The ‘R’ in GRC: Your guide to a better IT Risk management strategy

9 min read

We’re back with our third installment of the GRC blog series. Last week, we talked specifically about IT Governance and its place within the overall GRC structure. The way your organization polices itself is critical to its long-term sustainability, not to mention being a responsible business. Governance needs to be built from the ground up.

In this blog post we will tackle the next phase – Risk management.

It seems like the more rapidly we incorporate powerful technology into our business processes, the more risks we face. Threats can come from many places, both internal and external, whether it’s an attacker infiltrating your systems, an innocent employee accidentally clicking on a suspect link in an email, or ‘risky’ customized code that isn’t secured well enough. Ensuring that your business processes and IT infrastructure are secure is an essential practice for avoiding these kinds of risks.

You need an approach to make sure these risks can be spotted before they have a chance to negatively impact the performance of your organization or damage its reputation.

That’s why a dedicated, thoughtful IT risk management strategy is imperative.

What your IT risk management strategy should include

Your risk management strategy should be made up of three core functions:

Identifying risk

Recognizing gaps in internal and external processes (interactions with third parties, for example) and bringing them to the attention of the people who can act on them.

Assessing risk

When it comes to assessing risks, being actively aware of where uncertainty exists is very important. Assess risks surrounding the organization, your people, and assets.

Managing and preventing risk

Risk is part and parcel of running an organization. But managing and preventing that risk effectively is the hallmark of a successful and well-run business.

Your risk management strategy should be:

  • Systematic
  • Recorded
  • Reviewed consistently

Whose responsibility is IT risk management?

Until recently, IT risk management would, as expected, be the sole responsibility of the IT department. Times have changed, however, and business users now have as much impact on the fate of your IT strategies as your IT team does. That’s because IT and business functions are moving closer together. So IT risk management is just as much a responsibility of your business leaders as it is of your CIO. The goal of your IT risk management strategy should be to align with and complement your overall business goals.

Developing your IT risk management strategy

Getting to grips with IT risk management may seem like a monumental task, and one that carries significant consequences if it’s not carried out correctly. Fear not: here’s a quick guide to putting together a coherent strategy that allows you to identify, assess and manage risk while aligning your IT infrastructure with the rest of your business processes and goals.

Observe your current business environment

Before you can figure out how to put together the right strategy, you’ll need to understand where your organization currently stands. Seeing where you are will help you avoid producing a strategy that is too ambitious or one that doesn’t do enough to protect your processes. This step should examine the size of your organization, how you function, your staff and your budget.

Agree on your risk management goals

Risk management strategies for your IT are not ‘one-size-fits-all’. Based on an understanding of your business environment, you will need to define the scope of your overall risk management strategy. The purpose here is to establish the context for risk assessment and to define risk criteria: What is considered a risk? Where does data exist in your infrastructure? What is the significance of that data being compromised? The answers to questions like these should then determine what you need in order to secure your IT infrastructure and how this will align with your business environment and goals.

Review timescales

When planning any kind of project, knowing your timelines is essential. The same goes for rolling out an IT risk management strategy. What will you need to do today to have the minimal requirements up and running tomorrow? Because business processes, business goals and IT environments tend to change, you’ll need a rolling plan in place that allows your risk management to adjust to these changes.

Evaluate employee abilities

Another key element of your strategy is your employees. Strategy execution relies heavily on staff abilities to ensure that the risk management objectives can be met. Your strategy must match these capabilities, or the whole exercise can fall down.

Monitor your customizations

If your IT environment uses SharePoint, you are likely making the most of its customizability. Whether customizations are developed internally or brought in as add-ins within your platform, you need to account for them as part of your IT risk management strategy. This becomes more difficult the more customizations you create or add in, especially in a larger and heavily customized SharePoint environment.

There is such a thing as unsafe code, and some third-party add-ins may not be secure. Some customized code is fine right now, but as you update your systems over time that code can become a risk: processes that rely on it may stop working, which can snowball into bigger issues. To monitor your customized code, it may be worth considering specialized tools for the job so you don’t burden your IT department.

Let the specialists help

Rencore’s SharePoint Governance and Risk Prevention solutions are designed to make sure your IT risk management strategies go off without a hitch. That includes specialist tools to identify customized code across your IT environment and analyze it to make sure it’s safe and won’t interrupt your business processes.

As IT and business functions move closer together, the role of managing IT risk will become more important. By developing a watertight IT risk management strategy, you will be able to make sure your business processes stay efficient and valuable both now and as you continue to grow and progress.
In the ever-evolving world of business and technology, theories and practices are always being challenged and improved. Keep an eye on where GRC might be heading in the future by reading up on Gartner’s Integrated Risk Management (IRM) Magic Quadrant.