risk assessment - tool/template available?



  • I am curious to know if any of you can share your thoughts on how IT risk assessment has been performed and what has been used? i.e. is there a proven, effective tool (or tools) out there, whether it is a spreadsheet someone creates or a full-blown system/app, that you can recommend or share?
    Thank you in advance…



  • Risk assessment is quite subjective and the inputs for assessing IT risk would vary from case to case.
    The best way to go ahead would be to develop a template based on IT management's risk appetite (how much risk is acceptable), establish a scoring matrix (based on risk, probability, and annualised loss expectancy) and assess each IT challenge based on this.
    Frankly, a tool or application would be of little use (other than reducing paper and computing work) given how dynamic IT risk assessment is.
    Hope this input helps.
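The template described in the reply above (a likelihood-by-impact scoring matrix, with annualised loss expectancy checked against a stated risk appetite), as an added, constructed Python example; it is not code from the thread or any poster, and the appetite figure, the 3x3 scale, its banding into high/medium/low and the sample register are all assumptions.

```python
from dataclasses import dataclass

# Assumed risk appetite (constructed): max annualised loss accepted untreated.
RISK_APPETITE_ALE = 50_000.0

# Assumed 3x3 qualitative scale; the matrix score is likelihood x impact,
# banded as 6-9 high, 3-5 medium, 1-2 low.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    name: str
    likelihood: str  # qualitative probability bucket
    impact: str      # qualitative impact bucket
    sle: float       # single loss expectancy: cost of one incident
    aro: float       # annualised rate of occurrence: incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro

    def score(self) -> int:
        """Position in the qualitative scoring matrix (1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def assess(items, appetite=RISK_APPETITE_ALE):
    """Score each item; flag for treatment when the ALE exceeds the appetite
    or the qualitative rating is high, so a rare-but-catastrophic item is
    caught even though it sits in the middle of the matrix."""
    rows = []
    for it in items:
        s, a = it.score(), it.ale()
        rows.append({"name": it.name, "score": s, "rating": rating(s),
                     "ale": a, "treat": a > appetite or rating(s) == "high"})
    rows.sort(key=lambda r: (-r["score"], -r["ale"]))  # worst first
    return rows


# Constructed sample register, not real figures.
REGISTER = [
    RiskItem("Unpatched internet-facing web server", "high", "high", 120_000, 0.5),
    RiskItem("Laptop theft with unencrypted disk", "medium", "medium", 8_000, 2.0),
    RiskItem("Data-centre power failure", "low", "high", 300_000, 0.2),
]
```

Running `assess(REGISTER)` ranks the web server first, and the power failure is flagged for treatment on ALE alone even though its matrix rating is only medium.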



  • Hi SG - To add to NC’s points, I saw some potentially good links in the search below, that might help:
    Please paste to browser and add www
    google.com/search?hl=en-and-q=sox risk management
    Please paste to browser and add www
    networkworld.com/columnists/2005/050205blum.html
    PCAOB's current guidelines call for companies to develop internal controls based on risk management considerations - what risks to accept, avoid or transfer before rushing in with protective measures. Moreover, the cost of protections should be proportionate to the consequences they prevent or other benefits they bring to the business. If SOX is causing your company to increase emphasis on risk management, that's a good thing in itself.
    SOX risk management runs a bit sideways to traditional risk management, which focuses on preventing major losses. SOX doesn't care, so to speak, whether the company loses money, as long as it accurately reports on losses. Therefore, SOX remediation should pay the most attention to locations, systems and applications that deal directly with large amounts of financial information. Companies should make sure that auditors do the same.



  • ISACA has some good material in this area as well as various tools and methodologies, e.g. COBIT, Val IT.



  • Thank you for posting your feedback and input about IT Risk Assessment and Tools. I appreciate them greatly. I will follow up with your suggestions.
    SG

