What Is IT Risk?
Information technology (IT) risk is any potential threat to business data, critical systems and business processes. It is the risk associated with the use, operation, involvement, influence, ownership and adoption of IT within an organization or business. IT risk can potentially damage business value and often come from poor management of organizational processes and events.
Categories of IT Risk
IT risk covers a range of business-critical areas. It is important to be cognizant of all the different types of IT risks that could potentially affect an organization.
IT risk can be generally separated into four broad categories, as follows:
- Security: The data within an organization is compromised because of unauthorized access or use.
- Compliance: There is failure on the part of one or multiple employees to abide by established laws and regulations, such as data protection.
- Availability: There are challenges related to the ability to access an organization’s IT systems, needed to carry out its operations.
- Performance: Productivity is reduced because of slow or delayed access to IT systems.
Potential Impacts of IT Risk
Events or incidents that compromise IT can cause many problems, particularly for a business that relies on technology to carry out its day-to-day operations. In today’s tech-heavy environment, practically all organizations of any size or sector would benefit from robust IT risk management.
A security breach can result in the following problems:
- Identity fraud and/or theft
- Financial fraud and/or theft
- Damage to brand
- Damage to the organization's physical assets
- Leaking or releasing of classified information or intellectual property
- Drop in company valuation
Failure of IT systems due to downtime or outages can result in further damaging and diverse consequences, including the following:
- Lost sales and customers
- Reduced staff, morale and/or business productivity
- Drop in customer loyalty and satisfaction
- Impaired relationships with partners, suppliers and other stakeholders
- Loss of competitive advantage
Should IT failure affect an organization’s ability to comply with laws and regulations, it could further result in:
- Breach of legal duties
- Breach of client confidentiality
- Penalties, fines and litigation
- Reputational damage
- Increased insurance costs
- Higher borrowing rates from lenders
Managing and mitigating IT risk should be a core concern for any business, irrespective of size and sector. Technology serves to connect and communicate with customers, suppliers, partners and business information; thus, adhering to IT risk best practices is crucial to the success of any business.
What Is an IT Risk Assessment?
In an IT risk assessment, IT risks need to be methodically identified, measured, managed and mitigated. The IT risk assessment process aims to accomplish this, by identifying security risks, determining their probability of occurring, and estimating the threat they pose. Once risks are identified and measured, they should be managed and mitigated through a comprehensive and detailed IT risk management process.
When conducting an IT risk assessment, it helps to gather detailed data and information on the IT systems, processes and users. There are two primary inputs to the risk assessment:
- Knowledge of the IT environment gained through working with the current systems: The results of gathering and analyzing IT data are that it provides insight into many key IT processes, such as managing logical access, managing application changes and performing data backups.
- Interviews with key IT personnel: Interviews are a productive means of gathering additional insights into other risks, including planned IT projects. The insight gained from interviews of key individuals can be used to evaluate and address the risks within the organization and to define the scope of IT audits in each process area. Professional judgment and discussions with the internal audit director can be used to calibrate the IT audit plan.
With the data gathered from fact-finding and interviews, an internal audit can catalog the inherent risks identified with each IT process area and rate them on both relevance and probability. At this stage, the organization is ready to produce an audit report with its findings.
The IT Audit Report
The IT audit report outlines findings from a high-level IT risk assessment of the company. It begins with the background and reasons for the assessment selection. For example, the rationale for the assessment selection could be the following:
- Assist management in obtaining a better understanding of the technology risk impacting the organization.
- Prioritize the technology risk areas.
- Develop a three-year IT audit plan.
Each assessment should be paired with a projected time frame and the due date for its completion. This gives all participants a gauge to schedule their tasks and workflow. The timeline could change based on the IT department and internal audit activities. It is advisable to keep track of the time spent on each task as this will help to measure the required time needed for audits going forward. Tasks that took longer than anticipated can be divided into subtasks while those that took less than the anticipated time may be combined with other tasks.
Risk ratings of the IT processes can help define the rotational coverage of a multiyear IT audit plan. Depending on the size and complexity of the organization, an audit plan can take place more frequently than three years and should re-occur after a major change in systems, technology or business structure. For example, high-risk processes can be covered every one to two years of the plan, medium-risk processes every three years, and low-risk processes can only be covered if a specific project or reason for focus arises in a particular year.
The audit report provides perspective on how often additional IT audit work should be performed to address other IT risks not covered (or not covered in sufficient depth) through the current audit. An IT process-centric risk assessment approach can help to clarify whether the process needs to further refine the assessment or to gain additional input from business executives.
The IT Process Overview
The audit report should include an IT process overview. This is a detailed list of all of the IT processes in an organization and their descriptions. Below is a sample list:
- Manage Security and Privacy
- Manage IT Infrastructure
- Ensure Continuity
- Manage IT Assets
- Support End Users
- Deploy and Maintain Solutions
- Define IT Strategy and Organization
Other factors considered in developing the plan may include:
- Regulatory or other compliance requirements
- Results from previous audits of the area
- Length of time since the last audit of the area
- Complexity of the audit and budget considerations
The plan should be reviewed and discussed in detail with the director of internal audit services. Scheduling individual audits should be closely coordinated with the IT department.
Where to Start
Going through the process of conducting an IT risk assessment and audit may sound daunting and time-consuming, particularly for tech-heavy organizations with multiple divisions and/or locations. No doubt there is a plethora of information on the subject of IT risk, albeit, because technology is ever-changing, much of the information and resources are outdated and are no longer practical or applicable. Additionally, not all businesses face the same IT risks as they can vary by sector, level of internal IT expertise, specialization and location-specific regulatory requirements and/or restrictions.
Here are just a few examples of the IT risk content available on KnowledgeLeader:
- IT Risk Assessment Questionnaire: This tool includes risk assessment questions for both IT management and executive IT management.
- What Is Internal Audit’s Role in Cybersecurity?: We explore internal audit’s place in the cybersecurity process, including how internal audit can contribute to the five key components crucial to cyber preparedness.
- Enterprise Risk Planning (ERP) Integration Architecture Audit Work Program: This work program template provides steps organizations can take to perform an enterprise risk planning (ERP) integration architecture audit.
- IT Asset Management Guide: This guide focuses on improvements organizations can make to effectively perform their IT asset management process.
In addition to the above, KnowledgeLeader offers IT risk management frameworks, IT risk tools, IT risk templates, newsletters, charters and booklets, with detailed and applicable information and advice on carrying out the IT risk assessment and audit. Browse our IT Risk Topic Page to explore all of our IT risk resources.