that it is just too expensive to have a spare plant as a way of treating the risk and opt to
accept the risk of the plant being rendered non-operational due to a disaster.
IT Risk Register
An enterprise will normally have a risk register which is used to record all risks identified
in the enterprise. Each identified risk would include information such as risk rating, probability,
threats, vulnerabilities, impact, risk treatment, and risk owners. Many professional
organisations such as the Project Management Institute and Prince2 Foundation provide
recommendations as to what should be contained in the risk register. Enterprises are free to
decide the content of their risk register depending on their risk exposure.
There are many software tools available which can be used for developing and maintaining
risk registers. Use of software tools provides an easy way of managing and accessing risk
information by all stakeholders. A risk register software tool can be deployed on the
enterprise network platform for easy access by management, the risk management team, internal
auditors, and other external providers of assurance services. Using risk register software,
it is easy to monitor IT risk and to track the risk activities of the various users and risk specialists,
such as changes to IT systems or non-compliance with risk procedures.
A risk register will include a clear description of identified risks, linked to risk procedures.
A link to risk procedures is helpful as it indicates what processes that particular
risk is related to. It is possible that the enterprise might link business processes to various
identified risk procedures and identified risks. A risk register should be updated often as
activities take place in the enterprise. It is recommended that a risk function or specialist
takes responsibility for updating the register, as risks change continually through interactions
with the business environment.
The risk register should have a risk rating for each risk. The rating can be high, moderate,
or low. Ratings will inform management or other users of this information on how to handle
the risk. It is particularly important information when determining how to treat risk.
Criticality of IT assets is also an important piece of information when identifying and
treating risks. Critical IT assets are high-value assets to the enterprise and are likely to have
a high risk rating.
The probability of a risk occurring should be identified and included on the risk register
so that the enterprise can plan how to respond to such events. Where the risk is low, the
enterprise can decide to accept the risk.
Potential threats also need to be identified and included on the risk register. Where there are
risks but no threats, it is likely that the enterprise might choose to accept the risk. Potential
threats normally take advantage of vulnerabilities which exist in the systems.