IT Risk Exploration

The IT Risk Management Taxonomy and Evolution

The measurement of risk, evaluation of options, and planning and execution of actions to manage threats to business are crucial to success. Risk management is a broad discipline and certain facets of risk must be defined when discussing the process of managing risk. One of the most difficult and frustrating challenges when professionals get in the room to talk about risk is defining what is actually meant by the word “risk.” Risks come in all shapes and sizes. Thus, there are as many definitions of risk, or at least interpretations of risk, as there are risk management professionals.

In the world of IT, risk management also takes on many different faces. The difficulty of IT risk management lies not only in the broad universe of risks inherent in business processes and their related technologies, but also in the risks of managing a critical part of the business: information technology. IT risk management has undergone an evolution that continues today. This progression of IT risk management maturity began with the security focus of the early era and today manifests in complex, global risk programs that target not only IT risks, but also the plethora of regulatory and industry requirements facing organizations.

Looking at these two topics—IT risk types and the IT risk evolution—gives some insight into where organizations need to focus to stay ahead of the game. IT risk management can bring real value to the organization and should be the method to ensure regulatory compliance. Those organizations that can create an operational IT risk management program that is woven into the IT organization are the organizations that will benefit from their efforts, rather than simply absorbing the continually increasing costs associated with technology evolution and regulatory compliance.

IT Risk Taxonomy

It is necessary to define some type of taxonomy to address the varied types of risks facing IT organizations today. Identifying any risk in the IT world always requires connecting the risk to IT services or technologies and connecting the risk to the business and the bottom line.

Financial risks are risks that can cost the organization money. These can include:

  • Poor delivery of IT services that slows down money-making processes such as rolling out new business offerings, services or products
  • Inefficient processes that lead to poor allocation of resources, overtime, downtime and general cost issues
  • Project overruns that cost the company time, money or both

Regulatory risks lead to fines and prison. These may include:

  • The recent onslaught of legislative requirements, such as the US Sarbanes-Oxley Act, US Health Insurance Portability and Accountability Act (HIPAA), European Privacy Act, or the Payment Card Industry (PCI) Data Security Standard (DSS)
  • Industry regulations that are specific to an industry, such as those from the North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), Securities and Exchange Commission (SEC) or many other industry watchdog organizations

Business risks include risks that generally hinder the company’s overall success. Some examples include:

  • Technology failures that cause business offerings to flounder
  • Failure to deliver products or services due to instability in the IT environment

Reputation risks cause harm to company prestige or influence. These include:

  • Scandals and public relations issues such as product recalls or executive misbehavior
  • Business failures such as failed mergers or acquisitions
  • Poor standing with business partners that leads to business delivery issues

Strategic risks in the IT world are the failure of IT to meet business commitments. Poor planning, leadership and a variety of other issues can cause these types of risks.

Security risks are risks that can cause harm to company resources. Typically, many of these risks cascade into other risks and create financial, regulatory, business, reputation or strategic risks. This is the world of hackers, thieves and spies and is couched in terms of confidentiality, availability and integrity of information.

Whether starting from the top, with the executive level (business risks), or at the bottom, with detailed IT administrative risks, some taxonomy of risk is necessary to ensure the same level of risk is being discussed. The following is an exploration of the different IT risks facing companies and a method to categorize the risks so that the discussion can focus at the right level and the response can be appropriate. Risks can be summarized in four types of IT risks: microscopic, micro, macro and mega. This simple taxonomy can be used to illustrate the many types of risks and can put a structure around the IT risk management discussion.

Figure 1 illustrates this concept, starting with low-level, discrete IT risks at the bottom and ascending to high-level executive risks at the top.

Figure 1

Microscopic risks are at the bottom. These are individual vulnerabilities that are the root cause of many larger risks. A vulnerable network port listening on one server is a microscopic risk. An employee who has not completed and understood IT awareness training is a microscopic risk. Microscopic does not mean insignificant. The Ebola virus is microscopic yet far from inconsequential. Microscopic in this case means “curable with a single action.” The remedy is very focused. Microscopic risks are addressed by concentrating on the root cause—system configuration, employee training or business process design—and defining necessary controls.

Micro risks are a combination of microscopic risks that result in a broader area of risk. For example, the microscopic risks of various network vulnerabilities result in an increased risk of network failure. Multiple poorly trained personnel can increase the risk of viruses or worms within the environment. A combination of poor project management and lack of oversight can lead to project failure. Micro risks are typically localized within a particular portion of the business.

Macro risks are organizationally focused and require the reaction of a major portion of the entity, because they are a combination of micro risks. The approach to manage a macro risk must be undertaken by a specific segment of the organization. For example, as organizations developed complex technology infrastructures, the advent of the broad technical security risks involved with these business changes resulted in the deployment of designated information security departments. Additionally, macro risks impact the organization broadly.

Mega risks are at the top of the risk stack. These risks generally have two main attributes:

  • Requirements are imposed by an external body (business, industry or regulatory body).
  • Even the perception of being susceptible to a mega risk can affect the bottom line, e.g., the perception that the company does not run a secure environment can cause business partners to walk away from potential opportunities.

Using these two criteria to define a mega risk, regulatory compliance and very critical business risks fall into this category. These risks are a combination of macro risks but have the added weight of external pressure and consequences. For instance, one incident of product tampering in the food and beverage industry can ruin the reputation of the company. However, even the perception of unsafe product handling—such as a failure of safety inspections by an external party—can cause a negative impact in that industry regardless of whether there has been an actual incident.

The IT organization’s response to the risk stack has required an approach that is mindful of these various risks as well as the need to continually connect the dots. Ten years ago, identity theft, regulatory risks, business partner risks and other areas of IT risk were just beginning to peek over the horizon. These risk types have developed and coalesced over time and present a serious challenge to IT executives today.

The Evolution

IT risk management has undergone an evolution over the last 15 to 20 years. As technology has matured, the ways and means to manage risk have changed. As business environments have changed, the risks, in turn, have evolved, forcing new requirements for technology.

Figure 2 illustrates the continued push to close the gap between risks and exposures on one side and risk management processes on the other. Risk management practices, by nature, have always been slightly behind the curve when it comes to keeping pace with risks. Risk management is in this way a reactionary process. While progress has been made, the risks or, more appropriately, the threats always seem to get the better of the race. First, let’s review the past to learn for the future.

Figure 2

In figure 2, the wavy line depicts the constantly changing risk profiles of companies. The level of risk, as defined by business and technological requirements, wavers constantly—rising and falling with the business. However, the fundamental equation underlying the risk profile has been consistently on the rise. Hence, the wavy line shows a constant rise, despite the fluctuations.

In response to this constant rise in risk, IT has responded with many activities. Each wave of these activities has pushed toward reducing the gap between the risk and exposure and the controlled business process. However, as depicted, there is a certain point where the approach levels out. In other words, the risks and exposures continue to increase, while the risk management processes begin to fall farther short of managing the gap. This plateau has typically been reached when something in the risk universe has catapulted the risk profiles of companies higher, and the current risk management practices are not targeting the specific new risk.

Each time the risk profile has jumped, IT has had to respond with additional approaches and new practices. These major “bumps” in risk management practices can be categorized into ages: the age of security, the age of audit, the age of controls enlightenment and the age of organic risk management.

These ages also depict a maturity model since most organizations move through each age as the internal risk management process evolves. The first two ages depict the practices that organizations put in place in the late 1990s and early 2000s. The last two ages are near-future and future predictions on the risk management movement.

The age of security (figure 3) built the foundation for modern security programs and focused on microscopic risk, such as protection against viruses and worms, operating system vulnerabilities, and basic end-user awareness.

Figure 3

The age of audit (figure 4) spawned the performance of spot assessments, internal or external audits, and the establishment of recurring operational security assessments. These assessments generally focused on the micro level in the risk taxonomy.

Figure 4

The age of controls enlightenment (figure 5) has birthed more sophisticated IT risk programs and has gelled together security, audit and compliance efforts. Focused on the macro and mega levels of the risk stack, organizations building IT risk management programs are combining efforts to manage micro and microscopic risks into a cohesive business operation.

Figure 5

The age of organic risk management (figure 6) represents the future of IT risk management. This age will be built on comprehensive risk management programs that manage the broad range of IT issues and become part of the overall corporate governance, risk and compliance infrastructure. It will force IT risk professionals to think of risk in a broad sense and to connect controls and risks with flexibility and structure. While it is difficult to foresee all the attributes of the new age, the continuum of IT risk management will push toward meeting the constant flow of risks and exposures with a methodical, efficient program.

Figure 6

Companies are moving through these ages at different paces. While in some cases, the IT market, industry expectations or regulatory requirements have pushed a company into a specific age, most companies have followed this continuum. The need for pushing risk management to the next stage is inherent in the business objectives and strategies of the company.

Conclusion

In response to growing risks, IT risk management has undergone many changes over the last decade or two. From the early days of firewalls and bastion hosts to the current state of IT governance, risk and compliance solutions, the market has continued to fuel technology solutions. The ability to define and communicate the IT risk framework has taken shape in recent years, as many companies look to formalize IT risk management as a discipline that takes on not only regulatory, but true business requirements as well. Objective, repeatable and measurable IT risk management programs in which cost evaluations, asset values and performance metrics are woven together are a target for most companies as they move along the risk management continuum.

Steve Schlarman, CISM, CISSP
is the IT GRC product manager with Archer Technologies. He is a frequently requested speaker at IT GRC and security events and has published many articles on key topics. Prior to joining Archer Technologies, Schlarman was the chief compliance strategist at Brabeion Software, which was acquired by Archer Technologies. Prior to his position at Brabeion, he was a director in the advisory practice of PricewaterhouseCoopers (PwC). Prior to PwC, he had operational roles in information systems at the Missouri (USA) State Highway Patrol and A.G. Edwards.


ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
