Advertisement
 
To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------
An introduction to risk management

By Deb Shinder, TechRepublic
November 29, 2005
URL: http://www.zdnet.com.au/jobs/resources/soa/An-introduction-to-risk-management/0,130056675,139224708,00.htm


TechRepublic
Everybody's talking about risk management, but do you know what it really means and how to implement it within your IT organisation?

Risk management is a popular buzzword in today's business world, but many IT administrators have only a vague idea of what it means and how it fits into their job descriptions. Risk management is a fairly simple concept; it refers to the process of making decisions based on an evaluation of the factors that present a threat to the business. In IT, that means assessing your network's vulnerabilities and threat exposure, and taking the steps necessary to mitigate them.

There are several different components to risk management, then:

  • A risk management framework that describes areas of responsibility and the stream of accountability within the organisation or department.
  • Risk analysis, a process of identifying vulnerabilities and calculating financial and loss expectancy metrics.
  • A risk management plan, which lays out the way specific tools will be used to reduce the risks to an acceptable level.

If all this sounds like a bunch of MBA mumbo-jumbo to you, you're not alone.

Risk management in plain English
The steps involved in performing a risk analysis can be broken down into a few categories:

  • Identifying the risks (in this case, the risks to your organisation that are presented by your network).
  • Determining the potential impact of the threats.
  • Weighing the cost of safeguards against the impact of the threats.
  • Making the decision on how to address risks effectively and cost efficiently.
  • Implementing risk controls.
  • Assessing effectiveness.

A risk can be to the company's assets (a risk that can result in financial loss, such as the exposure of the company's trade secrets to a competitor, or violation of regulatory statutes such as HIPAA or the GLB Act, which would result in fines and possibly other penalties). Some risks are to the company's mission (risks that interfere with employees' performance of their jobs, such as a denial of service attack that brings down the network). Of course, these categories can overlap; a single vulnerability may threaten both assets and mission.

The impact refers to the severity of the threat and the probability of a loss resulting from it. Probability x severity = the risk exposure.

The next step is to determine the cost/benefit ratio of the various measures you can take to reduce or eliminate the risk, and making decisions based on that information. Risk management formulae can tell you how much you can expect to lose per year to a specific threat. This gives you an idea of how much you can cost effectively spend on a specific threat.

Risk management software
Of course, all of this calculation can be done manually but it's much easier to let software do it for you. Some popular enterprise level packages include:

Some of these and other risk management software packages provide evaluation versions or "lite" versions. However, commercial risk assessment software tends to be expensive. For example, Enterprise Risk Assessor (ERA) Lite costs over US$5000.

Starting small
But what if your company is still small? Does that mean you don't need a risk management program? On the contrary, because small businesses usually operate on tighter budgets, with less surplus funds, it's more difficult for your small company to absorb a large loss than for a large organisation. Thus, identifying and managing your risks is, in many ways, even more important. But your needs are different, and so is your ability to fund a risk management program.

No matter what size your business is, you should have a written business plan. Risk management should be a part of that plan, rather than a standalone project. And it should be looked at as an ongoing process, rather than a short-term project. Risks, especially in the IT area, are constantly changing.

Even if your organisation can't afford a complex commercial risk management solution or the high per-hour rates of professional risk management consultants, there are tools available that you can use to make risk assessment and control easier. Microsoft provides a free, comprehensive Security Risk Management Guide on the TechNet Website that can help get you started, at no cost. The file is a bit over 2 MB.

EDITOR'S NOTE: You can download Microsoft's Security Risk Management Guide here.

The guide is not specific to Microsoft products; it is, in their words, "technology agnostic." It's a 139 page document in PDF format, and covers risk management concepts, risk management practices and comparison of different approaches (reactive vs. proactive, quantitative vs. qualitative), phases of the risk management process, details of risk assessment, how to conduct the decision support phase, tips for implementing control solutions, and how to measure the effectiveness of the program.

The download is more than a "how to" guide. It also includes XLS tools for gathering data, summarising and prioritising risk, as well as a sample project schedule.

These tools can be used by organisations in any industry, and of any size.

Scaling risk management
The basic concepts of risk management don't change as your business grows, but your implementation of risk controls probably will. Your security risk management "team" may start out as one person; as the organisation grows, so should the team. The risk management process evolves along with your overall security framework.

Free tools can remain useful even if you decide to implement more sophisticated software solutions. The software simply makes the process more automated. Building a solid knowledge of risk management practices while the organisation is small will help you to retain control over the process when it becomes more automated, rather than simply relying on the software to do everything for you.

Even if your company can't afford a risk management package now, you should plan ahead as you begin to formulate your initial risk management plan, so that you'll already know which package is right for you when the time comes and what's required to implement it. That will make the transition much smoother.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2005 TechRepublic, Inc.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.