IT risk management

IT risk management process


In business, IT risk management entails a process of identifying, monitoring and managing potential information security or technology risks with the goal of mitigating or minimising their negative impact.

Examples of potential IT risks include security breaches, data loss or theft, cyber attacks, system failures and natural disasters. Anything that could affect the confidentiality, integrity and availability of your systems and assets could be considered an IT risk.

Steps in the IT risk management process

To manage IT risks effectively, follow these six steps in your risk management process:

1. Identify risks

Determine the nature of risks and how they relate to your business. Take a look at the different types of IT risk.

2. Assess risks

Determine how serious each risk is to your business and prioritise them. Carry out an IT risk assessment.

3. Mitigate risks

Put in place preventive measures to reduce the likelihood of the risk occurring and limit its impact. Find solutions in our IT risk management checklist.

4. Develop an incident response

Set out plans for managing a problem and recovering your operations. Devise and test your IT incident response and recovery strategy.

5. Develop contingency plans

Ensure that your business can continue to run after an incident or a crisis. Read about IT risk and business continuity.

6. Review processes and procedures

Continue to assess threats and manage new risks. Read more about the strategies to manage business risk.

IT risk controls

As part of your risk management, try to reduce the likelihood of risks affecting your business in the first place. Put in place measures to protect your systems and data from all known threats.

For example, you should:

  • Review the information you hold and share. Make sure that you comply with data protection legislation, and think about what needs to be on public or shared systems. Where possible, remove sensitive information.
  • Install and maintain security controls, such as firewalls, anti-virus software and processes that help prevent intrusion and protect your business online.
  • Implement security policies and procedures such as internet and email usage policies, and train staff. 
  • Use a third-party IT provider if you lack in-house skills. Often, they can provide their own security expertise. See how to choose an IT supplier for your business.

If you can't remove or reduce risks to an acceptable level, you may be able to take action to lessen the impact of potential incidents.

Mitigate IT risks

To mitigate IT risks, you should consider:

You can also use the National Cyber Security Centre's (NCSC) free Check your cyber security service to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.

The NCSC also offer a free Cyber Action Plan. By answering a few simple questions, you can get a free personalised action plan that lists what you or your organisation can do right now to protect against cyber attack.