When performing IT risk assessments, be sure to identify both internal and external risks, threats and vulnerabilities....
Clearly, you will want to interview subject matter experts in IT, but also identify interview candidates from other departments.
Assuming you have completed a business impact analysis, you probably know who can serve as subject matter experts (SMEs) from IT and other departments. Before scheduling any interviews, prepare a proposal and project plan for the IT risk assessment and review it with management. Obtain the necessary authorizations and funding, and keep management informed of the risk assessment's progress.
If you don't have a list of SMEs, work with human resources to identify potential candidates. Remember that SMEs from other departments are regular users of IT systems, and they can offer valuable insights from their unique perspectives. Formulate questions that will help elicit their views on internal and external risks, threats and vulnerabilities. Provide a brief summary on the need for IT risk assessments before starting the interview.
Use the same approach with IT staff, as they will be able to focus more on specific technologies and their associated risks. Try to schedule half-hour interviews with department SMEs and one-hour interviews with IT. This will minimize the interruption to department SMEs. The longer interview time for IT should be sufficient to gather the risk data you need.
Here is a list of suggested user interview questions for IT risk assessments:
- How well have your IT systems performed for you?
- What problems have you experienced with these systems, if any?
- If you had problems, what kind of impact, such as loss of productivity, occurred?
- What internal risks, such as loss of power, could affect the performance of those systems?
- What external risks, such as loss of internet access, could affect the performance of those systems?
- What natural threats, such as severe weather or flooding, could affect your systems?
- What vulnerabilities, such as a security breach, could affect your systems?
- What else could negatively affect your use of your critical systems?
The above questions can be modified for IT SME interviews.
Conducting IT risk assessments is an essential part of the disaster recovery process. While it's important to interview SMEs from IT, be sure to also interview SMEs from other departments, as they can provide insights on the user side, which are just as important as those on the technical side.
How risk assessments and business impact analyses work together
Key risk questions to ask if you're tight on time
Risk assessments are just part of BC/DR planning
Dig Deeper on Disaster recovery planning - management
Related Q&A from Paul Kirvan
From mainframes to the cloud, the business continuity profession has seen a lot over the decades. How did we get to the business continuity process ...continue reading
Has your organization created a disaster recovery plan and left it on the shelf? You're not alone. Explore what you can do to improve your plan's ...continue reading
As the desired recovery time objective continues to decrease, make sure your organization can handle it with the proper technology, employees and ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.