Here are three simple checks to gauge how well you’ve set up your IT Risk Register.
Firstly – have you got an IT Risk Register?
If not, then you really ought to set one up.
If you have got an IT Risk Register, try these two:
- Have you got Cyber Security listed as a Risk?
- Have you got more than 2 dozen Risks on your IT Risk Register?
If you answered ‘yes’ to either of those, it sounds like you need help.
Risk Management is both an art and a science
An art – to write those risks in clear and simple language that makes them easy for everyone in your IT division to understand. Risk Management comes down to some specific terminology and semantics (risk, threat, control), so it’s best to get your head around the key terms.
A science – because it requires a probing, logical mind to identify where your risks are, what impact they would cause to the business, and what the likelihood of occurrence would be.
A scientific approach is also needed to minimise the number of risks that you record in your Risk Register – not because you want to hide anything, it’s just far simpler to manage a smaller number of composite risks as I explain below.
Why shouldn’t I have Cyber as one of my risks?
There are weaknesses in the security of my IT systems and the business may come under a cyber attack.
So what? That in itself doesn’t cause your business any damage at all. The fact is you are probably suffering thousands of attempts to hack into your systems every day. You have to step through the scenario until you identify something that can do real harm to your business. Usually that will be one of the following:
- Your data is compromised (corrupted, stolen/copied, deleted, encrypted, …)
- Your systems are brought down (e.g. denial of service)
- One of your staff is tricked into doing something wrong (e.g. making a false payment)
If we take the first one, it is clear to see that a hit on your data could have significant impact on your business. But think about it – that situation could be brought about by a variety of causes, many of which have nothing to do with a cyber attack.
The risk you need to record is one about the data compromise affecting your business.
A cyber attack should be treated as a threat, not a risk. Your cyber security would go down in the Register as a control, against which you record the weaknesses / issues.
It wouldn’t surprise me if you identified up to a dozen potential ways in which a data incident could arise (malpractice, database software malfunction, and so on). Each would drive you to identify controls (processes, tooling, training, for example) for the overall data risk.
Why should I have such a small number of Risks?
Following on from above, you will have multiple controls for the data risk. If you had written down every issue or threat as a risk, you would be sitting with a dozen data-related risks and a similar number of controls.
So what? I hear you ask.
Well, the risk register starts to become more like a cat’s cradle, because many of those controls will apply to multiple risks. Instead of one risk mapping to many controls, you have built a Risk Register in which the relationship is many risks to many controls – and that is far more complicated to manage.
The other reason for keeping the numbers down is simply one of representation to outside bodies. Your industry sector is likely to have a regulatory body. The regulatory body would be alarmed to hear that you have identified and registered 147 risks in your IT division alone.
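To make the structure above concrete, here is a small model of a register built the way the post recommends: each risk is a harm to the business, the threats are the ways it could arise, and the controls sit against the risk. This is an added example, not code from the post or from BLMS; the register entries, the control names and the "cyber" keyword test are constructed for illustration. The same model can run the three checks from the opening and show how much the control mapping grows if every threat is logged as its own risk.

```python
"""Model an IT Risk Register as risks -> threats -> controls and run the
post's three checks over it. Example code; all entries are constructed."""
from collections import defaultdict

# Constructed sample register (assumption: three composite risks, as in the post).
REGISTER = {
    "Business data compromised (corrupted, stolen, deleted, encrypted)": {
        "threats": ["cyber attack on database", "malpractice by privileged user",
                    "database software malfunction"],
        "controls": ["access control and MFA", "tested backups",
                     "patch management", "staff training"],
    },
    "Core systems unavailable (e.g. denial of service)": {
        "threats": ["cyber attack (DDoS)", "hardware failure", "change gone wrong"],
        "controls": ["patch management", "DDoS mitigation", "change management"],
    },
    "Staff tricked into making a false payment": {
        "threats": ["business email compromise", "phone impersonation"],
        "controls": ["staff training", "dual authorisation of payments"],
    },
}

MAX_RISKS = 24  # the post's "more than two dozen" threshold


def misclassified_risks(register):
    """Risk titles that name a threat (a cyber attack) rather than a harm.
    Keyword match on 'cyber' is a constructed heuristic, not a rule from the post."""
    return [title for title in register if "cyber" in title.lower()]


def too_many_risks(register, limit=MAX_RISKS):
    """True when the register exceeds the post's two-dozen rule of thumb."""
    return len(register) > limit


def shared_controls(register):
    """Map each control to the risks it serves, keeping only controls used by
    more than one risk: these are the many-to-many edges of the cat's cradle."""
    uses = defaultdict(list)
    for risk, entry in register.items():
        for control in entry["controls"]:
            uses[control].append(risk)
    return {c: risks for c, risks in uses.items() if len(risks) > 1}


def expand_threats_as_risks(register):
    """The anti-pattern: one register entry per (risk, threat) pair, each
    carrying the full control list of its parent risk."""
    expanded = {}
    for risk, entry in register.items():
        for threat in entry["threats"]:
            expanded[f"{risk} via {threat}"] = {
                "threats": [threat],
                "controls": list(entry["controls"]),
            }
    return expanded


def health_check(register):
    """The three checks from the opening of the post, as one report."""
    return {
        "has_register": bool(register),
        "cyber_listed_as_risk": misclassified_risks(register),
        "too_many_risks": too_many_risks(register),
        "risk_count": len(register),
        "controls_shared_between_risks": len(shared_controls(register)),
    }


if __name__ == "__main__":
    print("composite register:", health_check(REGISTER))
    print("threat-per-risk register:", health_check(expand_threats_as_risks(REGISTER)))
```

With the constructed data, the composite register has three risks and only two controls shared across risks; logging each threat as its own risk inflates it to eight entries in which every control is shared, which is the many-to-many relationship the post warns about.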
What difference will it make?
It is hard to engage the whole IT team in Risk Management because they often see it as an administrative overhead: a chore that seems unrelated to their day-to-day responsibilities. It becomes even harder if the job of drawing up the IT Risk Register is done badly.
If the job is done well, it can make all the difference. It can be a major tool to help you improve the management processes and disciplines that you use to build and run your systems, and in turn that will drive up the quality of the service you deliver to your business.
If you’re interested in hearing more about how to transform your IT Risk Register from being a necessary chore into a valuable tool, please feel free to make contact with us at BLMS on 0114 398 4344.
Brian Lancaster is a Director at BLMS Consulting