A guide to managing the risk assessment process

Risk management assessments in IT take on many different forms -- from data risk to project risk. Learn more about managing the risk assessment processes in your IT organization.

The goal of a risk assessment process is to minimize the effect of any type of risk -- including data and project risk -- on an organization. IT plays a key role in risk management and assessment by using technology initiatives to reduce unplanned losses in financial, strategic and operational initiatives.

Our guide, a risk assessment primer for midmarket CIOs, addresses the various types of risks within the IT department and how they can be mitigated. Learn more about how CIOs can address risk within disaster recovery, data management and project management, using the tools and resources available here.

For free advice and resources on more IT and business topics, visit our list of Midmarket CIO Briefings.

How to build (and sell your business on)

Be careful what you wish for. Now that security has the attention of business management and boards of directors, CIOs must learn how to translate an information security program into terms the business understands. The first rule of thumb? Focus on results, not details.

Gartner Inc. recommends five tips for linking security to corporate performance:

  • Formalize a risk and security program.
  • Map key risk indicators to key performance indicators.
  • Don't use operational metrics in executive communications.
  • Link risk initiatives to corporate goals.
  • Communicate to executives what works and what doesn't.

Find out more in "Using key risk indicators to sell your information security program."

Quantifying and assessing risk

As many midmarket CIOs continue to face budget pressures, some are now slashing a mainstay of the IT budget: vendor maintenance contracts for software and hardware systems.

Hard-pressed to find more places to cut, CIOs are increasingly inclined to take the risks of going off vendor maintenance, or of moving to a cheaper third-party provider, interviews suggest. This is true even for mission-critical systems and even though it means forfeiting their rights to upgrade.

The surprising punch line? For CIOs who do not plan to upgrade a system soon, or carry more licenses than they now need because of layoffs, the gamble might be just the right thing to do.

Learn more in "CIOs taking risk of cutting vendor maintenance contracts to save money."

Mitigating risk with information security basics

The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting the final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The guide should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and employees must bear more of the responsibility for information security.

Last month, the U.S. Secret Service underscored the cyber danger to small and medium-sized businesses (SMBs). Testifying before the Senate Homeland Security and Governmental Affairs Committee, the agency said cybercriminals are increasingly targeting SMBs that do not keep their computer security up to date, according to a story by the Associated Press.

Most of the attacks are waged by overseas criminal groups looking to steal sensitive financial and personal information, said Michael Merritt, assistant director of the Secret Service's office of investigation.

Find out more in "10 must-have steps for an effective SMB information security program."

Risk management strategies for disaster recovery, business continuity

His office is on the seventh floor of a building that's nowhere near a floodplain, so Robert Rosen had no particular fear of water damage to his IT equipment. But one weekend, in the office next door, the water filter in an office kitchen cracked, sending a stream of water onto the floor and under the wall into his facilities.

Although critical servers remained dry, the flood ruined equipment that was on the office floor, including 10 surge protectors, six uninterruptible power supplies, six power bricks and one PC. While things were drying out and a length of wallboard was replaced, Rosen implemented a disaster recovery plan that was crafted for an entirely different contingency.

Floods, fires, power failures and pandemic flu can happen. Every IT professional must envision the impact of such disasters on company operations and devise tactics to deal with them. But first, take a step back and start with a comprehensive assessment of all the risks your business faces, of which IT vulnerabilities are an important part.

Learn more about disaster recovery and risk management in "Applying risk assessment to your disaster recovery plan."

Free risk management tools and resources

Using formal risk management tools, companies can more accurately calculate "worst-case scenarios" in IT and the effect that the loss or corruption of systems and data would have on the business. So how should you begin your risk management assessment process?

To get you started, we've tracked down some free risk management tools, templates, instructions, calculators and informational guides from across the Web. These free resources offer tools for assessing disaster recovery, risk management and even data loss, including:

  • Risk management guidelines and procedures.
  • Risk management tools.
  • Disaster recovery and risk management assessments.
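The guide points to calculators without spelling out what they compute. The block below is an added example, not code from the original article or from any of the tools it links to. It implements the standard quantitative model most such calculators use: single loss expectancy (asset value times exposure factor), annualized loss expectancy (SLE times annual rate of occurrence), and a control's return on security investment. Every asset value, rate and control cost in it is a constructed illustration; the "water leak" entry only borrows the scenario from the flooded-floor anecdote above, not any real figures.

```python
"""Quantitative risk register (added example, not from the original guide).

Model, stated as assumptions rather than taken from the article:
    SLE  = asset_value * exposure_factor
    ALE  = SLE * ARO                      (expected yearly loss)
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    asset_value: float      # replacement plus outage cost, in dollars
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected cost per year."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_after: float       # incident rate once the control is in place
    exposure_after: float  # exposure factor once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    return risk.asset_value * control.exposure_after * control.aro_after


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment; > 0 means the control pays for itself."""
    saved = risk.ale() - residual_ale(risk, control)
    return (saved - control.annual_cost) / control.annual_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order by ALE, highest first, so the register surfaces the scenarios
    worth treating before the merely dramatic ones."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register (illustrative numbers, not data from the article).
RISKS = [
    Risk("Water leak damages floor-level equipment", 15_000, 0.5, 0.2),
    Risk("Ransomware on unpatched file server", 400_000, 0.6, 0.1),
    Risk("Lapsed vendor maintenance delays a critical fix", 250_000, 0.3, 0.25),
]

# Constructed control for the leak scenario: rack the gear and add leak sensors.
LEAK_CONTROL = Control("Racks and leak sensors", annual_cost=1_200,
                       aro_after=0.05, exposure_after=0.1)


def summary(risks: List[Risk]) -> List[str]:
    """One line per risk, ranked by ALE."""
    return [f"{r.name}: SLE ${r.sle():,.0f}, ALE ${r.ale():,.0f}"
            for r in rank_risks(risks)]


if __name__ == "__main__":
    for line in summary(RISKS):
        print(line)
    print(f"Leak control ROSI: {rosi(RISKS[0], LEAK_CONTROL):.2f}")
```

Note what the ranking shows: the leak that actually happened has the smallest ALE of the three, while the ransomware and maintenance scenarios dominate the register. That is the point of a formal assessment, to treat risks by expected loss rather than by how vivid they are. The ROSI check then tells you whether a given control is worth its cost against the risk it addresses.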

Go to "Free risk management tools and resources for the enterprise" to learn more.

This was last published in October 2009
