The all-encompassing use of IT in today’s environment can provide significant benefits to an enterprise, but it also involves risk. IT risks need to be treated like the other key business risks (strategic, environmental, market, credit, operational and compliance), all of which could result in failure to achieve strategic objectives. A comprehensive IT risk assessment should be able to answer the following questions:
- What kind of a role does technology play in your organization?
- How dependent is the organization on information technology services and data?
- Does your organization understand its technology risks and opportunities and how they could impact it?
- What technology opportunities exist in the marketplace that your organization has not taken advantage of?
- What is the quality of the organization’s current IT risk management processes?
An IT Risk Assessment can help you answer these questions – and be ready when the board asks them.
Like every business decision, IT risk management requires decision makers to balance risk and reward. Many organizations waste a large percentage of the investment they make in information security. This happens for two main reasons: either they have not properly evaluated the cost/benefit of their mitigation strategy, or they apply a technology solution to a symptom rather than to the root cause.
Our IT Risk Assessment approach is like no other in the market. First, we gather information about the organization’s environment from a diverse group of key stakeholders to identify technology risks and opportunities. A select group of senior management will participate in a workshop in which the risks will be discussed and adjusted as necessary. The workshop will conclude with the participants individually voting to rate each risk item based on “likelihood” and “significance.” The outcome of this process will be a “gross risk map” of your technology risks.
We assess the controls surrounding the risk areas, incorporating an evaluation of each control’s design and operating effectiveness. We benchmark against IT control frameworks such as COBIT, the ISO 27000 series, NIST and CIS. The resulting “net risk map” will provide the management team with a clear picture of the highest technology risk items within the corporation. Based on the results, we sit down with management and/or the board and define the organization’s risk tolerance and acceptance.
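As an added illustration of the gross-to-net risk map described above (example code written for this page, not Eminere Group’s own tooling), the following calculator aggregates workshop votes into a gross score per risk item, discounts it by the assessed design and effectiveness of the surrounding controls, and flags items that exceed the agreed tolerance. The 1–5 scales, the median aggregation, the multiplicative control adjustment and the sample risk register are all assumptions, since the page describes the workflow but not the arithmetic.

```python
"""Gross and net technology risk map from workshop votes and control ratings.

Assumptions (not from the source page): likelihood and significance are voted on
1..5 scales, a participant's score is likelihood x significance, the gross score
is the median of participant scores, and each control removes a fraction
design * effectiveness of the remaining risk.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List


@dataclass
class Vote:
    likelihood: int    # 1 (rare) .. 5 (almost certain)   -- assumed scale
    significance: int  # 1 (negligible) .. 5 (severe)     -- assumed scale


@dataclass
class Control:
    name: str
    design: float         # 0..1: how well the control addresses the risk on paper
    effectiveness: float  # 0..1: how well it actually operates


@dataclass
class RiskItem:
    name: str
    votes: List[Vote]
    controls: List[Control] = field(default_factory=list)


def gross_score(item: RiskItem) -> float:
    """Median of each participant's likelihood x significance.

    The median (an assumption) keeps one outlier voter from skewing the map.
    """
    if not item.votes:
        raise ValueError(f"no votes recorded for {item.name!r}")
    for v in item.votes:
        if not (1 <= v.likelihood <= 5 and 1 <= v.significance <= 5):
            raise ValueError(f"vote out of range for {item.name!r}: {v}")
    return float(median(v.likelihood * v.significance for v in item.votes))


def control_strength(item: RiskItem) -> float:
    """Combined mitigation in [0, 1): controls are applied one after another,
    each removing design * effectiveness of whatever risk is still left."""
    remaining = 1.0
    for c in item.controls:
        if not (0.0 <= c.design <= 1.0 and 0.0 <= c.effectiveness <= 1.0):
            raise ValueError(f"rating out of range for control {c.name!r}")
        remaining *= 1.0 - c.design * c.effectiveness
    return 1.0 - remaining


def net_score(item: RiskItem) -> float:
    """Gross score discounted by the assessed control strength."""
    return gross_score(item) * (1.0 - control_strength(item))


def classify(score: float, tolerance: float) -> str:
    """Compare a net score with the tolerance agreed with management/the board."""
    return "within tolerance" if score <= tolerance else "exceeds tolerance"


def build_risk_map(items: List[RiskItem], tolerance: float) -> List[Dict]:
    """Rows sorted from highest to lowest net risk, ready for a management report."""
    rows = []
    for item in items:
        g, n = gross_score(item), net_score(item)
        rows.append({"risk": item.name, "gross": round(g, 1), "net": round(n, 1),
                     "status": classify(n, tolerance)})
    rows.sort(key=lambda r: r["net"], reverse=True)
    return rows


# Constructed sample register: three risk items, a handful of workshop votes each.
SAMPLE_ITEMS = [
    RiskItem("Ransomware disrupting order processing",
             [Vote(4, 5), Vote(5, 5), Vote(4, 4), Vote(3, 5)],
             [Control("Offline, tested backups", design=0.9, effectiveness=0.7),
              Control("Endpoint detection and response", design=0.8, effectiveness=0.5)]),
    RiskItem("Delayed patching of internet-facing systems",
             [Vote(4, 4), Vote(5, 4), Vote(4, 5)],
             [Control("Patch management process", design=0.6, effectiveness=0.3)]),
    RiskItem("Loss of key IT staff",
             [Vote(3, 3), Vote(2, 3), Vote(3, 2)]),
]
TOLERANCE = 6.0  # assumed: net scores above this need an action-plan track

if __name__ == "__main__":
    for row in build_risk_map(SAMPLE_ITEMS, TOLERANCE):
        print(f"{row['risk']:<45} gross {row['gross']:>5} net {row['net']:>5}  {row['status']}")
```

In the sample, the ransomware item has the highest gross score but drops well within tolerance once its controls are credited, while the patching item stays at the top of the net map because its only control is rated weak; that ordering, not the gross votes alone, is what the action plan should be built from.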
The project will conclude with recommendations, suggested performance measurements and an IT risk management action plan for the management team to address the key gaps. The IT risk management plan will contain key tracks, investment estimates, and suggested timing. The management team, the audit committee, and your Board will be enlightened by the results! This will enable effective enterprise governance and management of IT risk.
Our methodology is based on the COBIT Risk IT framework and ISO 31000. In addition, Eminere Group can help assess the quality of your current IT risk assessment process. This type of assessment will provide suggestions for improvement as well as a benchmark against best-practice IT risk management. Furthermore, we can assist your organization in establishing and/or improving your IT risk management processes.