<<At Silicon Valley Bank, I actively work on increasing the risk awareness among our global workforce - specifically among those who work in IT. One of the methods I use to reach a large audience is by publishing a quarterly newsletter. Through surveys, we found that our audience prefers short and non-technical pieces. With that in mind, I wrote the following introductory article about IT risk management. I expect that I will follow up with another article that goes into further details about this topic.>>
We drive slower when it rains. We look both ways when we cross the street. We take medicine when we feel ill.
Risk management is simply a tool that helps us weigh options, consider alternatives and make decisions. We drive slower when it rains because we know it reduces the odds of getting into an accident.
Is risk management all about trying to prevent “bad stuff” from happening?
Absolutely not… Risk management also enables us to better evaluate the upside of the options available to us and choose the one that best fits our goals.
Ok… But what about IT risk management?
It’s natural to wonder why we should care about IT risk management; understanding a few key concepts helps with that:
o IT Risk: Any risk stemming from the use of or exposure to information technology
o IT Risk Management: Processes and structures to identify, assess, report and address IT risk
o IT Controls: Activities we perform to mitigate one or more risks
Let’s explore why IT risk management is becoming more important every day.
Nowadays, it’s hard to imagine any company that does not rely on technology for most of its main processes, transactions and manufacturing. You have probably heard the news about well-publicized hacks, data losses and system crashes at major companies. As these events show, inadequate IT risk management can result in lost revenue and business opportunities, inefficiencies, fraud and credit losses, damage to the company’s reputation and lost client relationships.
In IT, our responsibilities range from keeping our technology systems up and running to implementing new systems and processes. We run the majority of our technology-related processes and controls (patching, backups, etc.) ourselves in the background. In addition, many of the bank’s processes (reconciliations, dual signatures, authentication to systems, etc.) depend heavily on technology that we support.
To make the best risk-based decisions for our organization, all of these activities need a certain rigor. Following our established processes and controls is what allows us to manage our risk effectively. In that sense, each of us contributes to managing risk by following our processes, finding issues and addressing them.
The next time when you think about risk, just remember: You are a risk manager… We all are!