Risk management plan

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 20:00, 13 April 2007 by Mdpeters

IT Risk Management Process

IT controls result from an effective risk assessment process. Therefore, the ability to mitigate IT risks depends on risk assessments. Senior management should identify, measure, control, and monitor technology to avoid risks that threaten the safety and soundness of an institution. The institution should (1) plan for the use of technology, (2) assess the risk associated with technology, (3) decide how to implement the technology, and (4) establish a process to measure and monitor the risk that is taken on.

All organizations should have:

  • An effective planning process that aligns IT and business objectives
  • An ongoing risk assessment process that evaluates the environment and potential changes
  • Technology implementation procedures that include appropriate controls
  • Measurement and monitoring efforts that effectively identify ways to manage risk exposure

This process will typically require a higher level of formality in more complex institutions with major technology-related initiatives.

The risk identification and management process for technology-related risks is not complete without consideration of the overall IT environment in which the technology resides.

Management may need to consider risks associated with IT environments from two different perspectives:

  • If the IT function is decentralized and business units manage the risk, management should coordinate risk management efforts through common organization-wide expectations.
  • If the IT department is a centralized function that supports business lines across a shared infrastructure, management should centralize its IT risk management efforts.