风险管理的一个关键方面是IT问题管理, which involves managing issues and exceptions that can stem from an array of sources including federal and state regulators and other government agencies. In addition, organizations experience issues and exceptions arising from audit findings, 内部测试团队, 安全事件和自我识别的问题. Each of these types of issues is nuanced and must be prioritized according to risk.
Failure to effectively manage these issues can have severe consequences, 比如经济损失, 声誉损失, 监管处罚和运营中断. Conversely, an effective issue management process gives decision makers the tools they need to effectively prioritize resources. Thus, it is worth exploring the importance of IT issue management and highlighting best practices and tools that organizations can use to understand, 衡量和减轻IT风险.
问题管理工具
An issue management tool can help streamline the issue management process and make it easier to track issues and resolutions. 有许多可用的问题管理工具, ranging from simple spreadsheets to customized Sharepoint forms to more advanced software solutions such as Archer GRC or ServiceNow workflows. Some of the key features to look for in an issue management tool include:
- 能够跟踪问题和解决方案
- 可定制的工作流和流程
- 与其他IT管理工具的集成
- 报告和分析功能
应该记录问题, 包括对问题和背景的描述, 根本原因, 问题的严重性和影响, 优先级, 解决问题的计划(包括最后期限). More advanced tools offered by issue management software may include:
- 违例:对被违反的法律、法规或政策的引用
- 解决问题的增量进度更新
- Information about any software applications affected by the issue
- 对受问题影响的业务流程的描述
- A link to software used to manage user stories and backlogs (for Agile environments)
Aggregating all IT issues and their associated risk levels within a centralized system offers significant advantages. It enables effective communication of risk to senior management and provides a comprehensive view of trends and patterns. 通过聚合问题, organizations can gain a holistic understanding of the overall risk landscape and make resource allocation decisions in a risk-based fashion. Risk management and compliance professionals can use the outputs and data from the issue management tool to make the case for resources to be allocated where they can have the highest return on investment (ROI).
通过聚合问题, organizations can gain a holistic understanding of the overall risk landscape and make resource allocation decisions in a risk-based fashion.
风险评级事宜
A critical aspect of IT issue management is risk rating the issues. IT issues can have significant consequences including financial loss, 声誉受损和监管处罚. Therefore, it is essential to prioritize and address issues based on their level of risk. Risk rating involves evaluating the likelihood and impact of an IT issue and assigning it a risk score. This score helps organizations determine the appropriate level of response and resources needed to address the issue.
Because the risk rating process concerns any potential damage that may be caused by an issue and how it would affect the enterprise, risk rating requires IT teams to have a deep understanding of the business context. Additionally, IT teams should implement a structured review and approval process with 2 goals:
- 获得资助补救的业务单位的支持.
- 获得监督所需IT资源的领导的支持.
More significant issues requiring increased IT and business resources involve approval from higher levels of management.
同样值得注意的是,随着问题的解决, 组织可以重新评估他们的风险等级. By effectively addressing the key aspects of high-risk issues that are easy to resolve (i.e., low-hanging fruit), the risk level can be reduced to a moderate or even low level. This incentivizes management to identify compensating controls and quickly fix any issues that are considered low-hanging fruit.
承担风险
在某些情况下, an organization may choose to acknowledge or accept the risk associated with an IT issue. This decision should only be made after a thorough risk assessment and consideration of all available options. Acknowledging or accepting the risk does not mean ignoring the issue, but rather, it means taking steps to mitigate the risk and minimize the potential impact. For example, if an organization identifies a high-risk IT issue that would be too costly to address, it may choose to implement compensating controls to reduce the risk. 另外, management may decide to transfer the risk to a third-party service provider through outsourcing. Organizations may also differentiate between accepting a given risk and deciding that a policy violation occurred without any corresponding risk. Issues that are accepted or acknowledged without being fixed should be revisited periodically in case changing budgets or technology capabilities make it possible to fix the issue.
Conclusion
在这个监管和IT风险加剧的时代, organizations must navigate a complex landscape to safeguard their operations and maintain compliance. 通过实现结构化的方法, 利用问题管理工具, 采取基于风险的决策, organizations can proactively address IT issues and allocate resources effectively. Effective issue management empowers enterprises to focus on high-priority risk, 保护自己,推动长期成功.
Eric Peck, CISA, CISSP
Is an experienced risk professional with more than a decade of experience as a bank regulator, 内审员和IT风险经理. He is passionate about improving technology risk management systems in the financial industry.