Risk management is a term of art used to describe complex activities where an organization identifies and assesses its risks and then creates a plan for addressing those risks. Risk management goals include protecting the organization's profitability (bottom line), ensuring that the organization meets its regulatory compliance requirements, and assuring that the organization can achieve its mission and key objectives. While IT organizations use risk management practices to address IT-related risks, these same practices can be applied to address any organizational activity that introduces business uncertainty.

Risk management practices generally fall into three basic steps.

1. Risk Assessment

Risk assessment refers to the process of identifying the threats and vulnerabilities that an organization faces (collectively called risks) and then assessing the organizational impact of those risks should they occur.¹ There are two main types of risk assessments. A quantitative risk assessment is one that uses real numbers to calculate risk and potential loss. In a quantitative risk assessment, risk is measured in terms of a percentage of likelihood of occurrence and the dollar value of any subsequent loss. A qualitative risk assessment is one that uses scenarios and rating systems (e.g., low, medium, and high) to calculate risk and potential harm. There are a number of different published methodologies for conducting both quantitative and qualitative risk assessments.²

2. Risk Response

Risk response is how an organization chooses to respond to its identified risks. Executive management usually determines the risk response. There are four basic risk responses:

* Avoidance: The organization adopts controls to completely eliminate an identified risk.

* Mitigation: The organization adopts controls to partially eliminate or reduce an identified risk.

* Transfer: The organization passes its risk to another entity (e.g., purchasing insurance is a common way of transferring risk).

* Acceptance: The organization intentionally and affirmatively takes no action against a potential risk. An organization may pursue this strategy when the cost of mitigating or transferring a risk is more than the anticipated loss of the risk actually occurring.

3. Continuous Monitoring

Continuous monitoring refers to the actions that an organization must take to continuously assess and address risk. Since technology, operating, and business conditions change rapidly, risk management is not a "one time" activity. Instead, an organization must always be mindful of the changing nature of the risks that it faces and must be willing to change its risk response as circumstances change.

In an IT organization, the risk management process can help identify, assess, prioritize, and address the major IT risks that, if realized, might keep an institution from accomplishing its goals of research, educating students, or community outreach. Ensuring that risk management activities aare a continual process, instead of a one-time project, makes sure that changing circumstances and environments don't inadvertently introduce new risks into operational activities.

Notes

* The IT Risk Register is a sortable checklist that identifies common strategic IT risks (those risks that, if realized, could impact an institution’s ability to achieve its mission) and catalogues those risks according to common risk types and IT domains. The risk register tool and the member advisory board that created it are part of the EDUCAUSE IT Governance, Risk, and Compliance program.

* The Information Security Guide chapter on Risk Management includes more information about qualitative and quantitative methodologies.

Also of interest:

* Charting Your InfoSec Data Roadmap

* Risk Management Through Security Planning: Lessons from a CIO and CISO

* Understanding IT GRC in Higher Education: IT Risk