Do you enjoy being a risk manager?

Risk management

Risk management - that sounds important, but what does this term actually mean? We clarify and explain everything you need to know about risk management in the following.

Definition of risk management: what is risk management?

Would you like a short definition of risk management? Here it is: risk management identifies, recognizes, monitors and evaluates the risks that exist for IT throughout its entire life cycle. But that is only the first step; in the second step, risk management counteracts these risks with appropriate emergency plans and effective measures. The implementation of all these measures is then referred to as the risk management process.

IT risk management process must become part of the company's goals

IT risk management must be part of the company's goals and implemented as a holistic risk management process. This means that risk management must be driven by management at the operational level. At the same time, additional committees and responsible persons are set up to monitor the IT risk management measures and thus take on the strategic work. Risk managers must therefore be active on both levels, and all necessary measures must be organized as one holistic risk management system.

Risk Management Objectives - Definition

There is no question that many corporate processes are based on functioning IT these days. As a result, IT is becoming more and more complex and therefore more and more fragile, so it must be protected. Many IT components are interrelated as entire IT systems, which in turn are essential for maintaining important business processes. If these systems fail, massive damage can result. This is exactly where IT risk management comes in with its primary goal: it identifies risks, assesses their importance and prevents them from occurring.

Important for risk managers to know: What are the risks?

Everything that can happen to IT, and thus to the related business processes, must be included here. Many risks today arise from the Internet and from the fact that so much already takes place exclusively in digital form. Hacker attacks, for example, are a real danger and are associated with espionage, data theft, data loss and misuse. Hardware failure and software errors must also be considered serious risks.

Risk management process

Numerous scenarios for possible damage are therefore conceivable. At this point in the risk management process, measures are developed that avoid such damage scenarios by recognizing and controlling risks in advance. It is important to include every IT element from minute one, as soon as it is integrated into the company process and provides a service. As soon as an IT element is implemented, its risk management begins, and it continues as long as this element is in operation, until it is finally "deactivated" and decommissioned.

The risk management system also applies to the level of physical security

The aspect of physical security should not be neglected as part of IT risk management. Unauthorized access as well as external threats such as fire and the like also represent a risk for IT systems. In order to counter this risk, IT components must first be housed in a suitable location, and this means a "safe place" in the truest sense of the word, because in this way the risk of unauthorized access can be counteracted. In addition, cryptographic IT security procedures (encryption) can then be used, for example.

There are also risks for physical IT security, which are also assessed as part of IT risk management.

Risk management - Internet hazard

The Internet is a major, comparatively new source of danger, for example due to the threat of computer viruses and the like, as well as potential attacks from outside. Hacker attacks always pose a major threat to IT systems because they carry the risk of data theft, manipulation and misuse. That is why holistic risk management naturally also starts here: risks in this area are contained and their potential negative effects limited. Optimal IT risk management has emergency measures and plans tailored to the relevant risk areas in case of an emergency.

Risk Management Steps

The risk management process can be implemented in the following steps, for example:

  • Identify / recognize IT risk areas: Which systems are threatened? In this step, sensitive IT systems are identified and then the question is answered: How important are these systems?
  • Name risks: What can happen to these systems? What are their risks? Now it is determined as exactly as possible what can "happen" to each of these systems.
  • Risk analysis and assessment: All identified risks are then assessed (according to their probability of occurrence, effects, etc.); this can be done, for example, with the help of a multi-level matrix:
      1.) e.g. from unlikely to likely to very likely
      2.) e.g. from uncritical to acceptable and critical to catastrophic
      * in addition, risks and their effects are assigned to the respective areas concerned (economic, technical, organizational effects and so on)
      * according to the assignment and importance of each individual risk, the budget for the measures to limit the risk (to effectively reduce the probability of occurrence) is also calculated later
  • Risk management: Which measures can minimize the risk? What can be done to control possible consequences in the best possible way? At what budget?
  • Risk monitoring: How are the risks developing? Which new risks are emerging? Reporting and monitoring of the corresponding planning and developments are precisely documented and tracked.
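The multi-level matrix from the assessment step, together with the later budget allocation, can be expressed in code. The following is an added example and not part of the original article; the level names, the scoring rule (probability level times impact level), the rating thresholds and the sample risks are assumptions chosen here for illustration.

```python
# Added example: a risk matrix as sketched in the assessment step above.
# Scoring rule, thresholds and sample data are assumptions, not a standard.
from dataclasses import dataclass

PROBABILITY = {"unlikely": 1, "likely": 2, "very likely": 3}          # axis 1
IMPACT = {"uncritical": 1, "acceptable": 2, "critical": 3, "catastrophic": 4}  # axis 2
AREAS = {"economic", "technical", "organizational"}                   # areas concerned


@dataclass
class Risk:
    system: str        # affected IT system (step 1)
    description: str   # what can "happen" to it (step 2)
    probability: str   # level on the probability axis
    impact: str        # level on the impact axis
    area: str          # area that bears the effects


def score(risk: Risk) -> int:
    """Matrix cell value: probability level x impact level (1..12)."""
    if risk.area not in AREAS:
        raise ValueError(f"unknown area: {risk.area}")
    return PROBABILITY[risk.probability] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Coarse rating derived from the cell value, used for prioritisation."""
    s = score(risk)
    return "high" if s >= 8 else "medium" if s >= 4 else "low"


def prioritize(risks: list[Risk]) -> list[str]:
    """Risk descriptions ordered from most to least urgent."""
    return [r.description for r in sorted(risks, key=score, reverse=True)]


def allocate_budget(risks: list[Risk], total: float, minimum: str = "medium") -> dict[str, float]:
    """Split the budget for limiting measures across risks rated at least
    `minimum`, proportionally to their matrix score (assumed rule)."""
    order = ["low", "medium", "high"]
    eligible = [r for r in risks if order.index(rating(r)) >= order.index(minimum)]
    weight = sum(score(r) for r in eligible)
    if weight == 0:
        return {}
    return {r.description: round(total * score(r) / weight, 2) for r in eligible}


# Constructed sample risks for a fictitious company.
SAMPLE_RISKS = [
    Risk("ERP server", "disk failure, data loss", "likely", "critical", "technical"),
    Risk("mail gateway", "malware via attachment", "very likely", "critical", "technical"),
    Risk("server room", "fire", "unlikely", "catastrophic", "economic"),
    Risk("HR workstation", "unauthorized physical access", "unlikely", "acceptable", "organizational"),
]
```

Running `allocate_budget(SAMPLE_RISKS, 10000.0)` excludes the low-rated workstation risk and gives the mail gateway the largest share, which is the ordering `prioritize` also returns.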

Recognized standards as guidelines for risk management

Best practices are summarized in standards, and these are useful guidelines for developing and implementing successful risk management. Following the standards keeps the implementation at the current state of the art. In addition, endangered IT systems, for which there is a particularly high risk, can be optimized using the guidelines of these standards. In this way, company-relevant and absolutely necessary technical requirements can be met even in an emergency.

Common standards of security and risk management are:

  • IT-GS (IT-Grundschutz, IT baseline protection)
  • ISO / IEC 18028 (IT network security)
  • ISO / IEC 27005 (Information security risk management)
  • ISO / IEC 15816 (Security objects for access control)
  • ISO / IEC 27001 (Information security in organizations)