IT risk management
Introduction to IT security and risk management, and the process you should follow to manage and mitigate technology risks in your business
The more your business relies on IT, the more important it is to identify and control the risks that could affect your IT systems. Threats ranging from equipment failure to malicious attacks by hackers have the potential to disrupt critical business systems or open up access to your confidential data.
This guide explains what IT risk is and the different types of IT risk that can affect you. It outlines how to carry out an IT risk assessment, and how to develop an effective IT risk management process.
It also explains the IT security management standards and policies, and the interconnected role of IT risks and business continuity. Finally, it gives you a simple IT risk management checklist to help you assess and address any technology risks in your business.
What is IT risk?
Introduction to information technology (IT) risk and its potential to damage or devalue your business
Information technology (IT) risk is any threat to your business data, critical systems and business processes. It is the risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an organisation.
IT risks have the potential to damage business value and often come from poor management of processes and events.
Categories of IT risks
IT risk spans a range of business-critical areas, such as:
- security - eg compromised business data due to unauthorised access or use
- availability - eg inability to access your IT systems needed for business operations
- performance - eg reduced productivity due to slow or delayed access to IT systems
- compliance - eg failure to follow laws and regulations (eg data protection)
IT risks vary in range and nature. It's important to be aware of all the different types of IT risk potentially affecting your business.
Potential impact of IT failure in business
For businesses that rely on technology, events or incidents that compromise IT can cause many problems. For example, a security breach can lead to:
- identity fraud and theft
- financial fraud or theft
- damage to reputation
- damage to brand
- damage to your business's physical assets
Failure of IT systems due to downtime or outages can result in other damaging and diverse consequences, such as:
- lost sales and customers
- reduced staff or business productivity
- reduced customer loyalty and satisfaction
- damaged relationship with partners and suppliers
If IT failure affects your ability to comply with laws and regulations, then it could also lead to:
- breach of legal duties
- breach of client confidentiality
- penalties, fines and litigation
- reputational damage
If technology is enabling your connection to customers, suppliers, partners and business information, managing IT risks in your business should always be a core concern.
Understand why IT risk management matters.
The National Cyber Security Centre offers detailed guidance to help organisations make decisions about cyber security risk.
Different types of IT risk
Your IT systems and the information that you hold on them face a wide range of risks. If your business relies on technology for key operations and activities, you need to be aware of the range and nature of those threats.
Types of risks in IT systems
Threats to your IT systems can be external or internal, and deliberate or accidental. Most IT risks affect one or more of the following:
- business or project goals
- service continuity
- bottom line results
- business reputation
Examples of IT risks
Looking at the nature of risks, it is possible to differentiate between:
- Physical threats - resulting from physical access or damage to IT resources such as the servers. These could include theft, damage from fire or flood, or unauthorised access to confidential data by an employee or outsider.
- Electronic threats - aiming to compromise your business information - eg an attacker could gain access to your website, your IT systems could be infected by malware, or you could fall victim to a fraudulent email or website (phishing). These are commonly criminal in nature.
- Technical failures - such as software bugs, a computer crash or the complete failure of a computer component. A technical failure can be catastrophic if, for example, you cannot retrieve data on a failed hard drive and no backup copy is available.
- Infrastructure failures - such as the loss of your internet connection can interrupt your business - eg you could miss an important purchase order.
- Human error - is a major threat - eg someone might accidentally delete important data, or fail to follow security procedures properly.
How to manage IT risks?
Managing various types of IT risks begins with identifying exactly:
- the type of threats affecting your business
- the assets that may be at risk
- the ways of securing your IT systems
IT risk assessment methodology
An effective IT risk assessment will look at risk based on the probability of it occurring, and the cost of impact and recovery
IT risk assessment is a process of analysing potential threats and vulnerabilities to your IT systems to establish what loss you might expect to incur if certain events happen. Its objective is to help you achieve optimal security at a reasonable cost.
There are two prevailing methodologies for assessing the different types of IT risk: quantitative and qualitative risk analysis.
Quantitative IT risk assessment
Quantitative assessment measures risk using monetary amounts. It uses mathematical formulas to give you the value of expected losses associated with a particular risk, based on:
- the asset value
- the frequency of risk occurrence
- the probability of associated loss
In an example of server failure, a quantitative assessment would look at:
- the value of the server, or the revenue it generates
- how often the server fails
- the estimated loss incurred each time it fails
From these values, you can work out several key figures:
- single loss expectancy (SLE) - the cost you would incur if the incident occurs once: SLE = asset value x exposure factor, where the exposure factor is the fraction of the asset's value lost in a single incident
- annual rate of occurrence (ARO) - how many times a year you can expect this risk to occur (eg 2 for twice a year, 0.1 for once in ten years)
- annual loss expectancy (ALE) - the total expected cost of the risk over a year: ALE = SLE x ARO
Comparing the ALE of a risk with the annual cost of a control that reduces it tells you whether that control is worth buying.
These monetary results could help you avoid spending too much time and money on reducing negligible risks. For example, if a threat is unlikely to happen or costs little or nothing to remedy, it probably presents low risk to your business.
However, if a threat to your key IT systems is likely to happen, and could be expensive to fix or likely to affect your business adversely, you should consider it high risk.
You may want to use this risk information to carry out a cost/benefit analysis to determine what level of investment would make risk treatment worthwhile.
Keep in mind that quantitative measures of risk are only meaningful when you have good data. You may not always have the necessary historical data to work out probability and cost estimates on IT-related risks, since they can change very quickly.
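The following is an added worked example, not code from the original page: it carries the SLE, ARO and ALE figures through for three constructed risks and compares each against a proposed control, so the cost/benefit test above becomes concrete. The exposure factor form of SLE, the sample values and the control names are assumptions made for this illustration; the monetary units are arbitrary.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, valued in money.

    asset_value:     what the asset is worth (replacement cost, or the revenue it supports)
    exposure_factor: fraction of that value lost in a single incident (0.0 to 1.0)
    aro:             annual rate of occurrence, e.g. 2.0 = twice a year, 0.1 = once a decade
    """
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence (asset value x exposure factor)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed safeguard and the residual risk you expect once it is in place."""
    name: str
    annual_cost: float      # purchase, licence and staff time, spread per year
    aro_after: float        # residual annual rate of occurrence
    exposure_after: float   # residual exposure factor


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    return risk.asset_value * control.exposure_after * control.aro_after


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Cost/benefit test: ALE avoided minus what the control costs each year.

    Positive means the control pays for itself; negative means you would spend
    more on the safeguard than the risk is costing you, so it is a poor buy.
    """
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_by_ale(risks):
    """Highest expected annual loss first: where to spend attention."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample figures for illustration only (not data from the page).
SERVER_FAILURE = Risk("file server hardware failure", asset_value=50_000, exposure_factor=0.10, aro=2.0)
RANSOMWARE = Risk("ransomware on shared drives", asset_value=200_000, exposure_factor=0.50, aro=0.20)
LAPTOP_THEFT = Risk("laptop stolen from office", asset_value=1_500, exposure_factor=1.00, aro=0.50)

# Hypothetical controls; the 'after' figures are estimates you would have to justify.
RAID_AND_SPARE = Control("RAID plus a cold spare", annual_cost=2_000, aro_after=2.0, exposure_after=0.02)
OFFLINE_BACKUPS = Control("offline backups and MFA", annual_cost=6_000, aro_after=0.05, exposure_after=0.10)
CABLE_LOCKS = Control("cable locks for all laptops", annual_cost=300, aro_after=0.40, exposure_after=1.00)

if __name__ == "__main__":
    pairs = [(SERVER_FAILURE, RAID_AND_SPARE), (RANSOMWARE, OFFLINE_BACKUPS), (LAPTOP_THEFT, CABLE_LOCKS)]
    for risk, control in pairs:
        print(f"{risk.name}: SLE={risk.sle():,.0f} ARO={risk.aro} ALE={risk.ale():,.0f}")
        print(f"  with '{control.name}': residual ALE={residual_ale(risk, control):,.0f}, "
              f"net annual benefit={net_annual_benefit(risk, control):,.0f}")
    print("Priority order:", [r.name for r in rank_by_ale([r for r, _ in pairs])])
```

In the sample figures the server and ransomware controls both pay for themselves, while the cable locks cost more per year than the laptop-theft risk they reduce, which is the "negligible risk" case the text warns about. Remember that every number fed in is an estimate, so treat a small positive benefit as "probably worthwhile" rather than as proof.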
Qualitative IT risk assessment
Qualitative risk assessment is judgement-based. It relies on expert opinion to categorise risks by probability and impact, and uses a rating scale to describe the risks as:
- low - unlikely to occur or impact your business
- medium - possible to occur and impact
- high - likely to occur and impact your business significantly
For example, you might classify as 'high probability' something that you expect to happen several times a year. You do the same for cost/impact in whatever terms seem useful, for example:
- low - would lose up to half an hour of production
- medium - would cause complete shutdown for at least three days
- high - would cause irrevocable loss to the business
With your ratings determined, you can then create a risk assessment matrix to help you categorise the risk level for each risk event. This can, ultimately, help you decide which risks to mitigate using controls, and which to accept or transfer.
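The following is an added example, not code from the original page: it builds the risk assessment matrix described above as a small risk register, bands each likelihood/impact pair into low, medium or high, and suggests a treatment (mitigate, accept or transfer) for each. The frequency thresholds, the banding of the 3x3 matrix, the treatment rules and the sample register entries are all assumptions made for this illustration; in particular, the rule that a 'high' impact risk is never simply accepted, however unlikely, is a practitioner convention rather than something the page states.

```python
from dataclasses import dataclass

# Rating scales used on the page: low / medium / high for both likelihood and impact.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def likelihood_from_frequency(times_per_year: float) -> str:
    """Translate an estimated frequency into the page's likelihood bands.

    Thresholds are an assumption for this example: 'high' is something you
    expect at least once a year, 'medium' roughly once a decade or more,
    otherwise 'low'. Pick bands that match your own organisation and keep them
    fixed, so that two assessors rating the same threat land in the same cell.
    """
    if times_per_year >= 1.0:
        return "high"
    if times_per_year >= 0.1:
        return "medium"
    return "low"


def risk_level(likelihood: str, impact: str) -> str:
    """3x3 matrix: likelihood score x impact score, banded into low/medium/high."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:      # high/medium, medium/high, high/high
        return "high"
    if score >= 3:      # low/high, high/low, medium/medium
        return "medium"
    return "low"        # low/low, low/medium, medium/low


def treatment(likelihood: str, impact: str) -> str:
    """Suggested treatment for a cell in the matrix.

    The override for 'high' impact is deliberate: an event that would cause
    irrecoverable loss is never just accepted, however unlikely, because a
    single occurrence can end the business. Such risks get insurance
    (transfer) or a continuity plan even when the matrix scores them 'medium'.
    """
    level = risk_level(likelihood, impact)
    if level == "high":
        return "mitigate"
    if impact == "high":
        return "transfer or contingency plan"
    if level == "medium":
        return "mitigate if cost-effective, otherwise transfer"
    return "accept"


@dataclass(frozen=True)
class RegisterEntry:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def build_register(entries):
    """Order entries highest risk first; ties broken by impact (worst first), then name."""
    return sorted(entries, key=lambda e: (-e.score, -IMPACT[e.impact], e.name))


# Constructed sample register for illustration only (not data from the page).
SAMPLE = [
    RegisterEntry("phishing email reaches staff", likelihood_from_frequency(12), "medium"),
    RegisterEntry("office fire destroys server room", likelihood_from_frequency(0.01), "high"),
    RegisterEntry("internet connection outage", likelihood_from_frequency(3), "low"),
    RegisterEntry("accidental deletion of a shared folder", likelihood_from_frequency(0.5), "medium"),
]

if __name__ == "__main__":
    for e in build_register(SAMPLE):
        print(f"{e.level:6} {e.name:40} L={e.likelihood:6} I={e.impact:6} "
              f"-> {treatment(e.likelihood, e.impact)}")
```

Note how the fire scenario scores only 'medium' on the matrix because it is rare, yet the treatment rule still routes it to insurance or a continuity plan: a pure score ordering would otherwise bury the one event that could close the business below a routine connection outage.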
Read more about the different ways to evaluate business risks.
Use different types of information in IT risk assessments
Often, it may be best to use a mixed approach to IT risk assessments, combining elements of both quantitative and qualitative analysis.
You can use the quantitative data to assess the value of assets and loss expectancy, but also involve people in your business to gain their expert insight. This may take time and effort, but it can also result in a greater understanding of the risks and better data than each method would provide alone.
The National Cyber Security Centre (NCSC) recommends using different types of risk information in IT risk assessments. Drawing on a variety of information sources may reveal risks that would otherwise be missed.
IT risk management process
In business, IT risk management entails a process of identifying, monitoring and managing potential information security or technology risks with the goal of mitigating or minimising their negative impact.
Examples of potential IT risks include security breaches, data loss or theft, cyber attacks, system failures and natural disasters. Anything that could affect the confidentiality, integrity and availability of your systems and assets could be considered an IT risk.
Steps in the IT risk management process
To manage IT risks effectively, follow these six steps in your risk management process:
- Identify risks - determine the nature of risks and how they relate to your business. Take a look at the different types of IT risk.
- Assess risks - determine how serious each risk is to your business and prioritise them. Carry out an IT risk assessment.
- Mitigate risks - put in place preventive measures to reduce the likelihood of the risk occurring and limit its impact. Find solutions in our IT risk management checklist.
- Develop incident response - set out plans for managing a problem and recovering your operations. Form your IT incident response and recovery strategy.
- Develop contingency plans - ensure that your business can continue to run after an incident or a crisis. Read about IT risk and business continuity.
- Review processes and procedures - continue to assess threats and manage new risks.
Read more about the processes and strategies to manage business risk.
IT risk controls
As part of your risk management, try to reduce the likelihood of risks affecting your business in the first place. Put in place measures to protect your systems and data from all known threats.
For example, you should:
- Review the information you hold and share. Make sure that you comply with data protection legislation, and think about what needs to be on public or shared systems. Where possible, remove sensitive information.
- Install and maintain security controls, such as firewalls, anti-virus software and processes that help prevent intrusion. See how to protect your business online.
- Implement security policies and procedures such as internet and email usage policies, and train staff. Follow best practice in cyber security for business.
- Use a third-party IT provider if you lack in-house skills. They can often provide their own security expertise, but you remain responsible for the risk, so agree in writing what they will do. See how to choose an IT supplier for your business.
Read more about the security measures in the National Cyber Security Centre's 10 steps to cyber security guidance.
Mitigate IT risks
If you can't remove or reduce risks to an acceptable level, you may be able to take action to lessen the impact of potential incidents. You should consider:
- setting procedures for detecting problems (eg malware infecting your systems) - read about cyber security breach detection
- getting insurance against the costs of security breaches - see cyber insurance
See also IT risk management policies.
ISO 27001 IT security management standard
ISO/IEC 27001 is an international standard that describes best practice for information security management systems (ISMS). It belongs to the ISO/IEC 27000 family of standards, all of which aim to help keep your business's information assets secure.
ISO 27001 controls
The standard specifies, in its Annex A, controls that are key to maintaining security. The grouping below reflects an earlier edition of the standard; the 2022 revision reorganises Annex A into four themes (organisational, people, physical and technological), but the topics covered are broadly the same. These cover (amongst other things):
- security policy - what an information security policy is, what it should cover and why your business should have one
- organisational security - how you should manage information security in a business
- asset classification and control - eg how to audit and manage information itself, computers, software and services
- staff security - eg training, responsibilities, vetting procedures, and response to incidents
- physical and environmental security - eg keeping key locations secure as well as physical control of access to information and equipment
- communications and operations management - secure operation of information processing facilities during day-to-day activities, especially computer networks
- access control - right to use information and systems based on business and security needs, specifically controlling who can do what with your information resources
- system development and maintenance - if you develop your own software, you will need to consider its design and maintenance to keep it secure and maintain information integrity
- business continuity management - ie the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor local issues
- compliance - with relevant national and international laws
Like other ISO management system standards, you can certify your business to ISO/IEC 27001, but certification isn't mandatory.
You may choose to implement the standard in order to benefit from the best practice it contains, or you may wish to certify to reassure customers and clients that you follow information security management systems best practice.
See more on standards for best business practice.
IT risk management policy
IT policies and procedures set out how your business manages IT risks and why that matters. You can have them as part of your risk management plans or business continuity strategy.
You should make them available to your staff and suppliers to help them understand:
- the risks to your IT systems and data
- procedures that are in place to mitigate them
- processes for handling common tasks
- managing changes to IT systems
- ways to respond to IT or data security incidents
- acceptable behaviours in relation to key IT issues, such as data protection and safe email use
You should develop a clear policy that takes account of common risks to your data. If you have yet to establish what the risks to your business are, see IT risk assessment.
What should an IT risk management policy contain?
It should, at the very least, specify security procedures and standards that will apply in your business, as well as any staff policies you wish to enforce.
IT security procedures
Technical controls, such as systems that limit access to sensitive data or installation of software, are an important part of most IT security systems. You will need policies and procedures to ensure that these controls are effective. See more on common cyber security measures and read about cyber security for business.
IT security standards
Standards are important when developing a secure IT environment. For example, agreed standards for the procurement of PCs, servers and firewalls will help to provide consistency. Find out more about ISO 27001 IT security management standard.
IT staff policies
You will also need policies to manage activities that could pose security threats. Consider putting in place an internet usage policy and an email usage policy to protect your systems. You can find examples of these documents in sample IT policies, disclaimers and notices.
IT incident response and recovery
Incident response is how you manage the aftermath of an IT security breach or failure. It is vital to have a response plan in place before an incident occurs, so that you can:
- limit the damage caused by the event
- reduce recovery time and costs for your business
What is an IT incident response plan?
An IT incident response plan is a set of written instructions that can help you respond to a number of potential scenarios, such as:
- data breaches
- denial of service attacks
- network intrusion
- virus or malware infection
- insider threats
- damage to equipment or premises
- loss of power or other technology failures
Your incident response plan should identify key people who will act in case of an incident and describe their roles and responsibilities. It should also say who is responsible for testing the plan and putting it into action.
Your business' incident response plans should be based on thorough and comprehensive IT risk assessments.
See an example of a minimal Denial of Service attack response plan.
IT incident management process
The process of managing an IT incident typically consists of six steps:
- Prepare staff and managers so they know how to handle potential incidents should they arise
- Identify whether an event is an IT failure or a security incident
- Contain the incident to prevent further damage to systems and equipment
- Find the cause of the incident and eradicate it from the affected systems (eg remove malware, close the weakness that was exploited)
- Recover those systems once the threat has been removed
- Document and analyse the incident to update, change or improve procedures
An IT incident can be isolated to one or more IT components of your business or it can be a part of a wider crisis (eg fire, flood or natural disaster). If a wider emergency occurs such as fire, the safety of staff and public are your first priority. You should include emergency response plans in your incident response strategy.
Read more about business continuity and crisis management.
IT incident recovery planning
How you respond to IT incidents will determine how well your business recovers from them. Planning can help you shorten recovery times and minimise losses.
A recovery plan could include your recovery time objectives (how quickly each system must be back in service), as well as:
- strategies to recover your business activities in the quickest possible time
- a description of key resources, equipment and staff needed to recover your operations
It's essential to plan thoroughly to protect yourself from the impact of potential business crises brought on by IT failure or security breach.
To help you prepare for and plan your response to a cyber incident, see the National Cyber Security Centre's (NCSC) small business guide to response and recovery.
You can also test and practise your response to a cyber attack with the help of the NCSC's Exercise in a Box online training tool.
IT risk and business continuity
Business continuity planning is an essential part of managing IT risks. Planning can help you set out steps to minimise the potential impact of a business disaster - be it an equipment failure, a cyber attack or a simple power outage.
You may also need a business continuity plan to:
- reassure customers that you take risk and security issues seriously
- show effective risk management to insurers, helping to lower premiums
- meet regulatory requirements in certain industries, eg financial services
How to write a business continuity plan?
Your plan should take into account any disruptive events that could affect:
- your people
- IT systems and networks
- services such as power and telecommunications
- critical business processes
The plan should identify how you will know when to put the plan into action, what steps to take and what individuals' responsibilities are.
Measures that you may need to include in your business continuity plan are:
- a backup and data recovery strategy, including off-site storage
- the development of a resilient IT infrastructure with spare capacity in case of failure - eg mirrored servers at separate sites
- the elimination of single points of failure, such as a single power supply or a single internet connection
- secondary manual systems to use until you are able to restore IT services
- agreeing with another business to use each other's premises in the event of a disaster
- arranging to use third-party IT services and accommodation until yours are restored
Keep your plan clear and concise, so that people understand it. It is essential that everyone is aware of their responsibilities.
Remember to test your business continuity plan periodically. Review and update the plan as necessary - eg when people leave the business or you start using new IT systems.
See more on business continuity and crisis management.
IT risk management checklist
Risk management can be relatively simple if you follow some basic principles. To manage the IT risks to your business effectively, make sure that you do the following:
- Think about IT security from the start when you plan or update an IT system. Discuss your needs and potential problems with the system users.
- Actively look for IT risks that could affect your business. Identify their likelihood, costs and impact. Carry out a comprehensive IT risk assessment.
- Think about the opportunity, capability and motivation behind potential attacks. Understand the reasons for cyber attack.
- Assess the seriousness of each IT risk and focus on those that are most significant.
- Understand the relevant laws, regulations and industry guidelines, especially if you have to comply with the General Data Protection Regulation (GDPR).
- Securely configure your PCs, servers, firewalls and other technical elements of the system, and keep software and firmware patched and up to date. Put in place other common cyber security measures and read about securing your wireless network.
- Do not rely on a single technical control (eg a password alone). Use two-factor authentication to strengthen proof of user identity - eg something you have (such as an authenticator app, hardware token or ID card) combined with something you know (a PIN or password).
- Develop backup and data recovery processes. Consider daily backups to an offsite location, and regularly test that you can restore from them; a backup you have never restored may not work when you need it.
- Support technical controls with appropriate policies, procedures and training. Understand the most common insider threats in cyber security.
- Make sure that you have a business continuity plan. This should cover any serious IT risk that you cannot fully control. Regularly review and update your plan. Read about IT risk and business continuity.
- Establish effective IT incident response and recovery measures, as well as a system for recording and managing incidents. Simulate incidents to test and improve your incident planning, response and recovery.
- Develop and follow specific IT policies and procedures, such as on email and internet use, and make sure your staff know what falls under acceptable use. See sample IT policies, disclaimers and notices.
- Consider certification to the IT security management standards for your business and your trading partners.
If you want to look at risks beyond IT, see how to manage business risks.