ICT Risk Management
Our clients tend to think about technical issues when you ask them about ICT risk management. They would mention improvements in firewalls, additional patches, anti-virus protection, configuration management, DNS traffic scrubbing, and investment in new technology as ways to further strengthen the company's ICT security. At the same time, the majority of organisations spend only around 10% of their IT budget on ICT security in this technical sense of the term. And 70% of companies do not quantify their ICT risk exposures to drive investment decisions on digital operational resilience.
Well, practice shows that successful cyber-attacks are not just about bypassing a company's technological defences. Cyber criminals always exploit people, process and technology. They gather information about your assets and vulnerabilities, that is, your weaknesses across people, processes and technology, and then they exploit those weaknesses.
ICT incidents are not only about the technical defences of your ICT infrastructure. They have negative consequences for your business as a whole. You need to have the resources and capabilities to restore operations quickly and efficiently before the incident has affected your clients, shareholders, market share, the wider financial market, and ultimately your bottom line and reputation.
We like our clients to consider ICT risk as a constituent element of their overall business risk. ICT risk management therefore becomes part of your company's overall Risk Management Framework and should be incorporated into your Business Continuity Program. By concentrating on the following elements of ICT risk: technology, process and people controls, and risk transfer, and by working with ICT security consultants, you will be able to pinpoint your vulnerabilities and develop effective management tools for such risks. Such tools need to include not just qualitative assessments, probabilities and technical tests, but also scenarios and formulas that quantify ICT risks so that the impact is understood in monetary terms. If you think about risk in quantitative terms (costs and benefits) and are able to express the level of risk in specific units defined when establishing the context, it becomes much more practicable. However, this level of ICT risk management will require the development of additional capabilities if you do not already have technical or security staff who can perform such computations.
Below is a simple example of how quantitative methods will help your company management with digital operations resilience budget decisions / allocations.
We have the following categories of risk and quantitative computation:

| Risk category | Exposure | Quantitative computation |
|---|---|---|
| Operational | £10m | Proper security controls give 55% risk protection |
| Financial | £25m | Residual ICT risk = £27.5m |
| Regulatory & Legal | £10m | Cost of controls = £50m – £27.5m |
| Reputational | £5m | |
| Total ICT risk | £50m | |
Replace 55% with 8% in the above calculation and see the outcome.
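The calculation above, and the "replace 55% with 8%" exercise, written out as a small Python model. This is an added illustration, not part of the original page: the category exposures and the 55% figure come from the table, while the per-category split assumes the same protection level applies uniformly to every category.

```python
from typing import Dict, Iterable

# Risk exposures taken from the page's example table (GBP millions).
EXPOSURES: Dict[str, float] = {
    "Operational": 10.0,
    "Financial": 25.0,
    "Regulatory & Legal": 10.0,
    "Reputational": 5.0,
}


def total_exposure(exposures: Dict[str, float]) -> float:
    """Sum the per-category exposures into the total ICT risk (the page's GBP 50m)."""
    return round(sum(exposures.values()), 2)


def split_by_protection(exposures: Dict[str, float], protection: float) -> Dict[str, float]:
    """Split the total exposure into the share the controls cover and the share left over.

    `protection` is the fraction of risk the controls are assumed to remove
    (0.55 for the page's "55% risk protection").
    """
    if not 0.0 <= protection <= 1.0:
        raise ValueError("protection must be a fraction between 0 and 1")
    total = total_exposure(exposures)
    covered = round(total * protection, 2)
    return {"total": total, "covered": covered, "remaining": round(total - covered, 2)}


def per_category_remaining(exposures: Dict[str, float], protection: float) -> Dict[str, float]:
    """Exposure left in each category, assuming uniform control effectiveness (an assumption)."""
    if not 0.0 <= protection <= 1.0:
        raise ValueError("protection must be a fraction between 0 and 1")
    return {name: round(value * (1.0 - protection), 2) for name, value in exposures.items()}


def compare_protection_levels(exposures: Dict[str, float], levels: Iterable[float]) -> Dict[float, Dict[str, float]]:
    """Run the same split for several protection levels, e.g. the page's 55% versus 8%."""
    return {level: split_by_protection(exposures, level) for level in levels}


if __name__ == "__main__":
    for level, result in compare_protection_levels(EXPOSURES, [0.55, 0.08]).items():
        print(f"{level:.0%} protection: covered GBP {result['covered']}m, remaining GBP {result['remaining']}m")
```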
Risk management is a complicated matter and you need to find a pragmatic approach to balance complex business needs against regulatory requirements. If you need help, we will be able:
- To identify your ICT risks
- To guide your management in understanding / prioritising ICT risks
- To quantify your ICT risks using various scenarios and models/formulas
- To direct you in building informed ICT Risk Management Strategy, processes and practices
- To optimise your ICT Risk Management Strategy to ensure the best budget decisions and ROI
You can find more details here and contact us to discuss your challenges today.