create reports for easy understanding and communication of the risk portfolio
  
• Know when, where and how to start mitigation 
  

Using Alfabet for a sustainable IT risk management program will reduce the chance of risk event loss and provide a basis for a cost-effective and sustainable risk management program.