
Snake oil or common sense? Demystifying risk management

Tim Banks
Faculty IT Manager
University of Leeds

Let’s face it: risk management doesn’t have the best reputation. Many institutions see it as a necessary evil, something to keep the auditors happy, a document to pull out of the filing cabinet once a year; something that has to be done rather than something people want to engage with. Proper, active IT risk management can be of enormous benefit to an institution, and is the foundation on which professional-quality IT services should be built. However, this requires IT staff at every level to see risk management as a live, ongoing process rather than an annual activity. We all undertake risk assessments on a daily basis, not because we feel we ought to but because we see the value in doing so. Every time we cross a road, pick a child’s toy up from the floor, prepare a meal or get in a car, we are (often unknowingly) assessing likelihood and impact, and making judgements on how to proceed based on the overall level of risk.

Let’s focus on the last of those examples: driving a car. The bad thing that could happen (the impact) is serious injury or death resulting from a crash. The chance that it will happen (the likelihood) depends on a number of triggers, such as excessive speed, mechanical failure or poor weather.

In order to manage the risk of something bad happening, we implement a series of control measures, each of which requires checking (auditing) at different intervals.

Examples of control measures that reduce the likelihood of a crash:

  • We make sure that our driving speed is appropriate to the road conditions, and monitor this every few seconds whilst driving.
  • We make sure that our car is mechanically sound by putting it through an MOT test every year. However, if we hear strange noises before the next MOT is due, we don’t just ignore them; we have the car checked by a mechanic.
  • We check tyre condition weekly (or at least we should).
  • When it’s wet, we use the windscreen wipers to reduce the problem of poor visibility.

Control measures to reduce the impact of a crash might include:

  • Wearing a seatbelt (which we check is securely fastened each trip; the actual belt is tested every year with the MOT).
  • Airbags (again checked every year).
  • Motorway crash barriers (installed and checked by the Highways Agency).

When driving, we don’t think it acceptable to check our speed only once a year, but equally we don’t try to test the airbags on every trip. We have an audit schedule that is appropriate to each control measure, and each control measure is audited by somebody appropriate (e.g. a qualified, experienced MOT tester, the driver, or Highways Agency engineers). Some controls are within the direct control of the driver, some need to be actioned and checked by the driver, and others have to be entrusted to third parties. We should take the same approach to managing risk in IT services.

I have signed up to attend several risk management sessions at EDUCAUSE 2015 and will report back on them in other blog posts.