Risk management
Risk management - that sounds important, but what is actually behind this term?
Definition of risk management: What is risk management?
You want a brief definition of risk management? Here it is: risk management identifies, monitors and evaluates the risks to which IT is exposed throughout its entire life cycle. That is only the first step, however: in the second step, risk management confronts these risks with appropriate emergency plans and effective countermeasures. The implementation of all these measures is referred to as the risk management process.
IT risk management process must become part of the business objectives
IT risk management must be part of the corporate goals and implemented as a holistic risk management process. This means that management has to take charge of risk management at the operational level. At the same time, additional committees and responsible persons are appointed to monitor the measures of IT risk management and thus take on the strategic work. Risk managers must therefore be active at both levels, and all necessary measures must be organised as one holistic risk management system.
Targets of risk management - definition
There is no question about it: today, most business processes depend on functioning IT. As a result, IT is becoming more and more complex and thus more fragile, and it must therefore be protected. Many IT components are interconnected into entire IT systems, which in turn are essential for keeping important business processes running. If they fail, the company concerned faces massive damage. This is precisely where IT risk management comes in with its primary objective: it identifies risks, assesses their significance, prevents their occurrence wherever possible and limits the damage where it cannot.
It is important for risk managers to know: What are the risks?
This includes everything that can happen to IT and thus to the business processes that depend on it. Many risks today originate from the internet and from the fact that so much already takes place exclusively digitally. Hacker attacks are a real danger, for example, as are espionage, data theft, data loss and misuse. Hardware failure and software errors must also be considered serious risks.
Risk management process
There are therefore numerous scenarios for possible damage. At this point in the risk management process, measures are developed to avoid such damage scenarios by identifying and controlling risks in advance. It is important to include every IT element from the first minute it is integrated into a business process and starts operating. In other words, risk management for an IT element begins as soon as it is implemented and continues for as long as the element is in operation, until it is finally retired and decommissioned.
Risk management system also applies to physical security
The aspect of physical security should not be neglected as part of IT risk management. Unauthorised physical access, as well as external threats such as fire, also pose a risk to IT systems. To counter this risk, IT components must first be housed in a suitable location, and this literally means a safe place, which counteracts the danger of unauthorised access. In addition, cryptographic IT security procedures (encryption) can be used, for example, so that data on stolen or lost hardware remains unreadable.
Risks to physical IT security are therefore also assessed in the context of IT risk management.
Risk management - the internet as a danger point
The internet is a major and ever-present source of danger, for example through computer viruses and other malware and through opportunistic attacks from outside. Hacker attacks always represent a major threat to IT systems because they carry the danger of data theft, manipulation and misuse. Holistic risk management therefore naturally starts here too: risks in this area are limited and their potential negative effects are contained. Optimal IT risk management has emergency measures and plans tailored to the relevant risk areas, ready for use when an incident occurs.
Steps of risk management
The risk management process can be implemented in the following steps, for example:
- Identify/recognise IT risk areas: Which systems are threatened? In this step, sensitive IT systems are identified and then the question is answered: how important are these systems?
- Risks: What can happen to these systems? What risks do they face? Now we identify as precisely as possible what can happen to each of these systems in detail.
- Risk analysis and assessment: All identified risks are then assessed (according to probability of occurrence, impact, etc.); this can be done, for example, with the help of a multi-level matrix that rates likelihood and impact on a scale and maps the combination to a risk level.
- Risk treatment (risk management in the narrower sense): What measures can be taken to minimise the risk? What can be done to manage the possible consequences in the best possible way? At what budget? The risk that remains after the measures are applied is the residual risk, which must be compared against what the company is willing to accept.
- Risk monitoring: How are the risks developing? Which new ones are being added? Reporting and monitoring of the corresponding planning and developments are documented precisely and tracked.
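The five steps above, carried through as a small qualitative risk register. This is an added example and not code from the original article or from any standard: the 5x5 likelihood x impact matrix, its band thresholds, the assets, threats, control effects and budget figures are all constructed for illustration, and a real organisation would calibrate them to its own risk appetite.

```python
"""Qualitative IT risk register following the five steps above (added example, not
from the original article). Ratings use a 5x5 likelihood x impact matrix with four
risk bands; the thresholds, assets, threats and controls are constructed for
illustration and would be calibrated to a real organisation's risk appetite."""
from dataclasses import dataclass, field

LEVELS = range(1, 6)  # likelihood and impact are rated 1 (very low) to 5 (very high)
BAND_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def risk_band(score: int) -> str:
    """Map a likelihood x impact product onto the multi-level matrix (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Control:
    """A treatment measure and the rating points it removes (hypothetical values)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    cost: int = 0  # budget units, used to answer "at what budget?"


@dataclass
class Risk:
    asset: str       # step 1: the IT element at risk
    threat: str      # step 2: what can happen to it
    likelihood: int  # step 3: rating 1-5
    impact: int      # step 3: rating 1-5
    controls: list = field(default_factory=list)  # step 4: applied treatments

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError("likelihood and impact must be rated 1-5")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Controls never push a rating below 1: no treatment removes a risk entirely.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritise(register):
    """Rank by inherent score so the largest exposures are treated first."""
    return sorted(register, key=lambda r: (-r.inherent_score, r.asset))


def above_appetite(register, appetite: str):
    """Risks whose residual band still exceeds the accepted band need further treatment."""
    return [r for r in register if BAND_ORDER[risk_band(r.residual_score)] > BAND_ORDER[appetite]]


def treatment_budget(register) -> int:
    return sum(c.cost for r in register for c in r.controls)


def monitor(previous, current):
    """Step 5: report new, retired and re-banded risks between two assessments."""
    prev = {(r.asset, r.threat): risk_band(r.residual_score) for r in previous}
    cur = {(r.asset, r.threat): risk_band(r.residual_score) for r in current}
    return {
        "new": sorted(k for k in cur if k not in prev),
        "retired": sorted(k for k in prev if k not in cur),
        "changed": sorted((k, prev[k], cur[k]) for k in cur if k in prev and prev[k] != cur[k]),
    }


def sample_register():
    """Constructed sample data; the figures are not from any real assessment."""
    return [
        Risk("ERP server", "Ransomware", 4, 5,
             [Control("Offline backups", impact_reduction=2, cost=30),
              Control("Endpoint detection and response", likelihood_reduction=1, cost=50)]),
        Risk("Customer database", "Data theft via SQL injection", 3, 5,
             [Control("Parameterised queries", likelihood_reduction=2, cost=20)]),
        Risk("Print server", "Hardware failure", 3, 1),
        Risk("Server room", "Fire", 1, 5,
             [Control("Fire suppression", impact_reduction=2, cost=40)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in prioritise(register):
        print(f"{r.asset:18} {r.threat:30} inherent={risk_band(r.inherent_score):8} "
              f"residual={risk_band(r.residual_score)}")
    print("still above appetite:", [r.asset for r in above_appetite(register, "medium")])
    print("treatment budget:", treatment_budget(register))
    later = sample_register()
    later[2].likelihood = 5  # a new assessment rates the ageing print server as failing more often
    print("monitoring report:", monitor(register[:3], later))
```

Two design points matter more than the numbers: residual ratings are floored at 1, so the register never reports a risk as eliminated, and `monitor` compares residual bands rather than raw scores, so routine re-scoring only shows up in reporting when a risk actually crosses a threshold.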
Recognised standards as a guideline for risk management
Standards summarise best practices and are a useful guide for developing and implementing successful risk management. Following the standards keeps the organisation at the state of the art. In addition, IT systems that are at risk can be optimised with the help of the guidance these standards provide, and technical requirements that are indispensable for the company can still be met even in an emergency.
General standards for security and risk management include: IT-GS (BSI IT-Grundschutz), ISO/IEC 18028 (IT network security; since superseded by the ISO/IEC 27033 series), ISO/IEC 27005 (information security risk management), ISO/IEC 15816 (security information objects for access control) and ISO/IEC 27001 (information security management systems in organisations).