White paper

Ensuring business continuity with a sustainable risk management process  

IT is the backbone of digital business. It must be protected against possible risks to ensure smooth operations. Risks are manifold, some arising from external threats (including viruses, aggressive hackers or data theft) and others from internal sources (such as inappropriate handling of passwords by employees, or poor license and contract management). IT security incidents can result in a partial or complete loss of data, the disclosure of sensitive or confidential data, or the manipulation of data—leading to a serious impact on business’ ability to perform its tasks.

Due to the increasing pace of business change, risks are prone to modification as often as IT systems. IT risk management should not be a one-off project, but a continuous process targeting constantly changing IT risk and business environments, monitoring the risks and adjusting the risk management strategy accordingly.

With effective IT risk management processes in place, IT organizations are able to manage IT’s integrity with regard to applications, projects, data, systems, and employees to ensure business continuity. An additional benefit of IT risk management is that it improves operational performance by helping understand IT operational risk so you can implement mitigation measures. Thus the number of incidents can be lowered, fostering greater business satisfaction. Another reason for wanting to establish a continuous IT risk management process is compliance—the consistent enforcement of and compliance with standards and regulations, such as SOX, Dodd-Frank and data protection laws.

IT risk management comprises the inventorization and prioritization of applications to identify possible risks, the assessment of the risks identified and, of course, their mitigation in order to reduce the overall threat to the enterprise.

Read on to find out more about Software AG’s recommended approach to IT risk management and how it is supported by Alfabet for enterprise architecture, IT planning and portfolio management.  

Inventorize applications

The objective of this phase is to prepare a detailed listing of all applications as preparation for setting the scope of the risk assessment. This phase also includes description of the interdependencies between the business, applications and the infrastructure in order to establish a comprehensive inventory that can be re-used for future assessments.

When creating the inventory, it is important to keep the actual need for risk assessment in mind to avoid an unnecessarily large scope. Decide on the reach of the assessment (for example, company-wide, region-wide, organizational or domain-wide) and whether to apply quantitative or qualitative criteria for choosing which applications belong in the inventory for risk assessment. A quantitative assessment calculates different risk factors to understand how these contribute to an overall risk value. A qualitative assessment is more descriptive but in most cases sufficient to identify risk areas that need attention.

  • IT Compliance Manager, CISO
  • Inventorize applications, services, technologies, business capabilities and their relationships to each other
  • Define metrics and aggregation rules
  • Documented IT scope for risk assessment
Best-practice recommendations:
  • Define ownership and responsibility for the application information
  • Define roles for quality control and escalation of issues
  • Document roles in the IT inventory for transparency and to anchor governance
  • Use workflows and wizards to support automation of inventory management and ensure high quality data
  • Integrate to primary sources as available  
Figure 1: Use either a quantitative or qualitative approach to decide which applications will be in the scope for the risk assessment
Figure 2: The ability to see the interdependencies of the architecture elements is critical for business continuity. In this view you see all of the devices, applications and business processes dependent on each other. The various colors and shades indicate risk of loss (blue) and incidence rate (red) with low indicated by a pale color and high indicated by a deep color. The icons indicate business criticality with the arrow up indicating high importance and down indicating low importance.

Prioritize applications

IT risk assessment is commonly carried out by multiple stakeholders and involves many objects—applications, processes, technologies, services—and a variety of risks that are to be assessed. Thus a clear focus should be set on only the relevant objects. This should be done in two phases.

First, identify the most risk-relevant applications—those which are most important to protect—and make them first priority. These will be applications that support business-critical capabilities or are subject to compliance regulations.

Second, perform a detailed risk and mitigation survey. The survey is to fine-tune the reasoning for an application being risk-relevant. This process and follow-up analyses can be automated by using workflows, calculation routines and reporting tools, thus making it less costly in terms of labor. The answers, for example, “major breach of law” for regulatory risk, can then be mapped to metrics reflecting the type of violation, such as confidentiality, integrity or availability. These metrics are then added up to provide a risk-relevance score for the application scope.

Decide on the reach of the assessment (for example, company-wide, region-wide, organizational or domain-wide) and whether to apply quantitative or qualitative criteria for choosing which applications belong in the inventory for risk assessment. A quantitative assessment calculates different risk factors to understand how these contribute to an overall risk value. A qualitative assessment is more descriptive but in most cases sufficient to identify risk areas that need attention.

  • IT Compliance Manager, CISO
  • Define questions and mappings to metrics
  • Survey application owners
  • Decide on prioritization
  • List of applications for risk assessment
Best-practice recommendations:
  • Be pragmatic—pursue a qualitative approach directed at relevant stakeholders
  • Use only a compact set of questions with simple answers
  • Map the answers to numeric values for easier analysis
Figure 3: Here we see a sample survey of questions to ask for each application.
Figure 4: Here we see a metrics scheme which gives a specific value to each answer depending on which type of protection requirement it would need.

Risk assessment

Assessing the risks to applications aims at understanding the risks an application is subject to and analyzing the relevant risk’s damage potential in order to be able to suggest and evaluate possible mitigations.

Risk catalogs support consistent risk assessment by providing sample categories for risks and sample risks in these categories (for example, willful act > manipulation of data or data theft). In the course of the assessment, each risk is assessed as to its probability and damage potential. Inventorizing possible mitigations for the risks in the catalog supports the standardization of the mitigation strategy and reduces the effort in risk assessments. When assessing the risk for an application, it is important to document the relevant mitigation and to what extent the proposed mitigation will change the risk’s probability and damage values in order to be able to identify the most effective mitigations.

  • IT Compliance Manager, CISO
  • Catalog risks
  • Assess probability
  • Assess potential damage
  • Suggest mitigation and assess change to risk
  • Application risk portfolio
Best-practice recommendations:
  • Use a risk catalog to standardize risks and their mitigations
  • Use multiple-choice questions and simple answers for comparability, for example, risk: none, low, medium, high, very-high; damage: $3 million
Figure 5: Once assessed, the risks can be shown in a portfolio according to damage potential and probability of occurrence.
Figure 6: A filter on the portfolio shows mitigation effects to determine the best potential for reduction of risk. This and the previous chart provide a “before-and-after“ risk portfolio.

Risk mitigation

Once identified and assessed, risks can be mitigated by initiating a project to support changes, or by implementing a control system in order to regularly check and ensure that all tasks are fulfilled appropriately.
Typically, internal control systems are a set of controls implemented to ensure that risk mitigations are performed according to plan. For example, if there is a risk of a system failure, a possible mitigation strategy is to provide a back-up instance of the system. Controls for this mitigation strategy could regularly check whether back-ups are made (for example, monthly), whether the restore procedure is documented (for example, yearly), and whether the restore procedure is tested (for example, bi-annually). Automating such control assessments delivers a substantial savings potential for the enterprise as it makes the process repeatable and also provides a basis for external and internal control audits, for example, as required by SOX. And finally, risk mitigation systematically reduces the extent of exposure to a risk and its probability.

  • IT Compliance Manager, CISO
  • Propose mitigation projects
  • Propose controls
  • Reduced risk
  • Documented controls
Best-practice recommendations:
  • Formulate controls as questions
  • Structure controls to address specific compliance topics
  • Re-use controls to reduce effort
Figure 7: Here we see an example of the compliance controls used in a company.

Efficient IT risk management with Alfabet

As IT tries to keep pace with the acceleration of the business environment, IT managers have to find that delicate balance between performance and risk. They need greater insight into their organization’s risk exposure to be able to understand what IT systems carry risk, what the implications of the risk are, and what kind of mitigation measures are needed.

Every company in every industry will have some risk management process in place. But what they need to be asking themselves is: Are the processes and tools we are using really helping to identify all of the risks the company is facing? Because in IT risk management it’s clear: What you don’t know WILL hurt you. A risk management program needs to ensure that:

ALL IT assets are being considered:

  • “Invisible” assets relating to risk-loaded assets are identified
  • Risk surveys are executed time- and cost-efficiently
  • Resources for assessing risks and mitigation efforts are only used on assets that are truly critical
  • Mitigation plans are actionable, effective and published
  • Decisions to accept certain risks are communicated to senior management
  • Risk management processes are repeatable and sustainable

Alfabet puts a best-practice methodology into your hands that will improve your company’s risk posture by identifying:

  • Which projects and applications are risk-relevant
  • What risks these projects and applications actually pose
  • How risks can be effectively mitigated
  • Which mitigations have not been implemented

Alfabet’s proven technology platform enables you to:

  • Capture the assets to be evaluated
  • Understand the structure and relationships of the assets
  • Employ collaboration technology to ensure timely survey participation
  • Automatically translate survey results into risk-relevance values
  • Create reports for easy understanding and communication of the risk portfolio
  • Know when, where and how to start mitigation 

Using Alfabet for a sustainable IT risk management program will reduce the chance of risk event loss and provide a basis for a cost-effective and sustainable risk management program.

You may also like:
White paper
Manage threat in the digital business age
You need to stay current on potential vulnerabilities, and effectively assess and mitigate them in real time. See how enterprise architecture (EA) and IT portfolio management (ITPM) can help.
Your 6-step guide to creating a cloud transformation strategy
IT portfolio management is ideal for developing a smart cloud transformation strategy. See the steps to adapt your business and technology strategies for resilience and growth.
The guide to IT investment portfolio management
Good IT investment portfolio management can clearly align your IT and business goals. But getting started is often the hardest part.
Customer story
Generali: An agile IT pioneer in the insurance industry
This German insurer knows that to keep its processes running smoothly, it’s very important for everyone to know what’s changing. Learn how Alfabet set the ideal conditions for transparency, agility, and regulatory compliance.
Alfabet portfolio playbook: Achieving a business-aligned IT investment portfolio
Business success is dependent on recognizing and responding to changes in a fast-moving business environment. Sustainability goals, resilience to shocks, aligning digital business models to market changes, and fending off cyberattacks are just some of the challenges that organizations must face head-on.
All together now: How OKRs and strategic portfolio management help make the right IT investments
Thinking of using OKRs to drive your company’s IT investments? If so, you’ll also need a way to document your strategy—by adopting an enterprise architecture-based strategic portfolio management, or SPM, solution.
Are you ready to support ongoing innovation?
Fine tune your IT landscape with IT portfolio management to make the right strategic decisions and master change.