IT Risk

From Open Risk Manual

Definition

IT Risk is a broad term that encompasses any risks to the firm's operations that are associated with, and derive from, the use of (digital) Information Technology. IT in this context includes both systems and services: hardware for the computation or storage of data, software for the processing of data, digital communication networks (wired and wireless) used for the transmission of data, and so on.

A variety of other terms are used in the same context with varying degrees of scope overlap: Technology Risk, Cybercrime, Cyber Risk, Information Security (Infosecurity). Note that IT Risk as defined here is wider than the cyber-related terms: it covers not only deliberate attacks but also system failures, operational errors and disruption caused by change to the IT estate.

IT Risk has several distinct subtypes[1], summarized in the IT Risk Taxonomy.

Factors

The IT risk profile of a firm depends in general on the following factors (more specific factors are associated with the individual risk types):

  • whether the institution has a high reliance on the internet, a high adoption of innovative IT solutions, or other business distribution channels that may make it a more likely target for cyber-attacks
  • whether the institution has inherent complexity in its IT landscape (e.g. as a result of mergers or acquisitions) or relies on outdated IT systems
  • whether the institution is implementing material changes to its IT systems and/or IT function (e.g. as a result of mergers, acquisitions, divestments or the replacement of its core IT systems), which may adversely impact the stability or orderly functioning of the IT systems
  • whether the institution has outsourced material IT services or IT systems, whether within or outside the group
  • whether the institution is implementing aggressive IT cost-cutting measures, which may lead to the reduction of needed IT investments, resources and IT expertise and can increase the exposure to all the IT risk types in the taxonomy
  • whether the location of important IT operations/data centres (e.g. regions, countries) may expose the institution to natural disasters (e.g. flooding, earthquakes), political instability, or labour conflicts and civil disturbances

Controls

IT Risk Controls comprise:

  • IT risk management policies, processes and risk tolerance thresholds
  • Organisational management and oversight frameworks
  • Internal audit coverage and findings
  • Specific risk controls for the IT risk sub-categories


References

  1. EBA, Final Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP), EBA/GL/2017/05, 2017
