Enterprise IT Risk Assessment: Streamline Risk Identification and Conduct Better Assessments, Faster

According to a Ponemon Institute study, about 76% of enterprises lack a clearly defined IT risk management strategy. As shocking as this might seem, it’s not all that surprising.

We’ve put together this article to help you master the art of the enterprise IT risk assessment. It comes from years of experience running internal audits and risk management programs at enterprise businesses just like yours.

The process shouldn’t be so complicated. But it is. And the stakes are high. After all, one oversight and you could miss a risk that impacts your business. Nobody wants that. Which is why we’re here to help.

Read this article and learn how to:

  • Get executive buy-in by tying your risk assessment to real business objectives
  • Save time by focusing on risks that could actually impact your business
  • Conduct a top-down assessment, with a step-by-step guide written by experts who have over 100 combined years of experience in risk management

Content Summary

Introduction
Chapter 1: The IT Risk Assessment Process
Chapter 2: Establishing Your Risk Criteria
Chapter 3: Defining Your Project Scope
Chapter 4: Identifying Your Risks
Chapter 5: Assessing Your Risks
Conclusion

Risk management is a culture, not a cult. It only works if everyone lives it, not if it’s practiced by a few high priests. – Tom Wilson, Chief Risk Officer, Allianz

Introduction

About 76% of enterprises lack a clearly defined IT risk management strategy.

As shocking as this might seem, it’s not all that surprising. We talk to a lot of enterprises and while many do have a formalized IT risk management program, it’s often ad hoc, not optimized.

If you’re a CIO or have a senior role on your organization’s IT team, this probably doesn’t come as too much of a surprise to you. You understand just how challenging it can be to get your executive team bought into your risk management program.

As a result, there’s a good chance you’re carrying the burden of managing IT risk alone. Instead of being proactive, you might find yourself being reactive, assessing risks based on instinct and addressing them on an as-needed basis. When one functional group is fully accountable for risk, this can happen. That’s why organizational buy-in is so critical. It ensures your risk management strategy gets the support it needs and enables you to be proactive.

Our Labs team, which has over a hundred years of combined experience in security and compliance, put together this guide to help you master the art of the enterprise IT risk assessment. It comes from years of experience running internal audits and risk management programs at enterprise businesses just like yours. It’s a methodology we’ve used to build our software. And it informs how we run our own risk assessments.

In this guide, you’ll learn how to streamline your risk assessment process using a top-down approach. We’ll show you how to get executive buy-in and create a more effective risk management practice across your team and organization. There are many ways to conduct a risk assessment and many different methodologies. We have taken a pragmatic but responsible approach.

Keeping all of this in mind, let’s get started.

The bottom-up approach

The bottom-up, or asset-based, approach requires a list of every asset in your organization. You review each asset individually to determine threats, vulnerabilities and the effectiveness of existing controls. This approach is thorough but also time consuming and difficult to maintain. And it isn’t as effective at quantifying risks associated with intangible assets like information, processes or people. Beyond that, it can be hard to share results with executives across your organization, given how granular they are.

The top-down approach

By conducting a risk assessment that’s aligned to your organization’s strategic objectives, you can focus on what really matters to your business. This pragmatic approach ensures you apply resources efficiently. Plus, it’s scalable, making it ideal for enterprises. Finally, with an objective-based approach, you can identify non-technical risks that might impact your business, like information, processes or people. To be clear, this is the approach we’ll be taking in this guide.

Chapter 1: The IT Risk Assessment Process

Okay, now for an overview of the risk assessment process. All risk assessments follow the same general formula: establish your risk criteria, define the project scope, identify risks, then assess them. Pretty straightforward, right?

All of this should look familiar to you. We’re going to tackle each step in this journey, focusing on its objectives, common hurdles and techniques for overcoming them. The aim is to make the process more efficient for you and your team.

To be clear, we won’t be covering risk treatment in depth, since it typically comes after you’ve conducted your risk assessment. That said, we’ll briefly touch on the treatment options at the end of Chapter 5.

Step 1: Establish Risk Criteria

Step 2: Define Project Scope

Step 3: Identify Risks

Step 4: Assess Risks

Chapter 2: Establishing Your Risk Criteria

Risk assessment criteria outline events inside your organization that will require a risk assessment. They provide guidance to stakeholders and ensure risk assessments are conducted when they should be.

These events can vary, depending on your business. That said, we’ve compiled a pretty exhaustive list, covering most of the situations that would trigger an IT risk assessment. You’ll find it below under “Risk assessment triggers”.

You probably have a list of criteria that looks a lot like that one. But if that list hasn’t been socialized with your executive team, there’s a pretty good chance your program won’t be as effective at managing your risks. Which is a problem.

So anything you can do to educate stakeholders is key. And that doesn’t just mean outlining your criteria and making them accessible. It means tying the risk assessment and your larger risk management program to actual business outcomes.

That way, individual stakeholders can understand exactly how your program enables them to meet their own business goals.

Naturally, this is easier said than done. It requires an in-depth understanding of each business function and the KPIs they’re accountable for. That said, if there’s anyone who’s equipped for the job, it’s you.

Risk assessment triggers

  • The initial establishment of a risk management program
  • A periodic refresh of a risk management program
  • The start of a new project
  • A merger, acquisition, divestiture or major restructuring
  • Before new processes or activities are introduced
  • Before significant changes are introduced to existing processes, activities or products
  • For any changes in legislation, regulations or contractual obligations
  • For any changes in the business model or organizational structure
  • For any changes in suppliers
  • For any major technological changes
  • Following an incident that has significantly impacted the organization and its customers
  • Following results from internal audit activities (if required)

Chapter 3: Defining Your Project Scope

When one of the triggering events noted in the previous chapter happens, it’s time to conduct a risk assessment.

With your risk criteria already established, the first step of the assessment itself is…

Defining your project scope.

The whole point of a scope is to identify how an event might impact your business’s security objectives, like protecting customer data against threats and vulnerabilities. Most people reading this will have defined their business security objectives already. But if you haven’t, you can get a better understanding of which objectives apply to you by doing the following:

  • Interviewing management, data owners and other employees
  • Analyzing your systems and infrastructure
  • Reviewing documentation across different functional areas

Once you’ve determined which objectives are in scope for your assessment, you can begin to identify your risks.

Your strategic objectives ensure your organization’s long-term success. Outlining these objectives can be difficult, which is why our risk experts have put together a list to help you out.

Customer objectives:

  • Ensure customer success and communication
  • Maintain integrity of customer data and information
  • Meet contractual obligations and customer commitments

Governance objectives:

  • Identify and mitigate risks that threaten the achievement of security objectives
  • Identify and resolve incidents that threaten the achievement of security objectives
  • Leadership commitment to achieving security objectives

People objectives:

  • Attract, encourage and retain key talent
  • Embed corporate ethics, diversity and inclusion into organizational culture
  • Meet security commitments

Regulatory objectives:

  • Maintain data privacy commitments
  • Maintain compliance with legal, contractual and regulatory requirements
  • Maintain compliance with payment card standards

Resilience objectives:

  • Maintain capacity and performance management
  • Maintain continuity of information and services

Technology objectives:

  • Establish and maintain a monitoring system
  • Maintain security or confidentiality of information and systems
  • Ensure new developments and changes to existing systems align with security objectives

Vendor management objectives:

  • Ensure vendor’s compliance with contractual obligations
  • Ensure vendor onboarding and offboarding are aligned with company’s security objectives

To be clear, the strategic objectives included here might not all apply to your project. You might even have some of your own. By all means, feel free to add them to the list we provided under the appropriate category. And feel free to add new categories if you need them.

Remember, the catalyst for the risk assessment is a specific event. Any of the objectives above that apply to that event should be used as a point of entry into understanding your total risk profile.

Did you know?

Boards only devote about 9% of their meeting time to risk management.

Nearly 60% of executives consider cyber a top five risk, if not the first.

Chapter 4: Identifying Your Risks

The 7 Risk Categories

  1. Customer: Inadequate customer service and relationship management poses various risks, including insufficient privacy and protection of customers’ personal data, increased customer churn rates, low customer satisfaction and contract risk. These risks directly affect your organization’s operational efficiency, reputation and profitability.
  2. Governance: Weaknesses in corporate governance practices expose an organization to legal, regulatory and reputational risks, among others.
  3. People: People are the most valuable asset in any business, but they’re also the most vulnerable. Employees must follow your organization’s procedures, practices and rules to avoid impacting the business’s performance and reputation. This risk directly affects your culture, reputation, operational efficiency and profitability.
  4. Regulatory: Failure to comply with legal and contractual requirements can increase financial, reputational and operational risks.
  5. Resilience: Business resilience is the ability to adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and company reputation. Having a strong business continuity plan in place is critical to avoid financial and reputational risks.
  6. Technology: Technology risks include hardware and software failure, human error, spam, viruses and malicious attacks, as well as natural disasters. Poor technology risk management can lead to operational, financial and regulatory risks.
  7. Vendor Management: It’s essential that your organization manages and remediates risks associated with third-party products and services. The goal of vendor risk management is to reduce the likelihood of data breaches, costly operational failures, vendor bankruptcy and to meet regulatory requirements.

Once you’ve listed the risk categories in the first column, use the next column to outline the strategic objectives that are in scope and that correspond to each category. Again, feel free to repurpose the list of strategic objectives from the previous chapter.

Finally, in the last column, write down specific risk events. These are what you’ll be managing. The intention here isn’t to be exhaustive. Instead, it’s to provide prompts. And remember, they should be relevant to your strategic objectives. So, for example, if one of your strategic objectives is to ensure customer success and communication, a risk could be the lack of a customer support tool for reporting issues.

  • Risk Category: High-level taxonomy of IT risks.
  • Strategic Objectives: The intended business outcome of your risk management program.
  • Risks: Specific risk events, i.e. the threats and vulnerabilities that could prevent an objective from being met.

When you have your prompt ready, it’s time to conduct a risk workshop.

In-Person Risk Workshop

First, ensure one person is running your risk meeting and facilitating conversation with your group. Start with your first risk category and corresponding objectives. Write them on a whiteboard for your team to see. Brainstorm risk events and be exhaustive. But stick to realistic and relevant events. Typically, each objective warrants an hour of time. Once the team has worked through each strategic objective in a category, take a picture of your work and move on to the next category.

Virtual Risk Workshop

In a remote setting, you’ll be using a video-conferencing tool and a shareable spreadsheet or document to work through your risk events.

Risk workshops can be time consuming. If you already have a mature program, they can take anywhere from 3-5 days to complete. If you’re building out your program for the first time or giving it an overhaul, they can take even longer. That’s why it’s so important to stay organized and efficient.

Once you’ve gathered data from the workshop, it’s time to consolidate it into a risk register. A risk register includes all relevant risk events. With all risks identified in a register, it’s time to carry out an assessment, the final step in the process.

Did you know?

Prioritize your risks, choose the right treatment option and assign risk owners to ensure mitigation. Tugboat Logic gives you an in-depth look into your risk management program in real time, so you can proactively address gaps and stay secure.

Chapter 5: Assessing Your Risks

The goal of this step is to assess your inherent risk level by evaluating the likelihood and impact of a risk event if it were to occur in the absence of controls.

The outcome of this exercise is a prioritized list of risks from most to least urgent. Not all risks are equal. In fact, some aren’t even worth addressing. By assessing inherent risk, you can focus on critical risks and ensure you’re optimizing for the best possible outcome.

Evaluation Criteria: When evaluating risks, it’s important that everyone across your organization applies the same methodology. Otherwise, you could end up with inconsistent results. Whether you choose a three-level, four-level or five-level rating system—it doesn’t matter, just as long as you’re consistent. The same goes for how you measure impact and likelihood of risks.

Risk rankings based on selected evaluation level

Impact: Organizations typically define impact across a number of different dimensions, as illustrated below. Certain risks may impact an organization financially while others may have a greater impact on reputation or operations. Always assign the impact rating from the dimension where the risk has the greatest potential impact.

Operational Impact:

  • Low: Minor issues requiring action but not affecting customers’ ability to use the product
  • Medium: Stability or minor customer-impacting issues that require immediate attention from service owners
  • High: Critical system issues actively impacting customers’ ability to use the product

Financial Impact:

  • Low: Minimal financial impact
  • Medium: Considerable financial impact
  • High: Significant financial impact

Reputational Impact:

  • Low: Local reputational damage
  • Medium: National long-term negative publicity
  • High: International long-term negative publicity

Likelihood: Likelihood represents the possibility of a given event occurring. Similar to impact, organizations can customize their likelihood definitions. Sometimes enterprises describe likelihood in more personal and qualitative terms such as “event expected to occur several times over the course of a career” or “event not expected to occur over the course of a career.”

Low: Expected to occur on a rare basis

Medium: Expected to occur occasionally

High: Expected to occur often

Risk Rating: A risk rating (RR) is the product of the impact value and the likelihood value (i.e. probability of occurrence) assigned to an identified IT or security risk.

So, Risk rating = Impact value × Likelihood value

Once you’ve spent a couple of minutes assessing each risk in your register, you’ll end up with a prioritized list. Now, it’s time to decide how you’d like to respond to each risk, top to bottom.

Risk treatment recommendations are a critical part of risk assessment. They ensure your organization has developed a plan for addressing risks without creating any new ones.

We recommend applying the necessary risk treatment to any identified risk with a rating of medium or above. The following are the risk treatment options available to your team.

Here, the objective is simple: To determine how you’ll respond to your risks. If your organization has zero tolerance for a risk, then you may choose to avoid it. If the risk exceeds your organization’s risk appetite, you may mitigate it to bring it within acceptable limits. Another option for responding to a risk is to transfer it to another party. Finally, you may choose to accept the risk if the cost of mitigation is higher than the damage itself.

Risk treatment options:

  • Accept: To acknowledge the risk but decide that any actions to avoid or mitigate it would be too costly or time-consuming.
  • Transfer: To take action by transferring the risk to another entity (e.g. an insurance company).
  • Mitigate: To take actions that will minimize the potential impact of a risk by implementing mitigating controls.
  • Avoid: To take actions that will eliminate the risk in its entirety.
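To tie Chapter 4 and Chapter 5 together, here is a small risk register in Python that carries the three columns from the identification step (category, strategic objective, risk event), rates each risk as impact × likelihood on the three-level scale, takes the impact from whichever dimension is worst, sorts the register from most to least urgent, and flags everything rated medium or above for treatment. This is an added example, not Tugboat Logic’s code. Two things are assumptions not stated on the page: the numeric mapping Low/Medium/High = 1/2/3, and the banding of the 1–9 product back onto Low (1–2), Medium (3–4) and High (6–9), which is a common 3×3 matrix convention. The sample risk events are constructed for illustration; the first one is the page’s own customer-support example.

```python
"""Minimal IT risk register: identification columns plus inherent-risk rating.

Added example, not the page's code. ASSUMPTIONS (not from the page):
  * Low/Medium/High map to 1/2/3 for both impact and likelihood.
  * The 1..9 product is banded as 1-2 Low, 3-4 Medium, 6-9 High.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # assumed numeric scale
TREATMENT_THRESHOLD = "Medium"               # page: treat medium and above


def level_value(name: str) -> int:
    """Map a scale label to its number; reject anything off the agreed scale.

    Everyone must rate on the same scale, so an unknown label is an error
    rather than a silent default.
    """
    try:
        return LEVEL[name]
    except KeyError:
        raise ValueError(f"{name!r} is not on the Low/Medium/High scale") from None


def rating_band(score: int) -> str:
    """Assumed banding of the impact x likelihood product (1..9)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    category: str     # one of the seven risk categories
    objective: str    # in-scope strategic objective the event threatens
    event: str        # the specific risk event from the workshop
    likelihood: str   # Low / Medium / High
    impact: dict      # per dimension, e.g. {"operational": "High", "financial": "Low"}

    def impact_level(self) -> str:
        """Rate the risk where its potential impact is greatest (page guidance)."""
        if not self.impact:
            raise ValueError(f"{self.event!r} has no impact rating")
        return max(self.impact.values(), key=level_value)

    def score(self) -> int:
        return level_value(self.impact_level()) * level_value(self.likelihood)

    def band(self) -> str:
        return rating_band(self.score())

    def needs_treatment(self) -> bool:
        return level_value(self.band()) >= level_value(TREATMENT_THRESHOLD)


def prioritize(register):
    """Most to least urgent; ties broken by impact so high-impact risks sort first."""
    return sorted(register,
                  key=lambda r: (r.score(), level_value(r.impact_level())),
                  reverse=True)


def assess(register):
    """Return (event, score, band, needs_treatment) rows in priority order."""
    return [(r.event, r.score(), r.band(), r.needs_treatment())
            for r in prioritize(register)]


def sample_register():
    """Constructed sample data, not a real register."""
    return [
        Risk("Customer", "Ensure customer success and communication",
             "No customer support tool to report issues",
             "Medium", {"operational": "Medium", "reputational": "Medium"}),
        Risk("Technology", "Maintain security or confidentiality of information and systems",
             "Malware outbreak on production systems",
             "Low", {"operational": "High", "financial": "High", "reputational": "Medium"}),
        Risk("Vendor Management", "Ensure vendor's compliance with contractual obligations",
             "Critical vendor misses contractual SLA",
             "High", {"operational": "High"}),
        Risk("People", "Attract, encourage and retain key talent",
             "Key engineer leaves with undocumented knowledge",
             "Medium", {"operational": "Low", "financial": "Low"}),
    ]


if __name__ == "__main__":
    for event, score, band, treat in assess(sample_register()):
        print(f"{score:>2}  {band:<6}  {'treat' if treat else 'monitor':<7}  {event}")
```

Running it prints the register ordered 9, 4, 3, 2: the vendor SLA risk lands in the High band, the support-tool and malware risks in Medium (and so get a treatment decision), and the staffing risk in Low. Changing `LEVEL` to a four- or five-point scale and adjusting `rating_band` is all that is needed to adopt a different granularity, which is the consistency point the chapter makes: the scale itself is a choice, but every assessor must use the same one.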

Did you know?

You don’t have to waste time and energy ensuring your team is using the same impact and likelihood criteria. With Tugboat Logic, we’ve standardized everything for you. Or you can customize criteria and apply standards that meet your own preferences.

Conclusion

IT risk assessments can be thorough without being complicated. In fact, to socialize your risk practice across your organization, they can’t be needlessly complex. The point of this guide is to provide you with a practical approach to conducting risk assessments.

Our approach is practical because it focuses on what matters most to your business instead of being unnecessarily exhaustive. Plus, it ensures your risk management program is tied to key business objectives, so that stakeholders can understand how it’s relevant to them.

By practicing some of the techniques we’ve outlined here, you can master the art of the IT risk assessment.