IT Risk Management — Step-by-Step Guide
A clear guide to finding, assessing, and handling risks that could harm your systems, data, or operations.
1. What IT Risk Management Is
IT risk management helps you find and handle risks that could harm your systems, data, or operations. It’s not about removing all risk, but about knowing what matters most and keeping the remaining (residual) risk within acceptable limits.
The Risk Management Cycle
Identify
Assess
Treat
Monitor
This cycle repeats continuously.
2. Two Ways to Look at Risk
Asset-based approach
You start from what you have — servers, applications, or data — and think about what could go wrong with each.
- Example: “If the customer database is exposed to the internet, personal data could leak.”
- When to use: building your first inventory or ISO 27001 risk list.
- Strength: clear link between assets and controls.
- Limitation: may miss business-level scenarios.
Scenario-based approach
You start from what could happen, not from individual assets. This focuses on business disruption.
- Example: “Ransomware encrypts systems and stops order processing for three days.”
- When to use: once your team understands the core assets and wants to model real incidents.
- Strength: focuses on business impact.
- Limitation: needs facilitation to stay concrete.
Good Practice
Combine both. Use the asset view for coverage and the scenario view for priorities.
3. The Risk Management Process
Step 1 – Identification
Ask three basic questions:
- What could be affected? (→ List key assets or processes.)
- What could happen? (→ Describe the threat or event.)
- What would the effect be? (→ Think of impact on confidentiality, integrity, availability, or compliance.)
Write risks as short statements in the form cause → event → impact:
Example: “Unpatched web server (cause) could be exploited (event), leading to data loss (impact).”
Step 2 – Assessment
Estimate how likely each risk is and how severe its impact would be. Use simple 1–5 scales, write down what each point on a scale means, and keep those definitions fixed so that different assessors rate the same risk the same way. Multiply or combine the two ratings to get a risk level (Low / Medium / High), with the thresholds between levels agreed in advance and recorded with the method. High risks get attention first.
Risk Assessment Matrix (Example)
Columns, impact from 1 to 5: Minor, Low, Moderate, High, Major.
Rows, likelihood from 5 down to 1: Likely, Probable, Possible, Unlikely, Rare.
Each cell of the matrix holds the risk level (Low / Medium / High) for that likelihood and impact pair.
Step 3 – Treatment
Decide what to do for each risk. You have four standard options:
| Option | What it means | Example |
|---|---|---|
| Avoid | Stop or change the activity so the risk disappears. | Don’t store sensitive data locally. |
| Reduce | Add or improve controls to lower likelihood or impact. | Enable MFA, patch systems. |
| Share | Transfer part of the risk to someone else. This moves financial or operational exposure, not accountability: you remain responsible for the outcome. | Buy cyber insurance, use a secure cloud provider. |
| Accept | Acknowledge the residual risk and continue. | Low-impact risks with management approval. |
Step 4 – Monitoring and Review
Risks change over time. Review the register regularly and update entries when systems, vendors, or processes change.
| Frequency | What to check |
|---|---|
| Monthly | High risks and open actions |
| Quarterly | Medium risks |
| Annually | Low risks and risk method itself |
4. What to Record in a Risk Register
Keep the register simple. One line per risk, with clear wording.
| Field | Description |
|---|---|
| Risk ID / Title | Unique name |
| Description | Cause → Event → Impact |
| Type | Asset- or scenario-based |
| Owner | Person responsible |
| Likelihood / Impact / Level | Current rating |
| Existing Controls | What is already in place |
| Planned Actions | New or improved controls |
| Residual Risk | Expected level after treatment |
| Status | Open / In Progress / Closed |
| Review Date | Next check |
5. Example
Scenario: Ransomware attack stops the ERP system for several days.
Identification: Ransomware (cause) encrypts the business-critical ERP system (event), halting order processing for several days (impact).
Assessment: Likelihood = 3 (Possible), Impact = 5 (Major) → High.
Treatment (Reduce): Set up offline backups, run phishing training, enforce a patch policy.
Residual risk (after controls): Likelihood = 2 (Unlikely), Impact = 4 (High) → Medium, accepted with management approval.
Monitoring: Review quarterly (the cadence for a Medium risk); test a backup restore once per quarter.
6. Key Takeaways
- Start small — focus on top 10–15 risks first.
- Keep risk statements clear and business-focused.
- Combine asset and scenario thinking.
- Always assign an owner.
- Review regularly and update evidence.