CIOReview | April 2018

COLLABORATIVE COMPREHENSIVE INFORMATION TECHNOLOGY RISK MANAGEMENT

By John Schaefer, Director of Risk Management, Lam Research

As the importance of information technology within a company has increased significantly during the past few decades, the need to control related risks has also increased. Concurrently, the complexity of the threats, and of the solutions implemented against them, has also increased. To best understand and mitigate risks, CIOs need to take a collaborative and comprehensive approach toward risk management.

Risk management can be defined in many ways, but most definitions include the following elements:

1. Risk Identification: What can go wrong that interferes with the company's objectives?
2. Risk Assessment: How likely is it that a specific negative event will happen, what is the speed of onset, and how severe will the consequences be when it happens?
3. Risk Reduction: What activities can be performed to reduce the level of risk, and how will the residual risk be paid for?
4. Risk Monitoring: What risk indicators should be used to determine whether the threat is increasing or decreasing?

These steps must be performed not only to keep information secure, but also to ensure the availability of key systems. These are largely defensive measures. However, IT can also be used to address risks faced elsewhere in the company, including internal performance and meeting strategic objectives. This multi-layered approach is shown below.

As the circle expands, so does the need to include other groups within the risk management process. Much, but not all, of the core circle of information security can be addressed within an IT department. The CIO is often the guardian of key information, since most of it is digitized, travels across a company network and is stored on servers managed by IT. These risks are usually controlled through a combination of tools, processes and policies coordinated through IT.

System availability is also generally led from within IT, but keeping the systems running may also require assistance from groups such as Physical Security, to keep the data center secure, and Legal, to ensure that third-party providers have adequate contractual, systematic and policy protections in place.

In both of the above situations, IT also needs to work with business units to identify and prioritize data and systems and to identify other vulnerabilities that come from outside of IT. For example, to reduce vulnerability to data loss from a third party, IT needs to work with Procurement and Legal to implement