IT Risk Management


IT risk management is not a standalone service in my practice; it is the analytical foundation that makes disaster recovery planning and information security management work properly. Without rigorous Business Impact Analysis and risk assessment, DR plans are based on assumptions rather than evidence, and ISMS control selection is generic rather than risk-informed.

My approach to risk management is grounded in the CRISC (Certified in Risk and Information Systems Control) body of knowledge, and informed by established frameworks including ISO 27005, ISO 31000, and COBIT 2019 with RISK IT. I provide professional risk management services as an integrated component of DR and ISMS engagements, and as a standalone discipline for organisations that need structured risk analysis and governance.


Risk Management as the Foundation for DR and ISMS

The layered dependency mapping framework I have developed for disaster recovery planning requires rigorous Business Impact Analysis to function. Without an accurate BIA (identifying critical business processes, their dependencies, recovery time objectives, and recovery point objectives), dependency mapping has no anchor. The framework works because it starts with an evidence-based understanding of what the organisation actually needs to recover, in what sequence, and to what standard.

Similarly, effective ISMS implementation depends on risk-informed control selection. ISO 27001 provides a catalogue of security controls, but not all controls are equally relevant to all organisations. Risk analysis determines which controls address the threats and vulnerabilities that actually matter, and which can be deprioritised or excluded. Without structured risk assessment, ISMS implementation becomes a compliance exercise rather than a strategic response to real exposure.

This is why risk management sits at the centre of my consulting practice, even though it is not the primary offering. It is the analytical discipline that makes the other work defensible.


What Is IT Risk Management?

IT risk management is the systematic process of identifying, assessing, treating, and monitoring risks to information assets, IT systems, and the business processes they support. It translates uncertainty into structured decision-making, enabling organisations to allocate resources to the risks that matter most and to justify those allocations to leadership, auditors, and regulators.

Effective IT risk management is not a one-time assessment. It is a continuous process integrated into governance structures, with defined ownership, regular review cycles, and clear escalation pathways when risk exposure exceeds appetite.


The frameworks I use to structure this work include:

      • ISO 27005 – Information Security Risk Management. Provides a seven-stage process aligned to ISO 27001, covering context establishment, risk identification, analysis, evaluation, treatment, acceptance, and communication.
      • ISO 31000 – Enterprise Risk Management. A higher-level framework applicable across all risk domains, not just IT. Useful for organisations integrating IT risk into broader enterprise risk programmes.
      • COBIT 2019 with RISK IT – Governance-focused framework for aligning IT risk with enterprise objectives. RISK IT provides specific guidance on IT risk governance, evaluation, and response, and integrates well with COBIT’s governance and management structures.
      • NIST Risk Management Framework (RMF) – Control-oriented framework widely used in government and critical infrastructure sectors. Structured around categorisation, control selection, implementation, assessment, authorisation, and continuous monitoring.


ISO 27005 and COBIT/RISK IT are the frameworks I use most frequently. ISO 27005 is the natural companion to ISO 27001 ISMS implementations. COBIT/RISK IT is appropriate for organisations with mature IT governance structures and board-level risk oversight.


What I Provide

My risk management services are structured around the core activities required to establish and maintain a defensible risk programme:


Business Impact Analysis (BIA)

BIA is the foundation of disaster recovery planning. I work with stakeholders to identify critical business processes, map their dependencies on IT systems and services, define Maximum Tolerable Periods of Disruption (MTPD), and establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). The result is an evidence-based understanding of what the organisation must recover, and in what sequence, to resume critical operations.

BIA is a structured, repeatable process involving interviews, workshops, dependency mapping, and impact scoring. It is not a one-off exercise: a BIA must be reviewed and updated as the business changes, new systems are introduced, or organisational priorities shift.

Asset Identification and Classification

You cannot manage risk to assets you do not know exist. I guide organisations through structured asset identification, including shadow IT, cloud services, key applications, data repositories, and infrastructure components. Assets are classified according to confidentiality, integrity, and availability requirements, and according to their role in supporting critical business processes.

Asset classification provides the foundation for both risk analysis and control design. It answers the question: if this asset is compromised, what is the impact to the organisation?

Threat and Vulnerability Assessment

Threat modelling identifies the threat actors, attack vectors, and failure scenarios relevant to the organisation’s operating environment. Vulnerability assessment identifies the weaknesses in systems, processes, and controls that those threats could exploit. Together, these activities produce a structured understanding of risk exposure.

I do not rely on generic threat catalogues. Threat and vulnerability assessment is contextual, informed by the organisation’s sector, regulatory environment, threat intelligence, and past incidents.

Risk Assessment and Risk Register Development

Risk assessment combines asset value, threat likelihood, and vulnerability severity to produce a prioritised view of risk exposure. I use qualitative, semi-quantitative, or quantitative methods depending on organisational maturity and data availability. The output is a risk register: a structured record of identified risks, their owners, their current treatment status, and their residual exposure.

The risk register is the governance artefact that drives decision-making. It is reviewed regularly, updated as risks change, and escalated to leadership when exposure exceeds appetite. Without a well-maintained risk register, risk management is an academic exercise with no operational impact.
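The following is an added illustration of how BIA outputs (MTPD, RTO, RPO and dependencies) can feed asset valuation and a scored, appetite-aware risk register, covering both the BIA and the risk assessment steps above. It is example code, not the author's own method or tooling; the 1..5 scales, the MTPD-to-value bands, the multiplicative score and the appetite threshold are assumptions chosen for the example, and all data is constructed.

```python
from collections import namedtuple

# Constructed sample data for illustration; not drawn from any real engagement.
# BIA entry: process, MTPD / RTO / RPO in hours, and the IT assets it depends on.
BiaEntry = namedtuple("BiaEntry", "process mtpd_hours rto_hours rpo_hours depends_on")
# Risk: likelihood and severity on an assumed 1..5 scale; status is open, mitigated or accepted.
Risk = namedtuple("Risk", "risk_id asset threat likelihood severity owner status")

BIA = [
    BiaEntry("Order processing", 8, 4, 1, ("ERP", "Payment gateway")),
    BiaEntry("Payroll", 72, 48, 24, ("HR system",)),
    BiaEntry("Public website", 168, 240, 24, ("CMS",)),  # RTO exceeds MTPD: a planning defect
]
RISKS = [
    Risk("R1", "ERP", "ransomware", 3, 4, "CIO", "open"),
    Risk("R2", "HR system", "credential theft", 2, 3, "HR Director", "open"),
    Risk("R3", "CMS", "defacement", 4, 5, "Marketing", "open"),
    Risk("R4", "Payment gateway", "provider outage", 3, 5, "CFO", "accepted"),
]
APPETITE = 40  # assumed appetite: highest score (out of 125) tolerated without escalation

def bia_violations(entries):
    """Processes whose RTO does not fit inside the MTPD: the DR target cannot meet the business need."""
    return [e.process for e in entries if e.rto_hours > e.mtpd_hours]

def asset_values(entries):
    """Asset value 1..5 derived from the tightest MTPD of any process that depends on the asset."""
    bands = [(4, 5), (24, 4), (72, 3), (168, 2)]  # assumed MTPD-hours upper bound -> value
    values = {}
    for e in entries:
        value = next((v for limit, v in bands if e.mtpd_hours <= limit), 1)
        for asset in e.depends_on:
            values[asset] = max(values.get(asset, 0), value)
    return values

def risk_register(risks, values, appetite):
    """Semi-quantitative score = asset value x likelihood x severity; flag unaccepted risks above appetite."""
    rows = []
    for r in risks:
        score = values.get(r.asset, 1) * r.likelihood * r.severity
        rows.append({"id": r.risk_id, "asset": r.asset, "owner": r.owner, "status": r.status,
                     "score": score, "escalate": score > appetite and r.status != "accepted"})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

if __name__ == "__main__":
    print("BIA violations:", bia_violations(BIA))
    for row in risk_register(RISKS, asset_values(BIA), APPETITE):
        print(row)
```

Accepted risks above appetite are listed but not escalated here, on the assumption that acceptance already carries leadership sign-off; the register still makes that exposure visible.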

Risk Treatment and Mitigation Planning

Risk treatment defines how the organisation will respond to identified risks: accept, avoid, transfer, or mitigate. I support organisations in defining treatment protocols, prioritising mitigation activities according to risk ranking and resource availability, and embedding treatment plans into project management and operational workflows.

Risk treatment is where risk assessment becomes actionable. It is also where organisations often fail, producing comprehensive risk registers but never implementing the controls or process changes required to reduce exposure.

Risk Governance and Reporting

Effective risk management requires governance structures that define ownership, escalation pathways, and decision rights. I support organisations in embedding risk governance into existing management structures: defining risk owners, establishing risk committees, and creating reporting mechanisms that provide leadership with actionable risk intelligence.

This includes KPI and KRI development, dashboard design, and board-level risk reporting. The goal is to make risk visible to decision-makers in a form they can act on.


Why Risk Management Matters

Without structured risk management, organisations operate reactively, responding to incidents, audit findings, and regulatory requirements as they arise, but without a coherent view of overall exposure. Resources are allocated inefficiently, with effort spent on low-impact risks while high-impact vulnerabilities remain unaddressed.

Structured risk management provides:


      • Visibility over risk exposure, enabling prioritised resource allocation
      • Defensible decision-making, with documented rationale for risk treatment choices
      • Governance and accountability, with clear ownership and escalation pathways
      • Compliance and audit readiness, with traceable evidence of risk management processes
      • Integration with DR and ISMS programmes, ensuring that recovery strategies and security controls are risk-informed


Risk management is not glamorous work, but it is foundational. It is the discipline that ensures DR plans are grounded in business reality rather than generic templates, and that ISMS controls address the threats that actually matter rather than a checkbox catalogue.


Working Together

If you are building a disaster recovery programme, implementing an ISMS, or establishing enterprise risk governance, structured risk management is the foundation that makes those efforts defensible.

I provide professional risk management services grounded in the CRISC body of knowledge and informed by ISO 27005, ISO 31000, and COBIT/RISK IT. This work is often delivered as an integrated component of DR or ISMS engagements, but it can also be provided as a standalone discipline for organisations that need rigorous risk analysis and governance support.

Contact me to discuss how structured risk management can support your disaster recovery planning, information security programme, or broader IT governance objectives.