How can IT operations management develop a risk-aware culture?

In my experience, risk Awareness for each and every ITOM (and any organizational) team starts with recognition of their role in risk management. Always asking what can go wrong and what are the implications for my organization? But it doesn’t stop there. Most teams are specialists in their domain and they assess their risks successfully. However, they stop within their silo. Awareness culture transcends how your organization is structured and siloed. Impacts and consequences of a risk that lead to an incident are never limited to just one team’s mandate. Real risk awareness culture lies in recognizing the full picture and the combined roles each team plays. And collaborating. Because Risk management is the ultimate team play.

ITOM should separate the risk management to prevent conflict of interest. Besides, the risk assessment process should also rely on the input from the business, e.g., to understand the business impact in the case of a particular system/function is not available and the corresponding tolerance level.

Risk assessment is the crucial step in the preparation of the risk awareness plan and strategy. In order to make the comprehensive risk assessment you will need to connect with other departments and business users for their input. In order to do a comprehensive risk assessment you will need to have a "big picture" not only from your own vision as ITOM manager but also from another perspective. ITOM's risks are only the tip of the iceberg, so please liaise with other department heads and do the risk assessment exercise together.

Understanding IT risks involves recognizing their diverse sources, internal and external. These risks encompass technology changes, user behaviors, vendor relationships, regulatory requirements, and unforeseeable environmental events. Their impacts vary, from financial losses and reputational damage to operational inefficiencies and legal liabilities. An effective risk management approach involves conducting a comprehensive risk assessment to identify potential risk sources and impacts. Prioritizing risks based on likelihood and severity enables organizations to allocate resources efficiently and implement appropriate mitigation strategies.

IT really should not be implementing risk management strategies, practices, methods or tools outside the overall company Governance, Risk, and Compliance (GRC) framework. While IT risk management has a defined set of concerns, IT needs to be established as a critical partner to the company's overall GRC program. Every other department's GRC scope will include some technology, which means IT becomes the hub of the overall GRC solution.

For successful risk management, controls need to be implemented to mitigate the those risks. Controls must also be assessed for effectiveness on an ongoing basis in order to determine risk exposure, develop remediation activities and assess residual risk to IT.

Risk Management is about understanding and reducing uncertainty. Use scenario planning to work through the risks impacting your operations and business environment to analyze unpredictability and variability. This helps leaders and team members member appreciate the viability of assumptions (whether pragmaticistic or theoretical) and risk interdependencies that can influence outcomes. Scenario planning activities require the commitment of time to participate. This investment of time can provide light bulb moments for organizations to be prepared for an actual risk event. The resulting changes from scenario planning to strategy and operations contribute to navigating disruption and resiliency successfully.

We randomly test users that can cause financial damage to our systems. We are extremely pleased with the KnowBe4 product. Users who fail are required to take a 45 minute interactive training and is quite painful but educational and entertaining. We report failures to our C levels and monitor who regularly fails. We will then isolate the users who constantly fail by limiting their access and therefore the damage they could inflict. We also incorporate this in our employee handbook and take up this matter during new hire orientation. C Level buy in is paramount. At the start, our failure rate was 65%. Now it hovers below 6%. We cannot achieve 0% due to turnover and cannot prevent all possible vulnerabilities;only minimize the risk.

Through the use of technology and data, continuous monitoring can be utilized across the lines of defense. Whether it be analytics, monitoring controls or full population testing, this output can show how effective a process working as well as if it is operating in line with acceptable risk tolerance levels.

Another perspective is that leveraging risk monitoring and reporting tools is a critical step in building a risk-aware culture in IT. These tools collect, analyze, and present data on IT risks and their management. They serve to measure performance, detect emerging risks, report and escalate incidents, and provide insights for continuous improvement. By using these tools, organizations can proactively manage and respond to IT risks, enhancing their overall security and resilience.

It is critical for risk incidents, experiences and issues to be an input back into the risk assessment process (e.g., RCSA, Mgmt Reporting, Internal Audit Risk Assessment) in order to ensure risk are evaluated and addressed at the proper level of action. This allows for proper allocation of risk resources, gaining adequate qualitative risk coverage.