Information Technology Security. Advice from Experts

As risk is inherent in everything a business does, risk management must be a part of everyone s job if the business goals are to be fully realized. Threats to the company s goals have to be minimized, at least to the point where the rewards sought as a business outweigh the likely impact of the threats.

In order to assess if risk is being managed properly, ask the following questions:

• Are you familiar with the business processes that support daily work? Do you know the reward associated with those following those processes?

• Do you understand which IT controls (policies, processes, practices/SOPs/standards) are mandated over the work you do? Are you in compliance with these controls? Are these controls fully implemented within your area?

• Are the risks inherent in your projects and in their deliverables identified and managed?

• Do you consciously consider and manage the risks associated with your work and how they may impact your area or other areas in the business?

Confidentiality of Risk Management Documentation

Documentation associated with the risk management process will often contain highly confidential information and must be protected as such. Such documentation may also contain information that has potential legal or regulatory implications for a company. At the outset of each project, and before creating any documentation, consideration should be given to whether the particular project involves such implications and, if so, should involve appropriate personnel from other stakeholders in the organization.