Risk, in the IT sector, is defined by NIST as the probability that a particular threat-source will accidentally or intentionally exploit particular information system vulnerabilities.
Threats can arise from vulnerabilities or weaknesses within the organization itself. Nevertheless, the organization should take sufficient precautions while still accepting calculated risks in order to promote growth.
Risk management is the management of risks in an organization, through detection, analysis, and deployment of adequate countermeasures, depending on the impact that the risk will have, so as to bring the risk down to a non-critical level.
A risk manager is the person responsible for detecting, analyzing and controlling risks. The risk manager's work does not end with the risk assessment; the process is incomplete until the final countermeasures have been implemented.
Risk management policy
A risk management policy is an essential set of guidelines laid down to describe and communicate the organization's risk management approach.
A risk log is a tool used by risk managers during the risk management process to keep tabs on the detected risks and the possible solutions and countermeasures.
The main objective of risk management in ITIL is to detect, analyze and control the risks.
Detection of risks involves identifying the threats and vulnerabilities that can affect the organization's assets. Experience is essential for identifying risks, as they can originate from unexpected sources and do not follow a fixed pattern. Detection is often the toughest part, because risks are easily overlooked.
Analysis of risk deals with collecting and calculating data about risk exposure. This data is essential for the company to make appropriate decisions and manage risks; accurate analysis leads to more effective countermeasures.
Control of risk deals with making decisions after monitoring the environment, in order to ensure that previously identified threats and vulnerabilities are effectively countered.
If an organization dealing in e-commerce decides to enter digital payments, a substantial investment must be made in acquiring adequate human resources, capital, and digital infrastructure.
All three of these acquisitions are made over a period of time and can pose financial, business and organizational risks. Mismanagement of such resources can not only cause the new venture to fail but can also affect the profitability and credibility of the company's existing core business.
It is therefore vital to identify all the risk areas before jumping into a new venture.
The identified risks should then be analyzed to find out their cause and effect.
Adequate countermeasures must then be implemented to reduce the risk to a level at which the new venture will not harm the business even if it does not perform as expected.