Getting Back to I&T Basics: The more audits I do, the more I’m convinced that managing risk is a bit like herding cats. Except in this case, the cats are constantly shifting threats, unpredictable vendors, and an ever-growing list of regulatory requirements.Risk is everywhere. It’s in the systems we manage, the processes we rely on, and the partners we depend on to keep our operations running smoothly. Whether it’s operational, strategic, regulatory, or reputational, risk must be acknowledged, assessed, and addressed. And this is all before we even begin discussing third-party risk.In this second installment of our monthly Getting Back to I&T Basics series, we will explore both risk management and third-party risk management by breaking them down into approachable, actionable concepts. My goal is to equip you with the tools needed to strengthen your organization’s risk posture without needing a degree in chaos theory.

In our first article, we emphasized the importance of building a strong Information and Technology (I&T) governance foundation through creation of an IT strategic plan and policy framework. While this creates a solid foundation, there is one significant aspect missing – risk management.  

Any conversation about risk management should start at the enterprise level; however, that can be a lengthy subject. Instead, I will simply state that the key to a strong enterprise risk management (ERM) program is in creating a scoring mechanism that enables those charged with governance to compare two disparate business units’ risks and accurately prioritize resources between them.  

Now let’s dive into two of the most significant portions of any business’s risk management process: managing risks associated with I&T operations and third-parties.  

Why Does I&T Risk Management Matter? 

Think about how much your organization depends on technology every single day. Everything from processing payroll to handling customer transactions, from storing sensitive data to providing digital services, depends heavily on your company’s information systems and technology. When technology fails, even momentarily, it can have significant impacts on your business operations and your bottom line. 

Effective I&T risk management is all about identifying, assessing, and mitigating risks associated with technology usage across your enterprise. It’s essential for protecting your business against cybersecurity threats, data breaches, downtime, regulatory non-compliance, and reputational damage. In short, it’s your shield against uncertainty in the digital age. 

Tackling I&T Risk Management: The Basics 

1. Risk Identification: You cannot manage what you do not see. Start by mapping out your technology landscape, pinpointing critical systems, applications, data assets, and processes. Ask questions like: What would happen if this system went offline? Where are our greatest vulnerabilities? Where is sensitive information stored? 

2. Risk Assessment: Once you’ve identified potential risks, evaluate their impact and likelihood. A common practice is using a risk matrix to prioritize risks, ranking them from low-impact, low-likelihood to high-impact, high-likelihood. 

3. Risk Mitigation: Now it is time to decide how you will respond. Options include risk avoidance (stopping certain activities), risk reduction (implementing controls to lessen impact), risk transfer (shifting risk to a third-party, like through insurance or outsourcing), or risk acceptance (acknowledging the risk is manageable without additional controls). 

4. Continuous Monitoring: Risk management is not a set-it-and-forget-it activity. Regularly reassess and adjust your approach to respond to changes in your business, technology landscape, and emerging threats. 

As you go through the risk assessment process remember that it is impossible to mitigate risk entirely. The only way to even come close would be to cease operations as a company, but even then, you would face the risk of financial ruin; ergo, risk cannot be completely avoided.  

Additionally, there are many ways to go about identifying risks. Some approaches include asset-based, threat-based, compliance-based, or a hybrid of the various approaches. Depending on your industry, one of these approaches may be more beneficial than another. In general, I would recommend that an organization just beginning its journey into risk management start with an asset-based approach. An asset-based approach starts with a listing of all an organization’s assets, including systems, data, and people. This type of approach will assist in minimizing the number of overlooked risks.  

Third-Party Risk Management: Extending Your Shield 

The complexity of modern businesses often means relying heavily on third-party vendors for software, cloud services, support, and more. While these relationships are essential, they also introduce additional complexities and layers of risk. Managing third-party risk is about ensuring that these external partners are just as committed to risk management as you are. 

Consider the infamous Target breach in 2013. Attackers did not come after Target directly; instead, they exploited vulnerabilities in a third-party HVAC vendor’s system. This event provides a vital lesson into why third-party risk management is so critical: your organization’s security posture is only as strong as your weakest third-party. 

Steps to Effective Third-Party Risk Management 

1. Third-Party Assessment: Before onboarding third-parties, conduct thorough assessments. Look at their security practices, compliance certifications (like ISO 27001, SOC 2, or PCI DSS), incident history, and financial stability. 

2. Contract Management: Clearly define security expectations, responsibilities, and incident reporting requirements in vendor contracts. Include right-to-audit clauses that allow you to periodically assess third-party practices. 

3. Continuous Oversight: Regularly evaluate your third-parties’ performance against agreed-upon security benchmarks. Make sure vendors are keeping pace with evolving threats and compliance requirements. 

4. Incident Response Coordination: Plan and test incident response activities involving third-parties. Ensure clarity around roles, responsibilities, and communication channels during potential incidents. 

Previously, I referred to the 2013 Target breach, which originated from the company’s HVAC vendor. When assessing risk from third-party vendors, it is crucial to recognize that threats to your organization may not be limited to IT vendors. Just as identifying potential choke points within the vendor supply chain is essential for managing supply chain risk, it is equally important to evaluate cybersecurity risks throughout the vendor supply chain. 

Bridging I&T and Third-Party Risk Management 

It’s crucial not to treat I&T and third-party risk management as isolated silos. Effective ERM means integrating both together and aligning third-party oversight with your internal risk management framework. Third-parties should understand your risk appetite, security policies, and standards, while internal teams should be aware of third-party related risks and responsibilities. 

Common Pitfalls and How to Avoid Them 

Many organizations stumble in their risk management journeys because of a few common mistakes: 

• Ignoring “Shadow IT”: Employees often use unauthorized apps and services without the IT department’s knowledge, introducing risks. Promote a culture of openness and educate your team on the potential impacts. 

• Inconsistent Third-Party Management: Different departments handling vendors differently can create blind spots. Standardize your third-party risk management processes enterprise wide, this includes both the components of the due diligence process, and the risk scoring system used. 

• Static Risk Assessment: Treating risk management as a checkbox exercise without regular review can leave you exposed. Ensure regular updates and reassessments. 

Embracing Technology to Enhance Risk Management 

Technology is not just something to manage, it is also your ally in risk management. Modern Governance, Risk, and Compliance (GRC) platforms can streamline risk assessments, automate continuous monitoring, and improve collaboration across teams and with third-parties. 

Consider using tools that provide real-time visibility into risks and vulnerabilities, automate vendor evaluations, and deliver actionable insights. These tools help you maintain comprehensive oversight without drowning in spreadsheets and manual tasks. 

Keeping It Simple and Practical 

Effective ERM does not require overly complex frameworks or overwhelming documentation. Sometimes, simple checklists, clear processes, and regular conversations can go a long way. Foster a risk-aware culture where everyone understands their role in managing risks—whether internal or third-party related. 

Looking Ahead 

IT and third-party risk management are not just necessary evils; they are strategic enablers of business success. Well-managed risk allows your organization to innovate and move quickly, knowing you have solid safety nets in place. 

As you move forward in your ERM journey, remember: 

• Keep it consistent, practical, and actionable. 

• Regularly review and refine your approach. 

• Stay engaged with your teams and vendors. 

By getting these fundamentals right, you are not only protecting your business from potential threats but also positioning it for future growth, resilience, and anything else that may follow. Speaking of what comes next: stay tuned for next month’s article, Essential Safeguards: Building Your IT General Controls Framework. 

Explore more in our ongoing series with this related article:

Foundations First: Crafting Effective IT Governance and Policies