Many people start out dealing with risk and have no idea they have anything to do with it. They look at problems and issues and deal with all manner of things, but until someone sits down with them and explains risk they just go along without managing it. In Information Technology and Information Systems Management there is a lot of daily risk work, but some people are still working blindly on systems, either in operations or on projects, with little idea about risk.
I know I spent time working in projects and didn't fully understand risk, so I went out and bought a book. It was pretty short, but it did a good job of explaining it. Unfortunately I didn't really get it at that time; I didn't think it could be that simple, so I kept looking for more information. Yes, risk is a simple topic.
Three questions should just about do it:
What could impact me or what I am working on?
What is the likelihood of that happening?
What would be the effect if the thing happened?
Yes, that's it.
Now the interesting work happens. There are a number of risk matrices around, and these allow you to rate each risk you have identified relative to the others. This is the hard part: applying each risk to the matrix you have chosen to use and then weighting each risk.
The following is an example of risk determination.
A data center is in a major city somewhere in the world. Some of the risks that might apply to this data center are flooding, earthquake (hopefully not both), rioting, fire, labour strikes, plane crash and power problems. These are potential problems that could apply to any global city these days. So we would list these risks using a table; if you haven't done it before, just try a spreadsheet.
Then we would look at whether any of them can realistically happen. A plane crash could happen: a light aircraft could in fact have an engine failure and crash into the data center. We would have to document that. If the nearest airport is 40 km away, the chance of that might make the risk negligible; we might instead be within 1 km of a major international airport. These cases would have different weightings as to whether the event is unlikely or probable.
We keep building our list, assigning each risk a likelihood and a consequence.
Now we have our risk matrix. From this we can evaluate some of our decisions: should we have a DR site, and where should it be? Should we have different access to our building and our server room? Remember to only look at those risks associated with what it is we are trying to understand. The earthquake fault line 10 km away doesn't really alter our risks in regard to external security threats, like botnets, but it sure influences our decision on where to place the DR site and whether we should have one.
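As an added worked example (my own illustration, not code from the original post), here is a small Python risk register that does what the paragraphs above describe: each risk gets a likelihood and a consequence, the two are combined on a 5x5 matrix, the register is ranked, and a domain tag keeps the DR-site question from being polluted by risks that belong to a different decision. The five-step scales, the rating bands, the sample risks and their domain tags are all constructed assumptions; swap in whatever matrix your organisation uses.

```python
from dataclasses import dataclass, field

# Qualitative scales mapped to numbers. These five-step scales and the rating
# bands further down are a constructed convention for this example, not a
# standard the post prescribes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    # Which decisions this risk bears on (e.g. "site" for where/whether to put
    # a DR site, "access" for building access, "cyber" for external threats).
    domains: frozenset = field(default_factory=frozenset)

    @property
    def score(self) -> int:
        """Likelihood x consequence: the value of the matrix cell the risk lands in."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def rating(self) -> str:
        return rate(self.score)


def rate(score: int) -> str:
    """Map a matrix score (1..25) to a rating band. Thresholds are constructed."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(register, domain=None):
    """Risks in scope for a decision, highest score first (name breaks ties)."""
    in_scope = [r for r in register if domain is None or domain in r.domains]
    return sorted(in_scope, key=lambda r: (-r.score, r.name))


def matrix(register):
    """5x5 grid keyed by (likelihood, consequence); each cell lists risk names."""
    grid = {(l, c): [] for l in range(1, 6) for c in range(1, 6)}
    for r in register:
        grid[(LIKELIHOOD[r.likelihood], CONSEQUENCE[r.consequence])].append(r.name)
    return grid


def render(register):
    """Plain-text matrix with the most likely row on top, consequence rising left to right."""
    grid = matrix(register)
    lines = []
    for l in range(5, 0, -1):
        cells = [", ".join(grid[(l, c)]) or "-" for c in range(1, 6)]
        lines.append(f"L{l} | " + " | ".join(f"{cell:<34}" for cell in cells))
    return "\n".join(lines)


# Constructed register for the data-centre example. The two plane-crash entries
# are the same hazard weighted for the two site options the post contrasts.
SAMPLE_REGISTER = [
    Risk("plane crash (nearest airport 40 km)", "rare", "catastrophic", frozenset({"site"})),
    Risk("plane crash (nearest airport 1 km)", "possible", "catastrophic", frozenset({"site"})),
    Risk("flooding", "possible", "major", frozenset({"site"})),
    Risk("earthquake (fault line 10 km away)", "rare", "catastrophic", frozenset({"site"})),
    Risk("fire", "unlikely", "catastrophic", frozenset({"site", "access"})),
    Risk("rioting", "unlikely", "moderate", frozenset({"site", "access"})),
    Risk("labour strike", "possible", "minor", frozenset({"site"})),
    Risk("power failure", "likely", "moderate", frozenset({"site"})),
    Risk("botnet attack", "likely", "moderate", frozenset({"cyber"})),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for r in rank(SAMPLE_REGISTER, domain="site"):
        print(f"{r.score:>2} {r.rating:<8} {r.name}")
```

Ranking with `domain="site"` is the DR-site conversation: the fault line and the airports show up, the botnet does not; ranking with `domain="cyber"` is the reverse, which is the scoping point made above.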
In IT there are many risks to deal with: physical threats, insider security problems, outsider security problems and business risks, to name but a few. If you are doing projects, and let's face it who isn't, then you have project risks. On the ISACA website there is a very good set of information to use for looking at risk and managing it.
There is a Risk IT framework that is a great tool to assist you in building your risk profile. Risk assessments like this are great tools for arguing business ideas. One thing it doesn't cover is project risk in the way Prince2 or PMP approach it, but I would say that if you are a project manager and have a good understanding of Risk IT then you will likely be a better risk manager on your projects.
The Risk IT framework will assist in aligning IT risk to the overall business risk. It will help business managers and technical staff to align risks and formulate better responses. It assists in better governance and includes a generic list of common IT risk scenarios.
Risk IT fills a gap between more general risk management frameworks such as ISO 31000 and the more specific risk frameworks widely used in IT security. I would recommend anyone who needs to do more with risk in the IT area go to the ISACA website and download the Risk IT Overview and the Risk IT Framework; both are free, though you need to create an account to do so.
If you need to go further, then consider either paying for a copy of the Risk IT Practitioners Guide or joining ISACA and obtaining the Practitioners Guide for free.