
What is IT Risk Management?

Melissa Stevens | December 15, 2015

This post was updated on January 27, 2020.

IT risk management is defined as the policies, procedures, and technology an organization adopts in order to reduce the threats, vulnerabilities, and consequences that could arise if data is not protected.

In this article, we’ll show you how the classic equation for risk can help you prioritize your IT risk management strategy and recommend best practices for doing so. 

Understanding the IT risk equation

As mentioned in our working definition, IT risk management examines this classic equation for risk:

Threat x Vulnerability x Consequence

Threat is a given in IT risk management, and most organizations assume that their vendors present at least some level of threat.

Vulnerability comprises the gaps in a protection program. Let’s say you have a really sensitive document and you put it in a safe, in a locked building, protected by guards; you would likely feel confident that the document isn’t vulnerable to many threats. Now, if that same document were online on an open network where your organization stores all of its data, it’s easy to see how the safety of the document is compromised. The moral of this story is to understand not only what vulnerabilities exist in your protection program, but also how those vulnerabilities can be exploited. Once you parse this information, you’ll gain a clearer idea of how to address your overall risk.

Consequence represents the harm caused to an organization by a cyberattack. An important element to consider here is the value of the information you’re trying to protect — something which can vary tremendously. For example, intellectual property or pricing information may be valuable to your organization in its own right. But data such as personally identifiable information (PII) can also hold value because of the legal requirements to protect it. When determining risk, it’s important to ask what might happen if that data is compromised.
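To show how the equation turns into a prioritized list, here is a small risk-register calculator. It is an added example, not code from the original post or from its author; the 1-to-5 scoring scale, the register entries and the "control lowers vulnerability" model are constructed assumptions for illustration, and a real program would replace the scores with its own assessments.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # ordinal 1..5 scoring; a constructed convention for this example


@dataclass(frozen=True)
class RiskEntry:
    """One line of a risk register: an asset scored on the three equation factors."""
    asset: str
    threat: int         # 1 = rarely targeted ... 5 = under constant attack
    vulnerability: int  # 1 = well protected ... 5 = openly exposed
    consequence: int    # 1 = minor nuisance ... 5 = severe legal/financial harm

    def __post_init__(self) -> None:
        for name in ("threat", "vulnerability", "consequence"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be within 1..5, got {getattr(self, name)}")

    @property
    def risk(self) -> int:
        # The post's equation: Threat x Vulnerability x Consequence
        return self.threat * self.vulnerability * self.consequence


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest-risk entries first; ties broken by consequence so the costliest loss leads."""
    return sorted(register, key=lambda e: (e.risk, e.consequence), reverse=True)


def apply_control(entry: RiskEntry, reduction: int) -> RiskEntry:
    """Model a technical control (segmentation, MFA, ...) that closes part of the gap.

    Controls lower vulnerability, never below 1: the threat and the data's value remain."""
    return replace(entry, vulnerability=max(1, entry.vulnerability - reduction))


def ranking(register: list[RiskEntry]) -> list[tuple[str, int]]:
    """Asset names paired with their risk score, in priority order."""
    return [(e.asset, e.risk) for e in prioritize(register)]


# Constructed register for illustration; the scores are not measurements.
CONSTRUCTED_REGISTER = [
    RiskEntry("Customer PII database, reachable from the internet", 4, 4, 5),
    RiskEntry("Public marketing website", 5, 3, 2),
    RiskEntry("Pricing spreadsheet on an internal file server", 3, 2, 3),
    RiskEntry("Design documents in the guarded safe", 2, 1, 4),
]


if __name__ == "__main__":
    print("Before controls:")
    for asset, score in ranking(CONSTRUCTED_REGISTER):
        print(f"  {score:3d}  {asset}")
    # Segment the database and require MFA: vulnerability 4 -> 1.
    hardened = [apply_control(CONSTRUCTED_REGISTER[0], 3)] + CONSTRUCTED_REGISTER[1:]
    print("After hardening the PII database:")
    for asset, score in ranking(hardened):
        print(f"  {score:3d}  {asset}")
```

Two things the numbers make visible that the prose only states: the PII database leads the list because its consequence is high even though it is not the most-targeted asset, and once a control cuts its vulnerability to the floor of 1 the frequently attacked but low-value website becomes the top residual item, so the next budget decision changes.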

Properly managing IT information risk

Knowing what IT risk management is and what it entails, as outlined by the risk equation, is the first step to managing that risk. From here you can take the next step of establishing a clear strategy for information security and risk management. 

It’s important to note that this strategy is typically set by the leadership in an organization. Data is the lifeblood of so many companies — so the task of managing information risk isn’t and shouldn’t be taken lightly.

Once senior executives set an IT risk management (IRM) strategy, it falls to the rest of the organization — from HR to legal, marketing to finance — to put that policy into action. The policies (an acceptable use policy, for example) are written and distributed throughout the organization, so all employees understand the severity of any risk management infractions.

The IRM strategy also serves as a guideline for IT security teams to implement the technical controls (firewalls, intrusion detection, multi-factor authentication, etc.) they need to help avoid or lessen the impact of a catastrophic data breach.

To mitigate third-, fourth-, and even nth-party risk, vendor risk management teams must work with vendors, suppliers, and other parties critical to business operations to make sure that they have reasonable information security policies in place. These combined efforts help ensure that a company doesn’t suffer the harm it is trying to avoid.

Everyone is responsible 

IT risk management is not something that lies solely with IT or security teams; it’s an imperative that the whole organization must own.

In other words, this is not something to swiftly pass over or delegate to a low-level intern. IT risk management requires senior leadership involvement. There are simply too many intentional and unintentional threats to an organization’s data, and if these issues are ignored, the consequences could be severe. Financial, legal, and reputational harm could befall those who do not take this advice into consideration — so make sure you’re prepared!
