IT risk management can be a risk all by itself. Although the principles sound straightforward, applying them incorrectly can lead to wasted effort, mistakes in risk postures, and failing to spot relevant risks or changes in those risks
At best, you could end up with a risk management approach that leaves other experienced parties sighing with disappointment. At worst, your enterprise could be unprepared and exposed if risks turn into reality. Avoiding the following traps can be a good way to start improving the situation.
- Reinventing the wheel. DIY and effective IT risk management can only overlap so much. Not only will DIY take you far more time and effort, but you are likely to make mistakes that others already corrected.
- Enforcing policy without thinking. Bad IT risk management limits itself to mechanically applying procedures, without checking if they are the right ones. IT security controls are a case in point.
- Chop logic calculations. You’d think that typed programming languages would have made it clear that you can’t lump apples and oranges together, then multiply up for a numerical result. For instance, high, medium and low ratings may help to better understand risks, but you cannot compare them any further until you have measured and assigned compatible numbers to them.
- The Risk Register Rucksack trap. Novice hikers fill their rucksacks until they are full – then discover how painful and difficult all that weight is when hiking. The risk register is a similar trap, tempting managers to bundle in every possible (but not probable) risk under the sun. Yes, aliens crashing their spaceship into your data centre is a possible danger, but highly, highly unlikely.
Many processes like getting expert counsel on risk are already documented. At some point, it makes more sense to leverage existing knowhow from others in your organisation or use a competent external resource, instead of creating everything from zero. So we’ll finish off with a bonus pitfall avoidance: never let personal pride or ignorance interfere with setting up IT risk management that covers your organisation efficiently and effectively.