IT Risk Management: The board of directors’ strategic role in managing IT risk

We all know that IT brings a wealth of benefits to any business. From allowing employees to work more effectively and supporting better collaboration and communication, through to enhancing service delivering and increasing customer satisfaction. Technology is now involved, in some part, in almost every area of operations and critical process – regardless of the sector or size. 

However, the more entwined IT is with the business, the greater the potential exposure to IT risk. These types of risks can have a catastrophic impact, so it is vital that businesses identify IT risks, take steps to control them, and develop a robust response plan in the event of an IT-related crisis

What is IT risk management?

IT risk management is the policies, procedures, and technologies a company uses to protect their business from threats and mitigate their impact. It is essentially focused on reducing technology vulnerabilities which can affect the availability, confidentiality, and integrity of systems and data.  

By identifying and evaluating potential IT risks, businesses can be better prepared for potential threats, minimise the impact of an incident and recover faster should something happen. Managing IT risk also helps guide further strategic planning by ensuring risks which may impact the business achieving its goals and objectives are identified and controlled effectively.  

What are some examples of IT risk?

Threats to your IT environment can occur internally or externally, and they can be unintentional or deliberate. The potential risks are numerous, but can typically be broken down into the following categories 

• Physical Threats: As a result of physical access or damage to IT resources. This could include theft, fire or flood damage, natural disasters, extreme weather, or unauthorised access to confidential data – either internally or externally.  
• Security Threats: Where cyber-criminals or other malicious actors attempt to compromise your business. This could include computer viruses, malware, ransomware, phishing/vishing, business email compromise (BEC), and or other targeted attacks. Or it could involve the business, or an employee, falling victim to a fraudulent website or email. 
• Technical Failures: Such as software bugs, unpatched software, system weaknesses, computer crashes or complete failure of a core piece of infrastructure. Technical failures can be catastrophic, for example, if a hard drive was corrupted and there was no way to retrieve the data. This could also include legacy technology which is difficult and expensive to maintain. 
• IT Management Failures: Where a company fails to embrace new technologies or methods of working, which result in lost opportunities and reduced productivity and efficiencies. It could also include failing to deploy new software releases or updates, leaving the company open to bugs or security flaws which could be exploited by cyber-criminals. 
• Infrastructure Failures: This could include things like the loss of your internet or telephone connection. 
• Human Error: Such as an employee accidentally deleting important data, failing to follow security procedures properly, or losing a corporate device.  
• Supply Chain Error: The disruption of critical IT processes outsourced to IT service providers and vendors. 
• Operational Risk: The risk of technological failures disrupting core business processes. 
• Compliance Failure: The failure to comply with industry or geographical regulations (e.g. GDPR) or regulatory bodies (e.g. the FCA, ICO) 

Why does the board of directors need to be involved with IT risk management?

It’s understandable why businesses may think that IT risk management is the sole responsibility of the IT department. It is risks related to the use of technology. Technology typically falls under the IT department, therefore, that’s where IT risk management also lies.  

Yet, technology isn’t the whole story.  

A simple technical failure, such as the email system going down, can affect multiple teams across the business as well as clients and prospective clients. Depending on the length of downtime, this can result in lost productivity, lost revenue, and reputational damage. All of which will be reflected in the bottom line.   

IT risk affects the whole business. Not just BAU operations, but the long-term goals and objectives. This risk must be considered and evaluated when determining the strategic direction of the business, which is why it is essential that the board of directors take ultimate accountability for it. 

The IT department should certainly be involved in the process, as they will have a wealth of knowledge and understanding of the technical risks and the changing landscape, but it’s essential that the board understand the commercial impact as well. They need to know what the IT risks are, what the potential impact is, and the likelihood of that risk occurring, in the context of the business environment.  

Only with this information can effective planning and resource allocation take place. Personnel may need to be allocated to undertake projects to address certain risks. The budget may need to be redistributed, allocated, or increased to take mitigating actions. It all depends on the board’s appetite for risk, but again, this tolerance level can only be determined with a complete and clear understanding of all the risks.  

Of course, this is not to say that board members need to involve themselves in the minutiae of day-to-day monitoring. Everyone within a business has a role to play when it comes to successful IT risk management. Once the risks have been identified, categorised, and catalogued, responsibility can then be cascaded to senior personnel. They would then hold responsibility for identifying plans to mitigate that risk, and regular monitoring.  

However, IT risk management should be a standing item on the board agenda. This is not an item which can be ticked off the to-do list. It is an item which needs to be reviewed and re-evaluated periodically. The rapid pace of change in the technology and business landscape means not only do the identified risks change, but there are new ones to review. There will be new technology to consider, which comes with its own complex risks. The context in which you evaluate these risks will also change as your business develops. What was once a high risk may become lower, or vice versa. As businesses are required to be more agile in practice and operation, so must they be too when it comes to IT risk management.  

Taking accountability for risk

IT risk management is a business investment. One which will help companies safeguard their ability to achieve their long-term goals. It requires commitment at board level and continual review. The pace of change in the IT landscape is so rapid that not only are their new risks developing all the time, but there is the risk that the business will be disrupted if it does not take advantage of opportunities. 

The process requires a blend of strong IT and commercial expertise, as the board will need to strike a delicate balance when it comes to risk appetite. An extremely high tolerance could put the business in harm’s way with unnecessary risk from being on the ‘bleeding edge’. On the other hand, extreme risk aversion can stifle innovation and development, leaving the business lagging in the market and missing out on opportunities.  

Boards should not be afraid to seek external counsel from a CIO-level Consultant to manage this process. Even where a business has an internal IT resource, a CIO can provide additional expertise. For example, translating the technical risk identified by IT into commercial terms for the board and assessing the impact on business strategy.