IT Risk
Revision as of 00:54, 5 March 2020
Definition
IT Risk is a broad term that encompasses any risk to the firm's operations that is associated with, and derives from, the use of (digital) Information Technology.
Information Technology in this context includes both systems and services: hardware for the computation or storage of data, software for the processing of data, and digital communication networks (wired and wireless) used for the transmission of data. A variety of other terms are used in the same context with varying degrees of scope overlap: Technology Risk, Cybercrime, Cyber Risk, Information Security (Infosec).
IT Risk has several distinct subtypes[1], summarized in the following IT Risk Taxonomy:
- IT Availability Risk
- IT Security Risk (See also Cyber Risk)
- IT Change Risk
- IT Data Integrity Risk
- IT Outsourcing Risk
Risk Factors
The IT Risk Profile of a firm depends in general on the following risk factors (more specific factors are associated with the individual risk sub-types):
- whether the institution relies heavily on the internet, has adopted innovative IT solutions at a high rate, or uses other business distribution channels that may make it a more likely target for cyber-attacks
- whether the institution's IT landscape is inherently complex (e.g. as a result of mergers or acquisitions) or built on outdated IT systems
- whether the institution is implementing material changes to its IT systems and/or IT function (e.g. as a result of mergers, acquisitions, divestments or the replacement of its core IT systems), which may adversely impact the stability or orderly functioning of the IT systems
- whether the institution has outsourced material IT services or IT systems, within or outside the group
- whether the institution is implementing aggressive IT cost-cutting measures, which may lead to the reduction of needed IT investments, resources and IT expertise and can increase the exposure to all the IT risk types in the taxonomy
- whether the location of important IT operations/data centres (e.g. regions, countries) may expose the institution to natural disasters (e.g. flooding, earthquakes), political instability, or labour conflicts and civil disturbances
Controls
IT Risk Controls comprise:
- IT risk management policies, processes and risk tolerance thresholds
- Organisational management and oversight frameworks
- Internal audit coverage and findings
- Specific risk controls for the IT risk sub-categories
See Also
References
[1] EBA, Final Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP)