Risk Management in IT: Another step for Quality
What is Risk?
Risk is uncertainty: a situation in which it is hard to say whether a particular event will occur, and, if it does, what impact it will have on the project.
The measure of an IT risk is commonly expressed as the product of the threat likelihood, the severity of the vulnerability it can exploit, and the value of the affected asset, each rated on an agreed scale:
Risk = Threat * Vulnerability * Asset
What is Risk Management?
As the name suggests, it is the management of risks, or of their impact, so that they have minimal or no effect on the project. Risk management is about reducing risk to an acceptable level; it does not mean eliminating every risk, since some residual risk always remains.
It is a recurring activity covering the analysis, planning, implementation, control and monitoring of the implemented security measures and of the enforced security policy.
There are four steps to follow:
- Identify Risks: Identify every IT risk and document each detail about it, such as its source and kind, the area it impacts and its estimated probability, in a central location (a risk register).
- Evaluate, Categorize and Prioritize Risks: Evaluate the risks by performing IT risk assessments and calculations based on proven methodologies, then categorize them by severity. This lets managers prioritize their response strategies, addressing the highest-rated risks first.
- Develop and Implement Risk Response/Mitigation Plans: Risk mitigation is a systematic process in which Key Risk Indicators (KRIs) are established that help predict risks and feed the risk assessment model. For each risk one of the following response options is chosen.
Following are the options:
- Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
- Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence.
- Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability.
- Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
- Research and Acknowledgement. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
- Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
- Monitor Risk Status: Once the process is in place, the implemented security measures must be monitored and reviewed regularly. Business requirements, vulnerabilities and threats change over time, so this step confirms that the measures still work as planned and that changes in the environment are detected and reflected in the assessment rather than silently raising the risk.
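The four steps above, together with the Risk = Threat * Vulnerability * Asset formula, can be run as a small risk register. The following is an added example, not code from the original page: it scores each risk on assumed 1-5 ordinal scales, categorizes the score with assumed thresholds, records the chosen response option, computes the residual score after controls, prioritizes the register, and re-evaluates it when a Key Risk Indicator reports a changed factor. The sample risks, controls and KRI readings are constructed for illustration.

```python
"""IT risk register: Risk = Threat * Vulnerability * Asset, categorisation,
prioritisation, response tracking and KRI-driven monitoring.
Added example; the 1-5 scales, thresholds and sample risks are assumptions."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed ordinal scale: 1 = negligible ... 5 = severe

# The six mitigation options listed on this page.
RESPONSE_OPTIONS = {"assumption", "avoidance", "limitation",
                    "planning", "research", "transference"}


@dataclass
class Control:
    """A safeguard that lowers one factor by a number of scale levels."""
    name: str
    factor: str      # "threat", "vulnerability" or "asset"
    reduction: int


@dataclass
class Risk:
    name: str
    source: str      # where the risk comes from, recorded at identification
    threat: int
    vulnerability: int
    asset: int
    response: str = "assumption"
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for level in (self.threat, self.vulnerability, self.asset):
            if level not in SCALE:
                raise ValueError(f"{self.name}: factor levels must be 1..5")
        if self.response not in RESPONSE_OPTIONS:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")


def score(threat, vulnerability, asset):
    """Risk = Threat * Vulnerability * Asset on the 1-5 scales (range 1..125)."""
    return threat * vulnerability * asset


def categorize(risk_score):
    """Assumed thresholds at 4^3, 3^3 and 2^3, i.e. 'critical' roughly means
    every factor is at 4 or above, 'high' at 3 or above, and so on."""
    if risk_score >= 64:
        return "critical"
    if risk_score >= 27:
        return "high"
    if risk_score >= 8:
        return "medium"
    return "low"


def inherent(risk):
    return score(risk.threat, risk.vulnerability, risk.asset)


def residual(risk):
    """Score after the chosen response: avoidance eliminates the cause or the
    consequence; the other options are modelled through their controls."""
    if risk.response == "avoidance":
        return 0
    levels = {"threat": risk.threat, "vulnerability": risk.vulnerability,
              "asset": risk.asset}
    for control in risk.controls:
        levels[control.factor] = max(1, levels[control.factor] - control.reduction)
    return score(levels["threat"], levels["vulnerability"], levels["asset"])


def prioritize(register):
    """Highest residual risk first; ties broken by inherent score."""
    return sorted(register, key=lambda r: (residual(r), inherent(r)), reverse=True)


def monitor(register, kri_readings):
    """Apply factor levels reported by Key Risk Indicators and return the risks
    whose category moved, i.e. whose response plan needs revisiting."""
    moved = []
    for risk in register:
        readings = kri_readings.get(risk.name)
        if not readings:
            continue
        before = categorize(residual(risk))
        for factor, level in readings.items():
            if factor not in ("threat", "vulnerability", "asset") or level not in SCALE:
                raise ValueError(f"bad KRI reading {factor}={level}")
            setattr(risk, factor, level)
        after = categorize(residual(risk))
        if after != before:
            moved.append((risk.name, before, after))
    return moved


def build_register():
    """Constructed sample register (not real data)."""
    return [
        Risk("Shared admin password", "identity management", 3, 5, 5,
             response="planning"),
        Risk("Unpatched internet-facing web server", "patch management", 5, 4, 4,
             response="limitation",
             controls=[Control("monthly patch cycle", "vulnerability", 2)]),
        Risk("Laptop theft", "physical", 3, 3, 3,
             response="transference",
             controls=[Control("cyber insurance", "asset", 2)]),
        Risk("Legacy FTP service", "legacy systems", 4, 5, 2,
             response="avoidance"),
    ]


if __name__ == "__main__":
    register = build_register()
    for risk in prioritize(register):
        print(f"{risk.name:40} inherent={inherent(risk):3} "
              f"residual={residual(risk):3} {categorize(residual(risk))}")
    # KRI reports laptops now carry customer data: asset value rises to 5.
    print(monitor(register, {"Laptop theft": {"asset": 5}}))
```

Note that prioritization uses the residual score, so a risk with no controls yet (the shared admin password, still at the planning stage) stays at the top of the list even though the web server has the larger inherent score, and the monitoring step re-opens the laptop risk as soon as the KRI shows the asset value has grown.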
How is the SDLC supported by Risk Management?
Risk management in IT gives the organization assurance through improved network security, effective use of IT resources, reduced management costs, continuous improvement towards business goals and greater compliance.