Best Practices in IT Risk Management – Integrate Risk Management into SDLC


An Overview

Before discussing the best practices in IT Risk Management, let’s look at a brief overview of risk management as such. This article offers guidance so that IT project teams can assess and properly treat the “identified risks” in any IT system.

We can divide risk management into five phases:

  • Risk identification
  • Analyzing risks to determine their negative impacts
  • Prioritizing risks in order to create a proper risk management plan
  • Risk treatment – managing risks
  • Auditing the risk management plan to refine it and offer better methods for minimizing negative effects and boosting project productivity.

In short, for any project, it is necessary to create a risk management plan so that the chances of the project failing or not meeting its goals are as small as possible. It is always better to have an in-house Risk Officer who can identify risks and create risk management plans to manage (treat) them. In the absence of a Risk Officer, project managers themselves can create the risk management plan. To do so, managers can hold brainstorming sessions with the different team leads involved in the project. After identifying the risks, document them, ideally as a checklist of risks. This checklist helps project managers create a risk management plan for proper treatment of the risks.

The basics of risk management are the same across any project. Only the risk treatment differs across projects in different fields, such as Information Technology, Stocks, Research, and Events.

Coming to the best practices in IT risk management, the next section deals with integrating risk management into the systems development life cycle. This practice helps in identifying risks at the very first step, and hence the system developers design a system with full awareness of the risk probabilities.

Risk-Based SDLC

Among the best practices in IT risk management is the inclusion of risk factors in the system development life cycle (SDLC), so that the designers develop a system that can counter or mitigate risks as and when applicable. As the SDLC also has audit (or disposal) as its last phase, the assessment of the risk management plan is conducted at the same time. In the case of system disposal, the risk management plan helps ensure proper disposal so that no one else can recover data from the disposed system. Thus, it becomes easier to manage risks associated with IT. For a proper understanding of the risk management process, check out an example of a risk management plan for any project.

You probably understand why you need a risk management plan, but let’s look at the benefits of incorporating risk management into the SDLC. Any systems development life cycle (SDLC) has five phases: inception, design, implementation, maintenance, and audit or disposal. Let us see how the risk management plan fits into each phase of the SDLC.

  • In the first phase, inception, the system developers create a rough draft of the system. While brainstorming on the project, the system developers also discuss the possible risks associated with the system. This is the first step of risk management as well, where project managers identify and prioritize risks.

  • The second phase of the SDLC deals with the design of the system. As the system designers now have an understanding of the risks, they design an informed system that takes the possible risks into account. This stage of the SDLC also produces a list of possible risks: the system designers list the risks that the system may have to manage. For an understanding of the risks list, check out our example of a checklist of risks.

  • The third phase of the SDLC is implementation of the system. The system is configured, tested, and verified. At the same time, the system is also tested against the risks identified in phases one and two. Note that the system should pass the risk management tests before it goes live.

  • The fourth phase of systems development involves maintenance of the system. The system may occasionally develop problems, which the system developers attend to and debug. Maintenance also involves changing system components according to project needs. Similarly, if a need arises to change a risk module or include another risk component, the system developers should make those changes in this phase.

  • The final phase of the SDLC is auditing the system or disposal of the system. If the system goes for auditing, the risk management plan is also assessed so that it can be refined. Auditing the risk management plan is similar to auditing any project plan. The changes in risk management are incorporated when the system is updated based on the system-audit results. If instead the system is disposed of, the risk management plan helps ensure proper disposal, ending the possibility of data theft or retrieval through improper disposal.

Implementing a risk management plan for proper risk treatment is not very feasible after the system goes live. For details on risk treatment, please check out this downloadable example of a risk treatment plan. If risk assessment is done only after the system is developed and tested, many changes may have to be made to integrate risk management into the system, and risk management ends up being carried out as a separate process. As a result, one of the best practices in IT risk management is to integrate risk management into the systems development life cycle, as we have discussed here.