Risk management

IsecT consultants employ a structured, proactive approach to risk management in the general context of IT.  We prefer to follow a sequence similar to this:

  • Start with an impact assessment, deliberately taking the business perspective to identify major management concerns and issues. This step helps focus on the key risks while avoiding being sidetracked by lesser risks. In practical terms, we would typically facilitate a risk workshop involving senior people from IT and the business, the output being a business impact report.
  • The next step is a full risk analysis to identify potential threats and vulnerabilities relating to the most serious impacts previously identified. The output is a risk matrix showing key (worst case) threats, vulnerabilities and impacts on one axis and risk categories on the other (e.g. to focus on information security risks, we explicitly use the ISO/IEC 27002 definition of security, namely confidentiality, integrity and availability, to examine the risks comprehensively).
  • The controls design step involves looking at the risk matrix from a practical point of view, reviewing the organization's existing security/controls already addressing the identified risks and specifically seeking evidence of control weaknesses. This step may involve specifying and cost-justifying additional controls. The output includes brief descriptions of existing or necessary additional controls in the risk matrix, and if necessary more detailed business proposals or specifications for any additional control requirements.  We use standards such as ISO/IEC 27002 to guide this step, tempered by our consultants’ practical experience.
  • Risk mitigation involves addressing the control weaknesses by developing, testing and implementing security controls.  We generally favour preventive controls and always seek cost-effective control measures, especially simple, cheap procedural controls rather than complex, expensive technological ‘solutions’ which themselves tend to introduce additional risks and dependencies!
  • Contingency planning: with the best will in the world, despite all the controls implemented already, some impacts are so severe, some threats so strong and some vulnerabilities so difficult to eliminate that the organization faces unacceptable residual risks. In IsecT’s methodology, contingency planning is an integral part of risk management not a separate activity. Wherever practicable, we prefer to help clients implement cost-effective controls to prevent risks, but detective and corrective controls (including contingency plans) are sometimes appropriate.  How far we go along the road of specifying and developing contingency measures of course depends on the client’s wishes.
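To make the risk matrix and controls design steps concrete, here is a small added Python example; it is not IsecT's own tooling or methodology, and the 0-3 impact scale, the preventive/detective/corrective labelling of each control, the "serious or worse" threshold and the sample register entries are all constructed assumptions for illustration. It builds the matrix (threat/vulnerability rows against confidentiality, integrity and availability columns), ranks rows by worst-case impact, and then performs the controls design check: which serious risks have no control at all, and which rely only on detective or corrective controls where a preventive one might be preferred.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three security properties from the ISO/IEC 27002 definition of security,
# used here as the risk categories on one axis of the matrix.
CIA = ("confidentiality", "integrity", "availability")

# Constructed 0-3 impact scale (assumption: the page gives no scoring scheme).
IMPACT_SCALE = {0: "none", 1: "minor", 2: "serious", 3: "severe"}


@dataclass
class Control:
    name: str
    kind: str  # "preventive", "detective" or "corrective" (assumed labelling)


@dataclass
class Risk:
    threat: str
    vulnerability: str
    impact: Dict[str, int]  # CIA property -> impact score on the 0-3 scale
    controls: List[Control] = field(default_factory=list)

    def worst_case(self) -> int:
        """Worst-case impact across the three properties: the row's headline score."""
        return max(self.impact.get(p, 0) for p in CIA)


def risk_matrix(risks: List[Risk]) -> List[Dict[str, object]]:
    """Rows are threat/vulnerability pairs, columns are the CIA categories.

    Rows come back sorted by worst-case impact, highest first, so a workshop
    spends its time on the key risks rather than being sidetracked by lesser ones.
    """
    rows = []
    for r in risks:
        row: Dict[str, object] = {"threat": r.threat, "vulnerability": r.vulnerability}
        for p in CIA:
            row[p] = r.impact.get(p, 0)
        row["worst_case"] = r.worst_case()
        row["controls"] = ", ".join(c.name for c in r.controls) or "(none)"
        rows.append(row)
    return sorted(rows, key=lambda row: row["worst_case"], reverse=True)


def control_weaknesses(risks: List[Risk], min_impact: int = 2) -> List[Tuple[str, str]]:
    """Controls design check over risks scoring at least `min_impact` (serious).

    Returns (threat, finding) pairs: risks with no control, and risks covered
    only by detective/corrective controls, which are candidates for a preventive one.
    """
    findings = []
    for r in risks:
        if r.worst_case() < min_impact:
            continue
        kinds = {c.kind for c in r.controls}
        if not kinds:
            findings.append((r.threat, "no control in place"))
        elif "preventive" not in kinds:
            findings.append((r.threat, "only detective/corrective controls; consider a preventive measure"))
    return findings


# Constructed sample register (illustrative entries, not real client data).
SAMPLE_RISKS = [
    Risk("ransomware", "unpatched file server",
         {"confidentiality": 2, "integrity": 3, "availability": 3},
         [Control("offline backups", "corrective")]),
    Risk("payroll data leak", "shared admin password",
         {"confidentiality": 3, "integrity": 1, "availability": 0}),
    Risk("website defacement", "CMS with default credentials",
         {"confidentiality": 0, "integrity": 2, "availability": 1},
         [Control("unique credentials + MFA", "preventive"),
          Control("file integrity monitoring", "detective")]),
    Risk("printer outage", "single shared printer",
         {"confidentiality": 0, "integrity": 0, "availability": 1}),
]


def print_matrix(rows: List[Dict[str, object]]) -> None:
    header = ["threat", "vulnerability", *CIA, "worst_case", "controls"]
    print(" | ".join(header))
    for row in rows:
        print(" | ".join(str(row[h]) for h in header))


if __name__ == "__main__":
    print_matrix(risk_matrix(SAMPLE_RISKS))
    for threat, finding in control_weaknesses(SAMPLE_RISKS):
        print(f"weakness: {threat}: {finding}")
```

Run it as a script to see the ranked matrix and the two weaknesses the sample register produces: the payroll leak has no control at all, and the ransomware risk is covered only by a corrective control (backups), which is exactly the kind of row that prompts a cost-justified proposal for an additional, preferably preventive, control.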

The most advanced organizations continually review and improve their control environments in order to respond quickly to new threats, vulnerabilities and impacts, and to confirm that controls remain effective in practice.  Call IsecT for help to establish best-practice proactive risk management processes in your organization, including routine and ad hoc risk reviews, IT audit and information security management.

We can also help with the management of project risks.  The following 21 project risk factors, identified by 30 years of international research, were prioritised by 1,500 IT project managers:

Most important

  1. Lack of top management commitment
  2. Misunderstanding of scope/objectives/requirements
  3. Lack of client/end-user commitment/involvement
  4. Changing scope/objectives
  5. Poor planning/estimation
  6. Inadequate project management
  7. Failure to manage end-user expectations
  8. Conflict among stakeholders
  9. Change in senior management ownership
  10. Lack of adequate change control
  11. Shortage of knowledge/skills in the project team
  12. Improper definition of rôles and responsibilities
  13. Artificial deadlines
  14. Specifications not frozen
  15. New or radically redesigned business process/task
  16. Employment of new technology
  17. Poor control against targets
  18. Number of organisational units involved
  19. Lack of effective methodologies
  20. Staff turnover
  21. Multiple vendors

Least important

We have hands-on experience of dealing with all of these risks, and more besides.  If you recognise your own problems on the list, call us for help!

Copyright © 2010 IsecT Ltd.