What is IT Risk Management?

Melissa Stevens | December 15, 2015

This post was updated on January 27, 2020.

IT risk management is defined as the policies, procedures, and technology an organization adopts in order to reduce the threats, vulnerabilities, and consequences that could arise if data is not protected.

In this article, we’ll show you how the classic equation for risk can help you prioritize your IT risk management strategy and recommend best practices for doing so. 

Understanding the IT risk equation

As mentioned in our working definition, IT risk management examines this classic equation for risk:

Risk = Threat × Vulnerability × Consequence

Threat is a given in IT risk management: most organizations assume that their vendors present at least some level of threat, so the factor is rarely zero.

Vulnerability comprises the gaps in a protection program. Let’s say you have a really sensitive document and you put it in a safe, in a locked building, protected by guards; you can be fairly confident that the document isn’t vulnerable to many threats. Now, if that same document sits on an open network where your organization stores all of its data, it’s easy to see how the safety of the document is compromised. The moral of this story is to understand not only what vulnerabilities exist in your protection program, but also how those vulnerabilities can be exploited. Once you work through this information, you’ll have a clearer idea of how to address your overall risk.

Consequence represents the harm caused to an organization by a cyberattack. An important element to consider here is the value of the information you’re trying to protect — something which can vary tremendously. For example, intellectual property data or pricing information may be of value to your organization. But data, such as personally identifiable information (PII), can also hold value because of the legal requirements to protect it. When determining risk, it’s important to ask what might happen if that data is compromised.
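To show how the equation supports prioritization, here is an added example that is not from the original post: it scores a small constructed inventory (the safe-versus-open-network document from above, a vendor-hosted PII store, and a public brochure) and ranks it. The 1 to 5 ordinal scales for each factor are an assumption made here; the article gives the equation, not a scale.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for each factor (constructed)


@dataclass(frozen=True)
class Asset:
    name: str
    threat: int         # 1 = rarely targeted .. 5 = actively targeted
    vulnerability: int  # 1 = well protected  .. 5 = openly exposed
    consequence: int    # 1 = minor harm      .. 5 = severe legal/financial/reputational harm

    def risk(self) -> int:
        """Risk = Threat x Vulnerability x Consequence, as in the article's equation."""
        for factor in (self.threat, self.vulnerability, self.consequence):
            if factor not in SCALE:
                raise ValueError(f"{self.name}: factor {factor} outside scale {list(SCALE)}")
        return self.threat * self.vulnerability * self.consequence


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Highest risk first; ties keep inventory order so the ranking is stable."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def mitigate(asset: Asset, new_vulnerability: int) -> Asset:
    """Model a control that closes gaps: only the vulnerability factor changes."""
    return replace(asset, vulnerability=new_vulnerability)


# Constructed inventory mirroring the article's illustrations (not real data).
INVENTORY = [
    Asset("contract in locked safe", threat=3, vulnerability=1, consequence=5),
    Asset("same contract on open file share", threat=3, vulnerability=5, consequence=5),
    Asset("customer PII database (vendor-hosted)", threat=4, vulnerability=3, consequence=5),
    Asset("public marketing brochure", threat=2, vulnerability=5, consequence=1),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.risk():3d}  {a.name}")
    # Moving the shared contract behind access controls (vulnerability 5 -> 2)
    # drops it below the PII database, so remediation effort shifts there next.
    hardened = mitigate(INVENTORY[1], new_vulnerability=2)
    print(f"after control: {hardened.risk()}  {hardened.name}")
```

Note that the brochure scores lowest despite being fully exposed: a high vulnerability factor matters little when the consequence factor is small, which is the point of weighing all three.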

Properly managing IT information risk

Knowing what IT risk management is and what it entails, as outlined by the risk equation, is the first step to managing that risk. From here you can take the next step of establishing a clear strategy for information security and risk management. 

It’s important to note that this strategy is typically set by the leadership in an organization. Data is the lifeblood of so many companies — so the task of managing information risk isn’t and shouldn’t be taken lightly.

Once senior executives set an IT risk management (IRM) strategy, it’s up to the rest of the organization — from HR to legal, marketing to finance — to put policy into action. The policies (an acceptable use policy, for example) are written and distributed throughout the organization, so all employees understand the severity of any risk management infractions.

The IRM strategy also serves as a guideline for IT security teams to implement the technical controls (firewalls, intrusion detection, multi-factor authentication, etc.) they need to help avoid or lessen the impact of a catastrophic data breach.

To mitigate third-, fourth-, and even nth-party risk, vendor risk management teams must work with vendors, suppliers, and other parties critical to business operations to make sure they have reasonable information security policies in place. These combined efforts help ensure that a company doesn’t suffer the very harm it is trying to avoid.

Everyone is responsible 

IT risk management is not something that lies solely with IT or security teams; it’s an imperative that the whole organization must own.

In other words, this is not something to swiftly pass over or delegate to a low-level intern. IT risk management requires senior leadership involvement. There are simply too many intentional and unintentional threats to an organization’s data, and if these issues are ignored, the consequences could be severe. Financial, legal, and reputational harm could befall those that do not take this advice into consideration — so make sure you’re prepared!
