Because developing a successful, efficient, and intuitive risk management process involves so many crucial steps, it is extremely difficult to narrow the process down to one or two essential steps: each of the many steps is necessary, and each relies upon the preceding step to ensure a sound result. However, looking at the steps outlined and recommended by the National Institute of Standards and Technology in their Guide for Applying the Risk Management Framework to Federal Information Systems, some of the key steps include the following: categorizing information systems, selecting security controls, implementing security controls, authorizing information systems, and monitoring security controls (United). Of these critical components of IT risk management, if one step must be identified as the most important, it would be the implementation step.
Researching and categorizing information systems, determining the best controls, building authorization protocols, and monitoring the systems are all key to the success of building a sound risk management system; however, none of these steps can be effective if the implementation of security controls is not performed accurately and effectively. This is the difference between theory and practice – in theory, risk control measures may sound logical and operative, but it is the practice, or implementation, of risk controls that is the most valuable element of risk management. If the implementation of security controls is not effective, practical, and efficient, then all the categorizing, authorizing, and monitoring will not work. According to the U.S. Department of Commerce’s recommendations for risk management, the implementation step in the risk management process includes ensuring that an organization has the appropriate infrastructure and architecture to support a risk management process and its deployment; this “information security architecture serves as a resource to allocate security controls to an information system and any organization-defined subsystems” (United). Additionally, established controls inherited from the existing architecture need to be evaluated, utilized, or eliminated during the implementation step of the security control process.
Of course, successful implementation cannot occur in isolation: implementation is strongly interconnected with the other risk management steps previously mentioned, relies heavily upon them, and is developed from them in the sequence of mitigating risk. Specifically, the identification of risk and opportunity is an imperative precursor to the implementation of a security control protocol. The risks to be identified prior to implementation should include strategic risk, environmental risk, market risk, credit risk, operational risk, and compliance risk (Information Systems 11). These identified risks drive decision making for the system controls, specifically in the areas of the IT enablement risk benefit-to-value evaluation, the IT program and project delivery risk, and the operational and service delivery risk (Information Systems 11). This initial identification of risk and opportunity allows the organization to make informed decisions regarding its risk management process, and no implementation should occur without the benefit of a comprehensive and accurate analysis of risk and opportunity as a first step toward managing risk.
Another key factor that is strongly linked with the implementation of security controls is the process of helping an organization understand that risk management is not exclusively a technical issue. A successful IT risk management program ensures that before, during, and after implementation, the IT risk management system serves the purpose of “filling the gap between generic risk management frameworks . . . and domain-specific frameworks” (Information Systems 12); it gives an organization a thorough understanding of all of its IT-related risks, and it gives the organization the ability to assess, act upon, and successfully impede or mitigate any identified IT risks.