ICT Risk Management
Risk is an uncertain event.
Risk Management is a means of dealing with uncertainty by identifying the sources of uncertainty and the risks associated with the use, ownership, operation, involvement, influence and adoption of ICT in an enterprise.
Risk Management involves the following:
I. Identifying the possible risk.
II. Risk Evaluation or analysis.
III. Risk Mitigation/Resolution.
6.0 RISK IDENTIFICATION
Risk identification means establishing exactly what is at risk by listing all possible risks. The list of potential risks that can affect the organization is endless, and there is never a guarantee that one will be able to capture every possible risk.
6.1 RISK ANALYSIS/EVALUATION
The output of the identification process should be a list of the key factors that could affect the success of the organization.
The objective of analyzing the risks is to estimate their potential impact and probability. Risk evaluation prioritizes the identified risks by their likelihood and by the potential impact if the event happens.
After the potential risks have been identified, the project team then evaluates the risk based on the probability that the risk event will occur and the potential loss associated with the event. Not all risks are equal. Some risk events are more likely to happen than others and the cost of a risk event can vary greatly.
6.2 RISK MITIGATION
This involves the organization taking concrete action against risk.
Most common methods of risk mitigation:
i. Risk Acceptance/Tolerance - Accept the potential risk, continue operating with no controls, and absorb any damage that occurs.
ii. Risk Limitation - Limit the risk by implementing controls that minimize the impact of a threat. Some companies reduce risk by forbidding key executives or technology experts from travelling on the same airplane.
iii. Risk Transference - Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
iv. Risk Treatment - Treat the risk by taking corrective actions to reduce the probability or impact of the risk.
Contingency planning is the development of alternative plans to respond to the occurrence of a risk event.
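The evaluation step in 6.1 (likelihood and impact of each risk) and the mitigation options in 6.2 can be made concrete with a small risk register. The following is an added example, not code from the original notes: it scores each risk as probability times loss, ranks the register by that score, and then picks accept, limit or transfer. The register entries, the yearly figures and the decision rule (accept below a tolerance, limit when the control saves more than it costs, otherwise transfer) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """One entry of a risk register (all figures are constructed sample values)."""
    name: str
    probability: float                   # likelihood the event occurs in a year (0..1)
    loss: float                          # estimated loss per occurrence
    control_cost: float = 0.0            # yearly cost of a candidate limiting control, if any
    controlled_probability: Optional[float] = None  # likelihood once that control is in place

    def expected_loss(self) -> float:
        """Likelihood times impact: the quantity risks are ranked by (Section 6.1)."""
        return self.probability * self.loss

    def residual_loss(self) -> float:
        """Expected loss that remains after the candidate control is applied."""
        if self.controlled_probability is None:
            return self.expected_loss()
        return self.controlled_probability * self.loss


# Constructed sample register; none of these figures come from the notes.
REGISTER: List[Risk] = [
    Risk("Ransomware on file server", 0.20, 250_000, control_cost=30_000, controlled_probability=0.05),
    Risk("Laptop theft", 0.50, 5_000, control_cost=2_000, controlled_probability=0.10),
    Risk("Data-centre flood", 0.01, 2_000_000, control_cost=80_000, controlled_probability=0.002),
    Risk("Printer outage", 0.80, 500),   # no control considered
]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order the register so the largest expected loss comes first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def recommend(risk: Risk, tolerance: float) -> str:
    """Assumed decision rule mapping a risk to one of the 6.2 options.

    accept   - expected loss is within what the organization tolerates
    limit    - a control exists and saves more expected loss than it costs
    transfer - otherwise, e.g. insure against the loss
    """
    if risk.expected_loss() <= tolerance:
        return "accept"
    saving = risk.expected_loss() - risk.residual_loss()
    if risk.controlled_probability is not None and saving > risk.control_cost:
        return "limit"
    return "transfer"


def plan(register: List[Risk], tolerance: float) -> List[Tuple[str, float, str]]:
    """Ranked (name, expected loss, recommended action) rows for a register."""
    return [(r.name, round(r.expected_loss(), 2), recommend(r, tolerance))
            for r in prioritize(register)]


if __name__ == "__main__":
    for name, loss, action in plan(REGISTER, tolerance=5_000):
        print(f"{loss:>10,.2f}  {action:<8}  {name}")
```

The ranking alone shows why not all risks are equal: the flood is far less likely than the printer outage but its expected loss is fifty times larger. The control comparison is what separates limitation from transference here; the same approach extends to the "treat" option by modelling a control that reduces the loss figure instead of the probability.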
6.3 BUSINESS CONTINUITY PLAN (BCP)
Business Continuity Planning is best described as the processes and procedures that are carried out by an organization to ensure that essential business functions continue to operate during and after disaster.
This enables an organization to protect its mission-critical services and gives it the best chance of survival.
This type of planning enables the organization to re-establish services to a fully functional level as quickly and smoothly as possible. It generally covers most of an organization's critical business processes and operations.
6.3.0 BUSINESS CONTINUITY PLANNING DEVELOPMENT STEPS
1. Risk Assessments
This involves identifying the most likely events that could have an impact on an organization. When conducting risk assessments, care needs to be taken to ensure that as many scenarios as possible are considered. It is almost impossible to identify all possible risks that may threaten an organization.
2. Business Impact Analysis
The Business Impact Analysis identifies the critical processes and highlights the order in which recovery needs to be prioritized. The Business Impact Analysis (BIA) process identifies the key business functions, the financial exposures and the preferred timeframes in which services need to be re-established.
3. Developing the recovery strategy
The recovery strategy is developed once the risks, likely costs and critical business functions have been identified. The strategies developed must be realistic and achievable for the organization.
4. Documenting the plan.
Once the recovery steps are identified, the plan can then be developed and documented.
A Business Continuity Plan (BCP) is a special type of document that needs to be concise and provide clear definitions of the actions that need to be taken.
5. Testing the plan
This involves evaluating the plan to ensure that it is practical, meets the strategy criteria and can be easily followed by staff.
6. Maintaining the plan
A recovery plan is a living document; therefore, the plan must also be kept up to date, i.e. it must be maintained to reflect any changes that arise in the workplace. These changes would include new systems or business processes that have been implemented since the plan was originally developed, and any organizational or business re-engineering changes that may have altered the way the organization conducts business.