Getting Back to I&T Basics: The more audits I do, the more I’m convinced that managing risk is a bit like herding cats. Except in this case, the cats are constantly shifting threats, unpredictable vendors, and an ever-growing list of regulatory requirements.

Risk is everywhere. It’s in the systems we manage, the processes we rely on, and the partners we depend on to keep our operations running smoothly. Whether it’s operational, strategic, regulatory, or reputational, risk must be acknowledged, assessed, and addressed. And this is all before we even begin discussing third-party risk.

In this second installment of our monthly Getting Back to I&T Basics series, we will explore both risk management and third-party risk management by breaking them down into approachable, actionable concepts. My goal is to equip you with the tools needed to strengthen your organization’s risk posture without needing a degree in chaos theory.
In our first article, we emphasized the importance of building a strong Information and Technology (I&T) governance foundation through creation of an IT strategic plan and policy framework. While this creates a solid foundation, there is one significant aspect missing – risk management.
Any conversation about risk management should start at the enterprise level, but that is a lengthy subject in its own right. For now I will simply state that the key to a strong enterprise risk management (ERM) program is a common scoring mechanism: one scale applied to every unit’s risks, so that those charged with governance can place two disparate business units’ risks side by side and accurately prioritize resources between them. Scores that are rated on different scales in different units cannot be compared, and a risk register that cannot be compared cannot be prioritized.
Now let’s dive into two of the most significant portions of any business’s risk management process: managing risks associated with I&T operations and third-parties.
Think about how much your organization depends on technology every single day. Everything from processing payroll to handling customer transactions, from storing sensitive data to providing digital services, depends heavily on your company’s information systems and technology. When technology fails, even momentarily, it can have significant impacts on your business operations and your bottom line.
Effective I&T risk management is all about identifying, assessing, and mitigating risks associated with technology usage across your enterprise. It’s essential for protecting your business against cybersecurity threats, data breaches, downtime, regulatory non-compliance, and reputational damage. In short, it’s your shield against uncertainty in the digital age.
As you go through the risk assessment process, remember that it is impossible to eliminate risk entirely. The only way to come close would be to cease operations as a company, and even then you would face the risk of financial ruin. Risk can be reduced to an acceptable level, but it can never be completely avoided.
Additionally, there are many ways to go about identifying risks, including asset-based, threat-based, and compliance-based approaches, or a hybrid of these. Depending on your industry, one approach may be more beneficial than another. In general, I recommend that an organization just beginning its risk management journey start with an asset-based approach: begin with an inventory of all of the organization’s assets, including systems, data, and people, and then identify the threats to each one. Because every risk is tied to something you already know you own, this approach minimizes the number of overlooked risks.
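To make the two ideas above concrete (a common scoring scale that lets governance compare risks across business units, and an asset-based register that starts from an inventory of systems, data, and people), here is a small worked example. It is added for this article and is not code from the original; every asset, business unit, vendor, threat, and rating in it is constructed for illustration, and the 1-5 likelihood-times-impact scale is one common convention, not the only one.

```python
"""Asset-based risk register scored on one enterprise-wide scale.

Added illustrative example, not code from the original article. Every asset,
business unit, vendor, threat and rating below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One shared 1-5 scale for likelihood and impact. Scoring every unit's risks on
# the same scale is what lets governance compare a Finance risk with a
# Facilities risk and prioritise resources between them.
MIN_RATING, MAX_RATING = 1, 5


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                          # "system", "data" or "people"
    business_unit: str
    third_party: Optional[str] = None  # vendor that operates or hosts it, if any


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int                    # 1-5 on the shared scale
    impact: int                        # 1-5 on the shared scale

    def __post_init__(self) -> None:
        # Reject ratings outside the shared scale so unit-local scales cannot creep in.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{label} must be {MIN_RATING}-{MAX_RATING}, got {value}")

    def score(self) -> int:
        """Inherent risk score: likelihood x impact, so 1-25."""
        return self.likelihood * self.impact


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Enterprise-wide ranking: highest score first; ties broken by impact, then asset name."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.asset.name))


def unit_summary(risks: List[Risk]) -> Dict[str, Tuple[int, int, int]]:
    """Per business unit: (number of risks, highest single score, total score).

    Both the highest single score and the total matter: one unit may carry the
    single worst risk while another carries the most aggregate exposure.
    """
    summary: Dict[str, Tuple[int, int, int]] = {}
    for r in risks:
        count, highest, total = summary.get(r.asset.business_unit, (0, 0, 0))
        summary[r.asset.business_unit] = (count + 1, max(highest, r.score()), total + r.score())
    return summary


def third_party_exposure(risks: List[Risk]) -> Dict[str, int]:
    """Highest risk score attached to each vendor; non-IT vendors count too."""
    exposure: Dict[str, int] = {}
    for r in risks:
        vendor = r.asset.third_party
        if vendor is not None:
            exposure[vendor] = max(exposure.get(vendor, 0), r.score())
    return exposure


# Constructed register: the asset inventory comes first (asset-based approach),
# then a threat identified against each asset. Vendors and units are hypothetical.
REGISTER: List[Risk] = [
    Risk(Asset("HVAC controllers", "system", "Facilities", "HVAC Services Inc."),
         "vendor credentials stolen and reused on our network", likelihood=4, impact=4),
    Risk(Asset("Payroll system", "system", "Finance", "PayCo Cloud"),
         "hosted payroll platform outage on pay day", likelihood=3, impact=4),
    Risk(Asset("Service desk staff", "people", "IT"),
         "phishing leads to credential compromise", likelihood=4, impact=3),
    Risk(Asset("Customer database", "data", "Sales"),
         "unauthorised access to customer records", likelihood=2, impact=5),
    Risk(Asset("Backup tapes", "data", "IT"),
         "loss or theft of offsite media", likelihood=2, impact=4),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score():>3}  {r.asset.business_unit:<10} {r.asset.name:<20} {r.threat}")
    print("per unit (count, highest, total):", unit_summary(REGISTER))
    print("third-party exposure:", third_party_exposure(REGISTER))
```

Two things the register shows that a prose description does not: the single highest-scoring risk sits with a non-IT vendor in Facilities, while IT carries the largest total exposure across its assets, and both views are needed before resources are allocated. The same shared scale is what makes the vendor view in `third_party_exposure` comparable with the internal view.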
The complexity of modern businesses often means relying heavily on third-party vendors for software, cloud services, support, and more. While these relationships are essential, they also introduce additional complexities and layers of risk. Managing third-party risk is about ensuring that these external partners are just as committed to risk management as you are.
Consider the infamous Target breach in 2013. Attackers did not break into Target directly; they first compromised a third-party HVAC vendor, stole the network credentials Target had issued to that vendor, and used them to gain a foothold in Target’s own environment. This event provides a vital lesson in why third-party risk management is so critical: your organization’s security posture is only as strong as your weakest third party.
The Target breach also shows that the vendors who matter are not limited to IT vendors; an HVAC contractor with remote access was enough. When assessing third-party risk, look beyond software and cloud providers to every vendor that holds credentials, data, or a connection into your environment. And just as identifying choke points in the vendor supply chain is essential for managing supply chain risk, it is equally important to evaluate cybersecurity risk throughout that supply chain, including the vendors your vendors depend on.
Do not treat I&T and third-party risk management as isolated silos. Effective ERM integrates the two and aligns third-party oversight with your internal risk management framework. Third parties should understand your risk appetite, security policies, and standards, while internal teams should be aware of third-party related risks and who is responsible for them.
Many organizations stumble in their risk management journeys because of a few common mistakes:
Technology is not just something to manage, it is also your ally in risk management. Modern Governance, Risk, and Compliance (GRC) platforms can streamline risk assessments, automate continuous monitoring, and improve collaboration across teams and with third-parties.
Consider using tools that provide real-time visibility into risks and vulnerabilities, automate vendor evaluations, and deliver actionable insights. These tools help you maintain comprehensive oversight without drowning in spreadsheets and manual tasks.
Effective ERM does not require overly complex frameworks or overwhelming documentation. Sometimes, simple checklists, clear processes, and regular conversations can go a long way. Foster a risk-aware culture where everyone understands their role in managing risks—whether internal or third-party related.
I&T and third-party risk management are not just necessary evils; they are strategic enablers of business success. Well-managed risk allows your organization to innovate and move quickly, knowing you have solid safety nets in place.
As you move forward in your ERM journey, remember:
By getting these fundamentals right, you are not only protecting your business from potential threats but also positioning it for future growth, resilience, and anything else that may follow. Speaking of what comes next: stay tuned for next month’s article, Essential Safeguards: Building Your IT General Controls Framework.