Risk management system introduction
Improving business process efficiency drops off the agenda in only one case: when the sustainability of those processes and the manageability of the business as a whole are in question. These parameters of reliable operation are often undermined by risks which are, to some extent, probabilistic in nature and can therefore be prevented, or their negative influence reduced to a minimum.
It is rather difficult to talk about business reliability without a risk management system.
The paradox of risk management systems lies in their formalization: risks are managed, but without any system. Business owners delegate these rights and this liability to managers, leaving them to make decisions that affect business reliability based on their experience, intuition and deduction. Sometimes it works well, sometimes it doesn't. That is why quality risk management is impossible without a systematic approach.
Open Technologies offers a comprehensive approach to developing a risk management methodology, based not only on components directly dependent on IT systems but also on the specific cases and models characteristic of your industry.
The typical plan for introducing and developing the methodology looks like this:
- selection and agreement of the business processes that require a systematic approach to risk management;
- review of regulatory and legal documentation; the role and influence of information and communication technologies on the agreed business processes; construction of a high-level IT model;
- collection of data about information subsystems and specification of the IT operation model: list of data and information flows, control circuits, software and hardware platforms, architectures, technical support and maintenance, state of the descriptive documentation, rules and tools for integration with other applications;
- inspection of the IT landscape infrastructure (server equipment, storage systems and data transfer networks, information security assurance systems), operational software products, virtualization tools, monitoring and administration systems;
- in parallel with the IT inspection: development and agreement of the list of risks, development of threat models, and detection of the IT system's bottlenecks;
- based on inspection and interview results:
  - assessment of the current state of the IT system and its influence on the development of negative risk consequences, and an action plan within the prevention and response mechanisms;
  - development of a list of IT infrastructure bottlenecks and recommendations on their elimination;
  - delivery of proposals on introducing a risk management system, for example, based on the Government Risk Compliance (GRC) methodology.
The existing practice in the IT market, a separate inspection of information technologies and separate risk management services, does not usually work. Our approach allows the risk management task to be addressed as a whole and yields a set of business process interactions with IT infrastructure subsystems.