
Myths of IT security

Published Date: 11 February 2008
Ask anyone in business which IT risks he or she fears the most and you will no doubt hear about hostile attacks, trojans and viruses, right?
Wrong. It is more likely that you will hear about system availability, or the lack of it.

But there is a wide range of risks that organisations must work to mitigate to keep their business rolling.

It is prudent to take a balanced approach to IT risk management, one that encompasses security, availability, compliance and performance risks. Misunderstanding IT risk management can lead to system failures, which can ultimately affect business continuity.

Security software company Symantec has just released a report on IT risk management trends. The IT Risk Management Report Volume II is based on a survey of more than 400 IT professionals worldwide and debunks four myths:

• that IT risk management is focused only on IT security

• that IT risk management is project driven

• that technology alone can manage IT risk

• that IT risk management has already become a formal discipline.

The report revealed that IT professionals now hold a much broader view than that of risk being synonymous with security. Availability risk was given 'critical' or 'serious' ratings by 78 per cent of respondents compared to 70 per cent for security, 68 per cent for performance and 63 per cent for compliance risks.

That only 15 percentage points separate the highest and lowest scoring risk types indicates that IT professionals are adopting a more balanced, less security-centric view of IT risk.

Report findings confirmed that security and compliance risks often attract attention because of their high visibility and impact. More than 60 per cent of respondents rated data loss incidents as having a serious impact on their business.

But availability risks are receiving more attention, as downtime can cost millions of pounds in lost productivity.

A second myth dispelled by the report relates to the project management approach to IT risk. The report shows that risk management cannot be addressed in a single project, or even as a series of point-in-time exercises across budget periods or years, because that ignores the dynamic nature inherent in risk.

IT risk management is increasingly being approached as an ongoing process, to keep pace with change as it happens. Incidents of various types can affect the modern organisation at an alarming rate, as these figures show:

• 69 per cent of respondents expect a minor IT incident once a month

• 63 per cent anticipate a major IT failure at least once a year

• 26 per cent expect a regulatory non-compliance incident at least once a year

• 25 per cent anticipate a data-loss incident at least once a year

The report shows that the most effective organisations take a holistic approach, but many still fail to implement some fundamental risk management controls, such as asset classification and management.

Only 40 per cent of respondents rated their performance in this area as 75 per cent effective or higher.

In addition, only 34 per cent believed they had an up-to-date inventory of the wireless and mobile devices that are essential in today's business world.

Another widely held belief is that technology alone removes risk. Symantec found that, while technology plays a critical role in risk mitigation, the people and processes that technology supports also determine the effectiveness of risk management. Process issues cause 53 per cent of IT incidents.

Only 43 per cent of those surveyed rated their data lifecycle management as 'greater than 75 per cent' effective.

Without effective classification, all assets are treated equally, so some systems, processes and data will be over-protected and others under-protected. This makes protection costly and inefficient.

It is clear from the report that IT risk management is not yet a formal discipline or a precise science, but an evolving business subject area.

This is largely because it still relies on the growing experience of individuals as they keep pace with change.

There is a growing understanding that IT risk management incorporates elements of operational risk management, quality control, and business and IT governance. Practitioners may also come to see IT risk management as a set of fixed principles and relationships, universally applicable across industries and geographies.

Sherrilynne Starkie is the managing partner of Strive Public Relations, a communications consultancy serving the Isle of Man. She provides her views on business and technology each week in Tech Talk. Visit her business blog Strive Notes for frequent updates.
www.strivepr.com
