IT Risk Assessment
ICT Risk Assessment
by Lasa Information Systems Team
Organisations may be required to carry out risk assessments for a variety of reasons. But what is risk assessment and how does it relate to information technology specifically?
What Is Risk Assessment?
There are various risks associated with an organisation's activities, including:
- Financial management
- Health and safety
Many of the potential risks faced by organisations relate to information held in IT systems (for example, an organisation's accounts will most likely be held in a spreadsheet or accounting program on a computer). Risk assessments allow the identification and evaluation of potential risks to organisations (or individuals).
Risk assessment can be broken down into several phases:
- Identifying the risk — What can go wrong? (e.g. loss of accounts / finance records)
- Evaluating the risk — How likely is it to occur? (e.g. high, medium or low likelihood)
- Analysing the risk — What would be the consequences if the risk did occur? (e.g. unable to produce / monitor finances and budget if accounting records are lost)
- Managing the risk — Once the risk factors have been established, organisations will need to put systems, policies and procedures in place to minimise the effects of the risk should it occur (e.g. daily back up of computerised accounts).
Why risk assessment?
Organisations are often required by various governing bodies and stakeholders to carry out risk assessments. For example, The Charities (Accounts and Reports) Regulations 2000 mean that charities with a gross income of more than £250,000 have a legal requirement to include a risk management statement in their Annual Report (for more information see the Charities Commission discussion).
Apart from the Charities Commission, other bodies, laws and regulations, quality frameworks etc. often require some element of risk assessment to be carried out, since information and data need to be protected and regulations need to be complied with. Whether or not there is a legal requirement to do so, carrying out risk assessments is good practice for any organisation that wants to continue to function, because without knowing what the risks are it is impossible to manage them.
Information Technology Risks
Information technology risk includes the loss of a network, automated system or any other IT resource that would affect an organisation's ability to carry out its mission or function. As such IT risk management needs to be included in an organisation's overall strategy for managing risk.
IT risk will change as new technologies are adopted to support the organisation's mission. Since IT is so fundamental to the way most organisations operate, there are several areas to consider, including:
The Technology itself
This could be both hardware (the physical components) and software (the applications or programs run on a computer). Examples of risks include:
- The hardware or software fails to meet the organisation's operational needs (e.g. newly implemented network, database, finance package etc.)
- The equipment itself fails or proves unreliable (e.g. old / obsolete equipment)
Carefully assessing and reviewing your IT needs as part of your overall IT strategy, drawing up appropriate requirements, carefully assessing suppliers, and properly managing IT projects are ways of reducing these types of risk. In addition, organisations should ensure that they have access to adequate and appropriate technical support for their technology.
Security of assets
This includes both the physical security of equipment, and protecting data held on computer systems. Risks include:
- Loss or damage (e.g. computer system failures such as network going down, or loss of data such as accounting information or important information held in a database, flood or fire damage)
- Theft (e.g. of computer equipment, data held on computers)
- Unauthorised access to information (e.g. via the Internet, or unauthorised users gaining physical access to unsupervised equipment)
Having an inventory of all your ICT equipment, adequate insurance cover, securing PCs and laptops physically, security marking, giving only relevant users permissions to access documents or directories on a computer network etc. are examples of actions that can be taken to minimise these risks. For more on security issues, see the knowledgebase article Safe and sound - keeping your computers and data secure.
In addition to the above, other protective measures should be put in place to protect personal and / or confidential information on your organisation's computers, including:
- Performing regular backups of important data held on computers and keeping a copy off site
- Using and regularly updating antivirus software
- Using a suitable firewall
- If you have a client/server network, using an Uninterruptible Power Supply (UPS) unit to protect your server(s) against power surges and temporary power losses
- Using a RAID (Redundant Array of Independent Disks) system on your server to minimise the effect of a hard drive failing
- If you have a large amount of data, considering having a spare server ready to take over if the main one fails
- Checking regularly for software security patches, particularly for the operating system, e.g. Windows 2000 (Windows users should check the Microsoft security site regularly or subscribe to Microsoft security bulletins)
Health and Safety
All organisations in the UK are required to comply with relevant health and safety laws and risk prosecution if they don't. IT health and safety audits should not be ignored. As well as more general health and safety risks (e.g. trailing cables), use of computers can pose particular risks to employees including:
- Musculoskeletal problems
- Eye strain
For more information see the knowledgebase articles Computer Health and Safety and Display screen equipment risk assessment checklist.
Procedures and Policies
Procedures and policies are important tools for managing risk, and their absence can itself expose organisations to various risks, including:
- Abuse of computer equipment or systems by staff or other users
- Inability to recover from "disaster" such as loss of important data held on computers
(See relevant articles in the Making Policies & Best Practice section of the knowledgebase for more information)
Of course merely having the procedures and policies in place is not enough. They will need to be enforced and regularly reviewed.
Organisations need to consider the relevant laws and regulations that apply to them. Their use of technology can itself create legal risks, in the form of penalties and / or prosecution for failing to comply with relevant laws, including:
- Data Protection Act (e.g. failing to adequately protect personally identifiable information, inappropriate marketing)
- Charities law and Companies Act (e.g. financial reporting requirements not met because of computer systems going down and failure to do adequate backups of financial information)
- Disability Discrimination Act (e.g. failure to provide suitable computer equipment to disabled employees, failure to make reasonable adjustments to your website to make it accessible)
- Health and Safety Act (e.g. failure to provide suitable display screen equipment or working arrangements that allow computer users to take adequate breaks)
- Software licensing and copyright regulations (e.g. using unlicensed software, employees downloading music onto work machines, using copyrighted material on your organisation's website without the permission of the copyright owner etc.)
- Breach of libel laws (e.g. inappropriate use of Internet / email by staff such as libellous or defamatory material sent by email or posted to Internet sites)
The above list is not exhaustive but points to some of the legal areas that will need to be considered.
Loss of key personnel
This is often an issue for voluntary and other organisations that have a high staff turnover, or that rely on volunteers or other external personnel. What happens if the only person who knows how to update your website or administer your network leaves, or if the person who developed and maintains your database gets hit by a bus? Ways of reducing this risk include:
- Clearly defining and describing in writing the IT roles required in the organisation
- Documenting important information such as administrator passwords (keep them securely!)
- Having a designated backup for key IT and other roles
Depending on the size and role of your organisation, the amount of IT risk you will be exposed to will vary. Whatever the size of your organisation, though, it is important to properly assess what the risks are so that you can act to minimise them.
For more resources on risk management generally, try NonProfitRisk.org. You could also try the information in the Business Continuity Planning in IT section and the IT Risk Assessment Tool on the Business Links website.
About the author
Lasa Information Systems Team
Lasa Information Systems Team provides a range of services to community and voluntary organisations including ICT Health Checks and consulting on the best application of technology in your organisation. Lasa IST is responsible for maintaining the ICT Hub Knowledgebase.