From the course: ISACA Certified in Risk and Information Systems Control (CRISC) Cert Prep
IT risk management lifecycle
- [Instructor] Now we're going to dive into some key topics when it comes to CRISC and general IT risk management. We'll talk about terms specific to each module as we encounter them. So I'm not going to go through every key definition here. I'm not going to go through every security term. I just wanted to make sure that we were on the same page when it comes to key terms that we'll use in and out of each module, and that we can center ourselves. So if you say, oh, I can't remember what this term means, you can come back and revisit it here to make sure we're on the same page. We're going to start with the IT risk management lifecycle. If you're coming from more of an enterprise risk management background, this lifecycle is going to look very familiar to you. It is the same no matter what type of risk we're looking at, what type of risk we're analyzing, what type of risk we're reporting on; we're just going to talk about it specifically through the IT risk lens. So the examples I give will be IT-related or security-related, and we'll talk about how to do these things with that IT risk management lens. So starting in the upper right, we have risk identification. We're going to go through the steps that are needed to actually find risk in our environment. What is a risk and what isn't a risk? How to know where emerging risks might come from, or new risks to your environment, whether based on internal or external circumstances, and figure out how to get that core list of risks that our organization is facing. Then we'll move on to the bottom right, which is risk assessment and risk analysis. So let's take a look and kind of dive deeper into those risks. How often are they going to happen? What is the impact if they do happen? How much are we set to lose on the assets that we have? Whether that's people, whether that's equipment and hardware, whether that's software, or whether that's just a general loss of operations or business.
And we're going to figure out then from that analysis and from that assessment, and move on to the bottom left-hand corner, which is risk treatment. So we've identified the risk, we've figured out which of those is going to be the biggest impact to our organization, which is going to be critical to make sure that we can still achieve our objectives, and we're going to figure out what to do with them. There are four key treatment options that we'll talk about, but as I've mentioned, none of this is as simple as what's written on the page. So we'll talk about how to make sure we know when is the right time to do something, when is the right time to not do something, things to keep in mind, and a mix of potential response options. All of those things will happen in that risk treatment portion. And then we'll dive into monitoring and reporting. So you've done all of this work: you've found the risk, you've analyzed the risk, you've decided to do something about it, or you've decided to take some sort of action as an organization in response to those risks. Now we want to make sure that we're monitoring them. So in real life, has the risk turned out like we anticipated through the identification and analysis portion? If it hasn't, we need to make sure that, as this mentions, we go back into the lifecycle to begin to identify, assess, analyze, and treat those risks. And then we want to do some reporting. Risk management is not done in secret. It's not done without the knowledge of others who are involved, either directly or indirectly, in that risk management decision. And we want to make sure that we get the reporting out to the right people in the right format so they can understand either what we're asking of them, what they need to do, how they need to be involved, how they need to give us more resources, whatever that message is that the data and reporting is telling us to do.
As I said, this is a cycle, so it's not as easy as we do these five steps, identify, assess, analyze, treat, report, and then we just get to put our feet up and head to the beach. This is going to be a constant cycle, and that constant cycle can be at a risk level, right? The risk related to access to your software and hardware, the risk related to access to your physical plants or your data centers. Or it can be at a higher level: the risk to a certain line of business within your organization, focused on the IT technology and security that supports that line of business. Maybe this is even done at your company's level, where you're looking at those key company missions and objectives, and saying, what is the risk that's present here, and doing this cycle on those as well.