
How can IT risk assessments best involve employees?

When conducting an IT risk assessment, are you asking your staff the right questions? Are you talking to the right people? Both matter for disaster recovery.

When performing IT risk assessments, be sure to identify both internal and external risks, threats and vulnerabilities.

Clearly, you will want to interview subject matter experts in IT, but you should also identify interview candidates from other departments.

Assuming you have completed a business impact analysis, you probably know who can serve as subject matter experts (SMEs) from IT and other departments. Before scheduling any interviews, prepare a proposal and project plan for the IT risk assessment and review it with management. Obtain the necessary authorizations and funding, and keep management informed of the risk assessment's progress.

If you don't have a list of SMEs, work with human resources to identify potential candidates. Remember that SMEs from other departments are regular users of IT systems, and they can offer valuable insights from their own perspectives. Formulate questions that will help elicit their views on internal and external risks, threats and vulnerabilities. Before starting each interview, give a brief summary of why the IT risk assessment is needed.

Use the same approach with IT staff, who will be able to focus more on specific technologies and their associated risks. Try to schedule half-hour interviews with department SMEs and one-hour interviews with IT. The shorter slot minimizes the interruption to department SMEs, while the longer interview with IT should be sufficient to gather the risk data you need.

Here is a list of suggested user interview questions for IT risk assessments:

  • How well have your IT systems performed for you?
  • What problems have you experienced with these systems, if any?
  • If you had problems, what kind of impact, such as loss of productivity, occurred?
  • What internal risks, such as loss of power, could affect the performance of those systems?
  • What external risks, such as loss of internet access, could affect the performance of those systems?
  • What natural threats, such as severe weather or flooding, could affect your systems?
  • What vulnerabilities, such as a security breach, could affect your systems?
  • What else could negatively affect your use of your critical systems?

The above questions can be adapted for IT SME interviews, where the focus shifts to specific technologies and their associated risks.

Conducting IT risk assessments is an essential part of the disaster recovery process. While it's important to interview SMEs from IT, be sure to also interview SMEs from other departments, as they can provide insights on the user side, which are just as important as those on the technical side.
