An IT risk assessment is an important part of disaster recovery (DR) and business continuity (BC) planning. Once you've compiled your business impact analysis, your next step is a risk assessment. An IT risk assessment is a document that describes the potential threats your organization faces, whether natural or man-made. Each threat is weighed by its likelihood of occurrence and then multiplied by its effect on the operation. The result is a value you can use to determine the level of protection you need against that threat.
Your risk assessment should include potential damage the events could cause, the amount of time needed to recover/restore operations, and preventive measures or controls that can mitigate the likelihood of the event occurring. The risk assessment will also help you determine what steps, if properly implemented, could reduce the severity of the event.
Putting together an IT risk assessment methodology for your organization can be time-consuming and difficult, especially if you've never done it before. In this risk assessment methodology guide, we've compiled our best resources to help you. Download a free risk assessment template, learn about free risk assessment tools and read about all aspects of risk management in this guide.
RISK ASSESSMENT METHODOLOGY GUIDE: TABLE OF CONTENTS
>> Business risk assessments in IT disaster recovery planning
>> Disaster recovery audits can help minimize risk
>> Free risk management tools
>> Hidden risks in your disaster recovery plan
>> Free risk assessment template
The Disaster Recovery Institute International (DRII) says the purpose of a risk assessment is "to determine events, probabilities and environmental surroundings that can adversely affect the organization and its facilities with disruption and disaster and the controls needed to prevent or minimize the effects of potential loss." In this article, learn what should be included in a risk assessment, how risk assessments apply to disaster recovery sites, and how often you need to review your risk assessment plan. Read the full article on business risk assessments in IT disaster recovery planning.
An IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, procedures, operations and governance. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. IT audits focus on determining the risks that are relevant to information assets, and on assessing the controls that reduce or mitigate those risks. By implementing controls, the impact of risks can be minimized, but controls, no matter how comprehensive, cannot completely eliminate all risk. In this podcast, listen to how disaster recovery audits can help minimize business risks.
A risk management assessment can involve creating decision trees, risk calculators and templates, all of which help develop a fine-tuned plan and give organizations the knowledge they need to better manage IT-related risks. Many free risk assessment tools are available online, but some are more helpful than others. Check out this article from SearchCIOMidmarket, which includes a compilation of risk management tools from the National Institute of Standards and Technology (NIST), iSixSigma, SOA.org and more.
All threats in a disaster recovery plan should be highlighted as part of the risk assessment phase of the plan. The risk assessment should cover all sites, including the disaster recovery site. If the risk assessment is completed correctly, and an objective view of all threats is captured, there should not be any hidden risks in an organization. However, unanticipated threats can still occur: issues that arise during, or as part of, an unforeseen incident. For example, damage to infrastructure (such as road closures) can delay staff reaching your disaster recovery site, which will lengthen the recovery time. Learn how to identify risk in your disaster recovery plan in this expert response by Harvey Betan.
The risk analysis involves risk identification, assessing the likelihood of the event occurring, and defining the severity of the event's consequences. While performing the risk analysis, it is also useful to conduct a vulnerability assessment, which helps identify situations in which the organization is putting itself at increased risk by not performing certain activities. One example is the increased risk of virus attacks from not using the most current antivirus software. Finally, the risk analysis results are summarized in a report to management, with recommended mitigation activities. To help you get started with your risk assessment, download our free risk assessment template.
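The likelihood-times-impact scoring described at the top of this guide, and the risk analysis steps just above, can be carried out as a small risk register. The following is an added example, not code from the guide or from any tool it mentions; the threats, scores, control effectiveness values and tolerance threshold are constructed sample data, and the 1-5 ordinal scales are an assumption.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the register (constructed example fields, not a standard)."""
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (catastrophic)
    recovery_hours: float    # estimated time to restore operations
    control: str = "none"    # preventive control currently in place
    control_effect: float = 0.0  # fraction by which the control cuts likelihood

    def __post_init__(self):
        # Reject scores outside the ordinal scale so a typo cannot hide a risk.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.threat}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effect <= 1.0:
            raise ValueError(f"{self.threat}: control_effect must be 0.0..1.0")


def inherent_score(r: Risk) -> int:
    """Likelihood multiplied by impact, as the guide describes."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    """Score after the preventive control reduces the likelihood."""
    return round(r.likelihood * (1 - r.control_effect) * r.impact, 2)


def rank_register(register, tolerance: float):
    """Order threats by residual score (ties broken by recovery time) and
    flag those still above the organization's tolerance for management."""
    ranked = sorted(register, key=lambda r: (residual_score(r), r.recovery_hours), reverse=True)
    return [(r.threat, inherent_score(r), residual_score(r), residual_score(r) > tolerance)
            for r in ranked]


# Constructed sample register; values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Regional power outage", 4, 4, 8.0, "UPS + generator", 0.5),
    Risk("Ransomware on file servers", 3, 5, 48.0, "Offline backups + patching", 0.4),
    Risk("Flooding of primary data center", 1, 5, 120.0),
    Risk("Road closure delaying staff reaching DR site", 2, 3, 12.0, "Remote failover runbook", 0.5),
]

if __name__ == "__main__":
    for threat, inherent, residual, above in rank_register(SAMPLE_REGISTER, tolerance=6.0):
        print(f"{threat:45} inherent={inherent:2} residual={residual:5} above_tolerance={above}")
```

Items flagged above tolerance are the candidates for the mitigation recommendations in the management report; the inherent score shows what the risk would be if the listed control failed.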
This was first published in November 2010