Don’t become a victim of uncertainty with IT risk management


By Daniel Sultana, Regional Director for APAC at Paessler

Life is full of risks and while they can never be eliminated, smart organisations dedicate resources to mitigating IT risks so that potential financial and reputational losses stay under control. IT departments have often focused on providing a stop-gap to fix a specific problem, with little regard to the wider risk management strategy. Such a shotgun approach to problem-solving has major drawbacks, including the inefficient use of the technical resources that are available.

It is easy to fall into the trap and become a “victim of uncertainty.” Even when organisations are prepared for certain key risks, they need to strike a balance so that they can minimise the remaining threats and exploit the opportunities while keeping an eye on critical IT resources. Detecting system failures or performance issues immediately minimises downtime and its economic and reputational impact.

The importance of network management to many areas of IT operational risk management is often neglected. However, it can have a role in identifying potential problems including the download of inappropriate material on business networks and prioritising various classes of network traffic for optimal business performance. In a world in which even sub-second delays in transactional traffic can cost, these can be crucial issues to address.

The three types of operational risk to IT infrastructure

The bad news: it is impossible to eliminate risks. So the first step of risk management is to identify the problems that can and should be managed and to reduce those exposures to a level that the business can accept. IT departments need to be able to identify the three major classes of operational risk.

  1. Technology risks
    These are traditional IT issues ranging from device failure through network-borne computer viruses and worms to more exotic issues such as denial-of-service attacks, intrusion attempts and “war walkers” accessing wireless networks from outside the building. Many of the remedies to these problems are also technology-based, but strong policies are also important. Enforcing a policy that all portable devices implement strong firewalls and anti-virus systems is an obvious one.
  2. Legal and people risks
    These include compliance issues such as preparing for possible litigation, which might include employees downloading inappropriate material from the internet that could create hostile workplace court cases; or potential sabotage and espionage perpetrated by employees. These kinds of threats are harder to manage because technology cannot provide clear-cut solutions. Strong HR policies and good management are key solutions to mitigating these risks.
  3. Natural and man-made disasters
    Floods, bushfires, earthquakes, volcanic eruptions and cyclones can be devastating, but prioritising and defining appropriate strategies for managing these risks is one of the most difficult tasks of risk management. A variety of strategies are available at different prices and with varying levels of protection. They should be judged in the context of the overall situation of the business. However, disaster management should start with common sense and this has been fully tested during the pandemic.

In today’s networked world, most organisations can locate their data centres away from disaster-prone areas in a modern, physically secure facility, sometimes shared with other businesses. Alternatively, they can turn vital IT functionality over to outsourcers or Software-as-a-Service providers that can deliver a greater level of security than the business can achieve in-house. In both cases, the importance of network management, including the internet last mile, becomes central to delivering IT services to the business.

Network management’s role

Network management is an incredibly important tool that is often underutilised for risk mitigation. Monitoring the IT infrastructure enables organisations to troubleshoot performance issues before they affect users or clients.

Network monitoring software checks the availability and uptime of servers, computers, routers, switches, printers and so on. It also tracks bandwidth usage and network traffic, and monitors server load and performance, providing complete visibility of the entire network so that issues are identified before they become real problems.
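To make the checks described above concrete, here is an added example (not code from the original article or from Paessler's products) of the evaluation logic behind an availability and performance monitor. Device names, thresholds and probe readings are all constructed for illustration. It tracks reachability over a rolling window to compute uptime, waits for a configurable number of consecutive failed probes before declaring a device down (so a single dropped probe does not page anyone), raises a recovery event, and flags latency, bandwidth utilisation and server load that exceed their thresholds.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    """Alerting thresholds for a monitored device (hypothetical values)."""
    max_latency_ms: float = 200.0     # round-trip time above this is a performance issue
    max_bandwidth_util: float = 0.80  # fraction of link capacity in use
    max_server_load: float = 0.90     # normalised CPU/server load (0.0 - 1.0)
    fail_streak: int = 2              # consecutive failed probes before a DOWN alert


@dataclass(frozen=True)
class Probe:
    """One monitoring sample; reachable=False means the device did not answer."""
    reachable: bool
    latency_ms: Optional[float] = None
    bandwidth_util: Optional[float] = None
    server_load: Optional[float] = None


class DeviceMonitor:
    """Keeps per-device state between probes and turns readings into alerts."""

    def __init__(self, name: str, thresholds: Thresholds, window: int = 10) -> None:
        self.name = name
        self.t = thresholds
        self.history: Deque[bool] = deque(maxlen=window)  # rolling reachability window
        self.consecutive_failures = 0
        self.down_alerted = False

    def record(self, probe: Probe) -> List[str]:
        alerts: List[str] = []
        self.history.append(probe.reachable)
        if not probe.reachable:
            # Dampen flapping: only alert once the failure streak reaches the threshold.
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.t.fail_streak and not self.down_alerted:
                alerts.append(f"{self.name}: DOWN after {self.consecutive_failures} failed probes")
                self.down_alerted = True
            return alerts
        if self.down_alerted:
            alerts.append(f"{self.name}: RECOVERED")
        self.consecutive_failures = 0
        self.down_alerted = False
        # Performance checks only make sense when the device answered.
        if probe.latency_ms is not None and probe.latency_ms > self.t.max_latency_ms:
            alerts.append(f"{self.name}: latency {probe.latency_ms:.0f} ms exceeds {self.t.max_latency_ms:.0f} ms")
        if probe.bandwidth_util is not None and probe.bandwidth_util > self.t.max_bandwidth_util:
            alerts.append(f"{self.name}: bandwidth utilisation {probe.bandwidth_util:.0%} exceeds {self.t.max_bandwidth_util:.0%}")
        if probe.server_load is not None and probe.server_load > self.t.max_server_load:
            alerts.append(f"{self.name}: server load {probe.server_load:.0%} exceeds {self.t.max_server_load:.0%}")
        return alerts

    def uptime_pct(self) -> float:
        """Percentage of probes in the rolling window that were answered."""
        if not self.history:
            return 100.0
        return 100.0 * sum(self.history) / len(self.history)


# Constructed probe results for three hypothetical devices (not real measurements).
SAMPLE_PROBES: Dict[str, List[Probe]] = {
    "core-switch-01": [Probe(True, 4), Probe(True, 5), Probe(False), Probe(True, 6),
                       Probe(False), Probe(False), Probe(True, 5)],
    "web-server-01": [Probe(True, 20, server_load=0.55), Probe(True, 35, server_load=0.95),
                      Probe(True, 250, server_load=0.60)],
    "wan-router-01": [Probe(True, 30, bandwidth_util=0.60), Probe(True, 40, bandwidth_util=0.85)],
}


def run_monitoring(probes_by_device: Dict[str, List[Probe]] = SAMPLE_PROBES,
                   thresholds: Thresholds = Thresholds()) -> Tuple[List[str], Dict[str, float]]:
    """Replay the probes through a monitor per device; return alerts and uptime figures."""
    alerts: List[str] = []
    uptime: Dict[str, float] = {}
    for name, probes in probes_by_device.items():
        monitor = DeviceMonitor(name, thresholds)
        for probe in probes:
            alerts.extend(monitor.record(probe))
        uptime[name] = monitor.uptime_pct()
    return alerts, uptime


if __name__ == "__main__":
    found_alerts, uptime_by_device = run_monitoring()
    for line in found_alerts:
        print(line)
    for device, pct in uptime_by_device.items():
        print(f"{device}: uptime {pct:.1f}% over the last {len(SAMPLE_PROBES[device])} probes")
```

Replaying the sample data, the single dropped probe on the core switch produces no alert, the later pair of consecutive failures does, and the switch is then reported as recovered; the web server is flagged once for load and once for latency, and the WAN router once for bandwidth. The streak threshold and rolling window are the two knobs that trade alert noise against detection delay.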

Accepting some level of risk

Ultimately there are no guarantees. Life is risky, and a certain amount of IT risk has to be accepted by all organisations. IT risk management is not about guaranteeing that nothing bad will happen, because even the most secure environments experience problems. The true aim of risk management is to reduce exposure to an acceptable level of risk that is both affordable and survivable. So, once the acceptable risk level is set for an organisation, a risk management team is identified and delegated the task of ensuring that no risks exceed this established level, and centralised monitoring helps them keep this under constant control.