Risk management


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Current Developments and Issues Affecting IS/IT Strategies.


'Risk Assessment plays an important role in an organisation's strategic planning for managing data security'

Risk management is an integral part of any business management system. It should be an organisation's policy to proactively identify, understand and manage the risks inherent in the organisation and its business practices, to encourage responsible and informed risk taking, and to seek the best balance between risk and control.

The data held by an organisation is as much a business asset as any other item, tangible or not; data and its handling matter to any organisation and should be treated accordingly. Data and information security have had an extremely high profile in recent years: a number of incidents have been highlighted and pursued in the press, which has given organisations more reason to take their approach to managing data security seriously. Particular attention was given to the loss of data relating to child benefit records and driving test candidates (Nov/Dec 07).

Using a risk management methodology allows a systematic approach to identifying, analysing and controlling risks that have the potential to cause damage or harm to an organisation. This approach can inform and shape the organisation's policies, objectives and procedures, as well as producing business action plans and a prioritisation of available resources and assets.

Data Security

Data security can be described as the practice of keeping data protected from corruption and unauthorised access, ensuring the privacy and protection of the organisation's data. The confidentiality, integrity and availability of data are essential to maintaining service levels, legal compliance and the public image and perception of any organisation.

It is crucial that an organisation takes data security seriously and invests suitable resources in the necessary controls; customers and service users should be able to trust the organisation to act appropriately when obtaining and holding data and information. An organisation considering data security should aim to reduce the threats it faces, increase the safeguards in place and reduce its vulnerabilities. The data held can take many forms, including records stored electronically in database systems, letters, spreadsheets, communications sent by email, stored digital video and speech recordings.

When dealing with data and its security an organisation has to consider the cost or damage that any breach may cause to the business or service, whether through the loss, alteration, replication or disclosure of data. Lapses can lead to loss of reputation and confidence, and even to prosecution. In the UK the Information Commissioner's Office (ICO) has been set up to police data privacy for individuals and the right of access to certain public information. The ICO has recently consulted on the possibility of fines of up to £500k for the worst breaches of the Data Protection Act 1998.

Other implications include the Turnbull Report on internal control and risk management, which gives directors of Stock Exchange listed companies responsibility for acting on IT governance, risk management and computer security. Banks and financial-sector organisations are subject to the requirements of the Bank for International Settlements (BIS) and the Basel II framework, which deals with operational risk (including information and IT risk).

Risk Assessment

Risk assessments (RAs) form part of the overall risk management approach and are the first process undertaken in assessing risks and deciding any subsequent actions that may be required. RAs are used to determine the extent of any potential threat and the risk associated with it, where risk is defined as "a potential future event which is uncertain in likelihood and consequence and if it occurs could affect a company's ability to achieve its objectives". Appendix 1 provides an example template for recording the details of an RA.

The output of this process helps to identify appropriate controls for reducing or eliminating a particular risk, taking into account the likelihood of the event occurring, the vulnerability it exploits and the resulting impact of that adverse event on the organisation. Any RA will have to consider the business context of the risk and the business functions it affects.

The risk management objective is first to eliminate the risk, or to reduce it to an acceptable level where it cannot be eliminated. The organisation then either lives with the residual risk, maintaining careful controls and countermeasures to keep it at an 'acceptable' level, or transfers it, by means of insurance or otherwise, to some other organisation.

The RA is undertaken by first carrying out an asset identification exercise, so that vulnerabilities can be assessed against what the organisation actually holds. The areas covered at this stage are the primary assets, which are the business processes and their related activities along with any data or information held, and the supporting assets, which include hardware, software, networks, premises and sites, the organisational structure and its personnel. The RA should be undertaken by a competent person who knows the organisation and the available controls, and should involve as many other staff and managers as possible.

The next stage is to determine and list all possible security threats and vulnerabilities for the assets identified. Threats can be deliberate, accidental or natural events. The list of possible data security threats and vulnerabilities is endless; a few examples are given in the tables.

Because not all risks are of equal significance to an organisation, each risk is ranked high, medium or low in terms of both the likely frequency of occurrence and the likely impact on the organisation.

Many organisations establish a risk register that identifies all significant risks that may have a material effect on service objectives. The register considers all potential risks facing the organisation and whether any of them are related or interconnected. Once the register has been established, the likely countermeasures and mitigations for each threat are considered, allowing effective decision-making.

Although high-level threats need attention first, it is likely that a number of threats can be addressed quickly and easily at relatively low cost, and that a single inexpensive control may address several threats even where each is considered a lower risk.

Implementing controls or countermeasures will usually address the requirements of legislation or regulation, the objectives of the organisation and its operational requirements. It must also consider the cost of implementing and operating the controls, weighing the investment involved against the harm that may result from any failure.

Which countermeasures to implement depends very much on the identified threat; treating it may involve a number of changes that resolve, impinge on or introduce other risks. The ultimate aim of the countermeasures is to strengthen the baseline controls by reducing the threat, increasing the safeguards and reducing the vulnerability. Countermeasures can involve anything from implementing an organisational security policy to putting a lock on a door or banning the use of memory sticks. The following are some more examples.

The RA process is iterative and involves monitoring and reviewing the countermeasures in place to see whether they are achieving their goal, as well as revisiting the assessment to check whether any new threats or vulnerabilities need to be considered.

There are a number of recommended approaches to risk assessment and information security, along with a number of tools to help; they can be quantitative or qualitative in approach and include the CCTA Risk Analysis and Management Method (CRAMM), RiskPAC, CORA and COBRA.

One way for an organisation to establish its data security requirements is to follow a set of guidelines or standards. The British Standards Institution (BSI) has developed a number of standards for information security (the BS 7799 series) that are now incorporated into the ISO/IEC 27000 family of standards.

The RA model suggested by BSI for information security follows similar risk management approaches in other standards, as well as following the plan-do-check-act cycle of quality assurance that aims for continual improvement.

Using the BSI standards brings improvements to an organisation through a process and systems approach to management, continual improvement, a factual approach to decision-making, and the potential for certification to a recognised business standard that can provide a level of assurance to customers and service users.


The use of risk analysis in relation to data security ensures that security controls for systems are proportionate to the risks, gives an overall picture of the requirements and involves everyone in the organisation, not just the IT department or section; this allows IS/IT to be integrated strategically into the business. The self-analysis process provides a way to justify the additional costs that will inevitably fall out of additional control requirements, allows departmental management and IT staff to take a more proactive role, and enhances their understanding of each other. RAs allow better targeting of threats and vulnerabilities by accurately identifying requirements, enable issues to be identified at an earlier stage, protect high-risk assets, and increase organisational awareness of data security issues among all staff. The approach gives the organisation as a whole a more consistent and objective way to assess its data security.

Risk assessment results are compiled by observing each vulnerability or threat and recording the result, and will include the following:

  • observation number with a description of the observation
  • description of the threat source or vulnerability
  • identification of existing security controls
  • likelihood evaluation with reference to the risk matrix (e.g. High, Medium or Low likelihood)
  • impact analysis evaluation with reference to the risk matrix (e.g. High, Medium or Low impact)
  • risk rating calculated from the risk-level matrix (e.g. High, Medium or Low risk level)
  • finally, any suggested controls or alternative options for reducing the risk
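The following is an added worked example, not part of the original essay, showing how the register fields above and the high/medium/low ranking can be turned into a prioritised list and used to spot the cheap controls that cover several threats at once. The five observations are constructed for illustration, and the numeric weights behind the risk-level matrix are an assumption modelled on the NIST SP 800-30 scheme (scaled to integers), not something the essay or BSI prescribes.

```python
"""Rank a small risk register with a likelihood x impact risk-level matrix.

Added example: the observations below are constructed, and the weights are an
assumption modelled on NIST SP 800-30 (likelihood 10/5/1 x impact 10/5/1,
banded into High / Medium / Low), not a scheme the essay itself defines.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Likelihood and impact are recorded as High / Medium / Low, as in the essay.
LIKELIHOOD_WEIGHT = {"High": 10, "Medium": 5, "Low": 1}   # assumed weights
IMPACT_WEIGHT = {"High": 10, "Medium": 5, "Low": 1}       # assumed weights
LEVEL_ORDER = {"High": 3, "Medium": 2, "Low": 1}          # for sorting only


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric cell of the risk-level matrix for a likelihood/impact pair (1..100)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Band the matrix cell: above 50 is High, above 10 is Medium, otherwise Low."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Observation:
    """One row of the register, mirroring the fields listed above."""
    number: int
    description: str
    threat_source: str
    likelihood: str
    impact: str
    existing_controls: List[str] = field(default_factory=list)
    suggested_controls: List[str] = field(default_factory=list)

    @property
    def rating(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed register entries (hypothetical, for illustration only).
REGISTER = [
    Observation(1, "Server room below local flood line", "Natural: flooding",
                "Low", "High", ["sandbags"], ["off-site backups"]),
    Observation(2, "Unencrypted laptops taken off-site", "Accidental: loss or theft",
                "High", "High", ["asset tags"],
                ["encryption of data at rest", "acceptable use policy"]),
    Observation(3, "Shared DBA password on the customer database", "Deliberate: insider misuse",
                "Medium", "Medium", [], ["individual admin accounts", "quarterly access review"]),
    Observation(4, "Email with personal data sent to wrong recipient", "Accidental: user error",
                "High", "Low", ["address book"], ["acceptable use policy"]),
    Observation(5, "Bulk extracts copied to memory sticks for transfer", "Accidental: loss in transit",
                "Medium", "High", [], ["ban removable media", "encryption of data at rest"]),
]


def prioritise(register: List[Observation]) -> List[Observation]:
    """Order the register: highest rating first, then highest matrix score, then number."""
    return sorted(register, key=lambda o: (-LEVEL_ORDER[o.rating],
                                           -risk_score(o.likelihood, o.impact),
                                           o.number))


def shared_controls(register: List[Observation]) -> List[Tuple[str, List[int]]]:
    """Suggested controls that address more than one observation: candidate quick wins."""
    coverage: Dict[str, List[int]] = defaultdict(list)
    for obs in register:
        for control in obs.suggested_controls:
            coverage[control].append(obs.number)
    multi = [(control, sorted(nums)) for control, nums in coverage.items() if len(nums) > 1]
    return sorted(multi, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for obs in prioritise(REGISTER):
        print(f"{obs.number}: {obs.rating:6} L={obs.likelihood:6} I={obs.impact:6} {obs.description}")
    for control, nums in shared_controls(REGISTER):
        print(f"quick win: {control!r} addresses observations {nums}")
```

Running the block lists observation 2 (High) first, then 5 and 3 (Medium), then 1 and 4 (Low); it also reports that an acceptable use policy and encryption of data at rest each address two observations, which is the kind of low-cost, multi-threat control the essay says is worth doing early even where the individual risks are rated lower.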

