A crucial aspect of risk management is IT issue management, which involves managing issues and exceptions that can stem from an array of sources including federal and state regulators and other government agencies. In addition, organizations experience issues and exceptions arising from audit findings, internal testing teams, security incidents and self-identified issues. Each of these types of issues is nuanced and must be prioritized according to risk.
Failure to effectively manage these issues can have severe consequences, such as financial loss, reputational damage, regulatory penalties and operational disruptions. Conversely, an effective issue management process gives decision makers the tools they need to effectively prioritize resources. Thus, it is worth exploring the importance of IT issue management and highlighting best practices and tools that organizations can use to understand, measure and mitigate IT risk.
Issue Management Tools
An issue management tool can help streamline the issue management process and make it easier to track issues and resolutions. There are many issue management tools available, ranging from simple spreadsheets to customized Sharepoint forms to more advanced software solutions such as Archer GRC or ServiceNow workflows. Some of the key features to look for in an issue management tool include:
- Ability to track issues and resolutions
- Customizable workflows and processes
- Integration with other IT management tools
- Reporting and analytics capabilities
Issues should be documented, including a description of the issue and context, the root cause, the severity and impact of the issue, the priority level, and the plan to resolve the issue (including deadlines). More advanced tools offered by issue management software may include:
- A citation of the law, regulation or policy that was violated
- Incremental progress updates on resolving the issue
- Information about any software applications affected by the issue
- A description of business processes affected by the issue
- A link to software used to manage user stories and backlogs (for Agile environments)
Aggregating all IT issues and their associated risk levels within a centralized system offers significant advantages. It enables effective communication of risk to senior management and provides a comprehensive view of trends and patterns. By aggregating issues, organizations can gain a holistic understanding of the overall risk landscape and make resource allocation decisions in a risk-based fashion. Risk management and compliance professionals can use the outputs and data from the issue management tool to make the case for resources to be allocated where they can have the highest return on investment (ROI).
By aggregating issues, organizations can gain a holistic understanding of the overall risk landscape and make resource allocation decisions in a risk-based fashion.
Risk Rating Issues
A critical aspect of IT issue management is risk rating the issues. IT issues can have significant consequences including financial loss, damage to reputation and regulatory penalties. Therefore, it is essential to prioritize and address issues based on their level of risk. Risk rating involves evaluating the likelihood and impact of an IT issue and assigning it a risk score. This score helps organizations determine the appropriate level of response and resources needed to address the issue.
Because the risk rating process concerns any potential damage that may be caused by an issue and how it would affect the enterprise, risk rating requires IT teams to have a deep understanding of the business context. Additionally, IT teams should implement a structured review and approval process with 2 goals:
- Get buy-in from the business unit funding the remediation.
- Get buy-in from the leader overseeing the required IT resources.
More significant issues requiring increased IT and business resources involve approval from higher levels of management.
It is also worth noting that as issues are addressed, organizations can reevaluate their risk ratings. By effectively addressing the key aspects of high-risk issues that are easy to resolve (i.e., low-hanging fruit), the risk level can be reduced to a moderate or even low level. This incentivizes management to identify compensating controls and quickly fix any issues that are considered low-hanging fruit.
Accepting the Risk
In some cases, an organization may choose to acknowledge or accept the risk associated with an IT issue. This decision should only be made after a thorough risk assessment and consideration of all available options. Acknowledging or accepting the risk does not mean ignoring the issue, but rather, it means taking steps to mitigate the risk and minimize the potential impact. For example, if an organization identifies a high-risk IT issue that would be too costly to address, it may choose to implement compensating controls to reduce the risk. Alternatively, management may decide to transfer the risk to a third-party service provider through outsourcing. Organizations may also differentiate between accepting a given risk and deciding that a policy violation occurred without any corresponding risk. Issues that are accepted or acknowledged without being fixed should be revisited periodically in case changing budgets or technology capabilities make it possible to fix the issue.
Conclusion
In this era of heightened regulation and IT risk, organizations must navigate a complex landscape to safeguard their operations and maintain compliance. By implementing a structured approach, leveraging issue management tools, and adopting risk-based decision-making, organizations can proactively address IT issues and allocate resources effectively. Effective issue management empowers enterprises to focus on high-priority risk, protect themselves and drive long-term success.
Eric Peck, CISA, CISSP
Is an experienced risk professional with more than a decade of experience as a bank regulator, internal auditor and IT risk manager. He is passionate about improving technology risk management systems in the financial industry.