IT Risk Management In London Fire Brigade: Principles And Steps

11 principles of risk management

In the 21st century, risk management is gaining popularity because of the increasing number of threats. Malicious applications pose a huge threat to IT systems, as hackers and unauthorized third parties can gain access to confidential information. Risks in information technology are a serious threat because they can cause uncertainty in an organization. In the London Fire Brigade, IT risk management is of utmost importance for protecting sensitive information. Therefore, through risk management, its strategic importance can be thoroughly understood.

According to ISO 31000, there are 11 principles of risk management that every organization should implement in order to overcome possible threats (iso.org, 2018). These principles are listed as follows:

  1. Sustains value: This principle helps in determining the various degrees of threat posed by political, legal, social or technological factors. In the London Fire Brigade, this principle can be integrated to understand the level of risk present in IT (london-fire.gov.uk, 2018). Through this principle, the importance of IT risk management can be understood.
  2. Organisational Process: In this principle, the objective of the organization needs to be kept in mind. The ultimate task of the London Fire Brigade with respect to risk management is to implement appropriate measures to secure its IT systems. The IT infrastructure of the company might hold sensitive information, such as contact information about its stakeholders, which include its employees and management (Talet, Mat-Zin and Houari, 2014). It might also hold important strategy documents that could be misused if they fall into the wrong hands. Therefore, it is important to implement IT risk management in the London Fire Brigade, or LFR (Refer to Appendix 1).
  3. Decision making: One of the most strategic aspects of IT risk management is the decision-making process. Through this principle, not only is proper communication maintained between stakeholders and management, but effective decisions about risk management can also be formulated (McNeil, Frey and Embrechts, 2015). Therefore, LFR must implement this principle for proper risk management to secure its IT systems.
  4. Addresses uncertainty: This principle helps in identifying aspects that might contain potential threats. LFR can implement it in order to assess potential threats in the IT infrastructure of the organization and eliminate them, securing the information in its IT systems.
  5. Systematic structure: Strategic risk management in information technology helps in determining the appropriate mitigation measures through which such threats can be avoided (business.qld.gov.au, 2017). Therefore, the London Fire Brigade should assess potential risks in its IT systems step by step in order to identify potential threats.
  6. Informative source: Risk management helps in the strategic assessment of possible sources from which threats can arise. As opined by Sadgrove (2016), there are 3 categories of sources, known as primary, secondary and tertiary. Therefore, the application of this principle by the London Fire Brigade would help in the assessment of primary and secondary sources of breaches in the IT infrastructure of the company.
  7. Tailored process: This principle defines risk management as a tailored process. Through this process, the London Fire Brigade can organize proper mitigation tools and techniques for implementation in the IT infrastructure of the organization. Therefore, it can be considered a strategic measure to ensure that no possible harm comes to the organization.
  8. Cultural and human factors: The process of risk management does not eliminate cultural or human factors. Therefore, this principle is of utmost importance, as the safety culture of an organization can be assessed through it. The London Fire Brigade should implement this strategic measure in order to assess risk perception and compliance within the organization and among its employees (moderngov.london-fire.gov.uk, 2018). Through this, proper mitigation measures can be taken to secure its IT infrastructure from potential threats.
  9. Transparent and inclusive structure: It is important for the London Fire Brigade to have a transparent relationship with its employees. Integration of this principle would make the relationship between employee and stakeholder stronger and thus bring in more cooperation. As put forward by Pena et al. (2018), this aspect would undoubtedly help in the assessment of threats as well as the formulation of effective ideas to mitigate potential risks in the IT infrastructure of the organization.
  10. Iterative, dynamic and responsive to change: This generation is evolving at a rapid pace, along with technology. However, security breaches are a common threat in this respect (Okoli et al., 2016). Because of this, the London Fire Brigade needs to implement risk management in the organization. Through this strategic decision, possible threats can be assessed and threats to the IT systems of the organization can be avoided.
  11. Continual improvement: The rapid growth of technology has brought in multiple threats. However, with the increase in threats, adequate security measures are also being created. It is important for the London Fire Brigade to stay updated on the latest trends. Through this process, the organization can protect itself from emerging threats in the field of IT and effectively mitigate them.

Following the 11 principles of risk management, the various aspects that can be integrated into the IT infrastructure of the London Fire Brigade have been thoroughly assessed. Emerging threats such as viruses and malware are making the storage of information in IT systems risky. Security breaches are the biggest issue rising in the 21st century. Therefore, it is essential to formulate proper strategies through the process of IT risk management. A thorough assessment of the 11 principles also gave a clear view of the advantages of risk management. Therefore, the London Fire Brigade should implement the necessary IT risk management strategies in order to identify potential threats. This process, in turn, would help in understanding the level of risk faced in a certain region, so that appropriate mitigation can be taken according to the IT risk management plan.

Process involved in creating risk management system for IT 

Risk management is essential, especially in IT systems, where it can reduce 80 to 90 per cent of risks. The London Fire Brigade is a big organization; therefore, it is essential to implement a proper IT risk management system in order to protect sensitive data and information. The London Fire Brigade therefore needs to follow the six steps of a process according to PMBOK guidelines in order to create an effective system. These steps are listed as follows:

Step 1: Identification of Risks

The first step in creating a proper risk management plan for the IT infrastructure of the London Fire Brigade is to identify the potential threats. According to Bromiley et al. (2015), this can be achieved through observation and the collection of internal reports of the organization. It is necessary to establish a security team that would assess these reports collected from within the organization. Prior project reports on IT, along with upcoming ones, can be monitored through this process. Through this step, possible external risks such as a security breach by hackers can also be identified.

Step 2: Methods for risk analysis

The second step in creating an effective management plan is to analyze the possible methods through which risk can be identified. To understand possible threats in IT, the London Fire Brigade can apply qualitative as well as quantitative methods. Qualitative analysis can be done with the aid of a matrix chart (isaca.org, 2018). This can be measured by plotting the risk on a horizontal bar while stating its probability and impact on the vertical bar. For quantitative analysis, the London Fire Brigade can use a decision tree in order to assess which risks pose more of a threat than others.

Step 3: Identification of risk triggers

Triggers can be defined as warning signs through which possible threats can be prevented. As put forward by McNeil, Frey and Embrechts (2015), triggers give the opportunity to identify potential threats so that they can be mitigated before they cause harm. In the London Fire Brigade, risk triggers such as warning protocols in the IT system can provide early warning so that all information regarding stakeholders and risk strategies can be kept confidential.

Step 4: Ideas for risk resolution

Identification of risks and risk triggers gives a clear idea of the steps that should be taken in order to mitigate the risks. The IT systems of the London Fire Brigade can mostly be affected by security breaches; therefore, various IT security measures such as antivirus software need to be added. There are various antivirus products available in the market, among which the most effective one needs to be implemented according to the needs of the organization. According to Coid et al. (2016), encryption of data is another idea that can be taken into consideration.

Step 5: Action Plan for risk resolution

After the fourth step, the appropriate decision can be taken regarding the mitigation method that needs to be implemented in the London Fire Brigade. This step also takes cost into consideration. A thorough assessment of the organization would help in determining the direction that the action plan should take (Yin et al., 2017). The IT security team is the key department responsible for implementing this action plan to secure the IT systems of the organization.

Step 6: Responsibility and Accountability

The last step in creating a risk management system for the IT infrastructure of the London Fire Brigade is assigning specific tasks to the responsible persons in the organization. A scheduled structure needs to be followed through which regular checks of the IT system can be done (Kirat, Vigna and Kruegel, 2014). In addition, according to the identified impact and probability of each risk, mitigation measures can be implemented by the IT security team to keep its information secure.

These six steps are the most important and need to be followed in order to create a proper risk management system. The London Fire Brigade would benefit from the application of these six steps, through which IT risks such as security breaches can be analyzed for proper mitigation.

The 21st century is a world full of innovation and new challenges. Information technology is one such aspect which has been impacted the most.

 

Figure 1: Risk management in IT

(Source: gov.uk, 2018)

In accordance with the increase in cybersecurity issues, some key trends have been observed (Kappelman et al., 2014). These trends are listed as follows:

Special focus on cyber attacks

Almost every organization of this generation is dependent on information technology. Numerous organizations conduct business with their stakeholders through creative networks. According to Aven (2016), implementation of a security strategy is fast gaining popularity as a way to protect data from unauthorized access. The same can be stated for the London Fire Brigade. It uses information technology to access locations, to store important information and to hold different strategies on firefighting. As manual data processing takes a lot of time, this organization prefers to use information technology. Therefore, the main focus of the organization right now would be to increase the security measures in its IT infrastructure.

Cloud computing

Cloud computing might be the most popular among the key trends in the 21st century. It is a storage system with the capacity to handle a thousand times more data than a regular system (Rao and Selvamani, 2015). Data can be retrieved from this system using web-based tools. It is an essential mitigation strategy in which information can be stored in an external system with direct access to the computer database. However, according to Yin and Kaynak (2015), there are still a lot of steps to be taken for cloud computing to be a hundred per cent effective. This is because an external breach can occur if there is no tight online security. Therefore, the London Fire Brigade can use cloud computing for the storage of data and information, but strict security measures need to be taken to assure its safety.

Changes in regulation

The increased number of cyber attacks has caused changes in the enforcement of rules and regulations regarding online security. According to the recent Data Protection Act 2018, it is essential to implement a strict online sensor in order to detect any potential threat (gov.uk, 2018). This Act essentially complements Europe’s General Data Protection Regulation (GDPR), which highlights the importance of data protection for the stakeholders of an organization. The Act outlines the responsibility of an organization to protect data and information, including its own and its stakeholders’. Therefore, it is absolutely necessary for the London Fire Brigade to align its policies and security measures with this Act.

Implementation of machine learning

Machine learning is essentially an application of Artificial Intelligence that would give a system the automatic ability to keep itself updated. It is one of the latest buzzwords in the security world. In the view of Kappelman et al. (2016), machine learning focuses on the development of computer programs. Therefore, it can be stated that the implementation of machine learning will bring significant changes in the level of online security. Machine learning would not only help in detecting advanced cyber threats but also provide adequate protection for data security. Moreover, this system would automatically be updated with the latest and most effective online security software, thus providing it with additional security. Although machine learning is still in the process of development, its importance can be thoroughly understood. Therefore, the London Fire Brigade should implement it when it is launched in the market. Through this, all data and information can be securely preserved without any risk.

Concentration on digital power

Security concerns are the main issue when it comes to anything digital. Therefore, alternative methods such as blockchain and edge computing are gaining more popularity. These methods help in moving computing resources away from the main centralized servers (Lam, 2014). This not only elevates security but also provides adequate privacy to stakeholders. The London Fire Brigade should implement such methods so that its data can be stored in a decentralized manner and secured against unauthorized breaches.

The above list covers a few of the key trends in the world of IT security. Some of these trends are already in use, while others are being readied for future use. It is important to assess such factors in order to stay updated on the latest online security measures. Thus, these key trends helped in identifying the steps that the London Fire Brigade should take for proper security.

References

Aven, T., 2016. Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), pp.1-13.

Bromiley, P., McShane, M., Nair, A. and Rustambekov, E., 2015. Enterprise risk management: Review, critique, and research directions. Long range planning, 48(4), pp.265-276.

business.qld.gov.au, 2017, Information technology (IT) risk management, Available at: https://www.business.qld.gov.au/running-business/protecting-business/risk-management/it-risk-management [Accessed on: 10-09-2018]

Coid, J.W., Ullrich, S., Kallis, C., Freestone, M., Gonzalez, R., Bui, L., Igoumenou, A., Constantinou, A., Fenton, N., Marsh, W. and Yang, M., 2016. Conclusions and future directions for risk management tools using Bayesian networks, OS, 2(1), pp.1-16.

gov.uk, 2018, Data Protection Act 2018, Available at: https://www.gov.uk/government/collections/data-protection-act-2018 [Accessed on: 10-09-2018]

isaca.org, 2018, Risk IT Framework for Management of IT Related Business Risks, Available at: https://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx [Accessed on: 10-09-2018]

iso.org, 2018, ISO 31000:2009 Risk management - Principles and guidelines, Available at: https://www.iso.org/standard/43170.html [Accessed on: 10-09-2018]

Kappelman, L., McLean, E., Johnson, V. and Gerhart, N., 2014. The 2014 SIM IT key issues and trends study. MIS Quarterly Executive, 13(4), pp.237-263.

Kappelman, L., McLean, E., Johnson, V. and Torres, R., 2016. The 2015 SIM IT Issues and Trends Study. MIS Quarterly Executive, 15(1), pp.12-17.

Kirat, D., Vigna, G. and Kruegel, C., 2014. BareCloud: Bare-metal Analysis-based Evasive Malware Detection. In USENIX Security Symposium, 3(2), pp.287-301.

Lam, J., 2014. Enterprise risk management: from incentives to controls. New Jersey: John Wiley & Sons.

london-fire.gov.uk, 2018, About Us, Available at: https://www.london-fire.gov.uk/about-us/ [Accessed on: 10-09-2018]

McNeil, A.J., Frey, R. and Embrechts, P., 2015. Quantitative Risk Management: Concepts, Techniques and Tools-revised edition. New Jersey: Princeton university press.

moderngov.london-fire.gov.uk, 2018, Risk Management Strategy 2018-2021 [online], Available at: https://moderngov.london-fire.gov.uk/mgconvert2pdf.aspx?id=6739 [Accessed on: 10-09-2018]

Okoli, J., Watt, J., Weller, G. and Wong, W.B., 2016. The role of expertise in dynamic risk assessment: A reflection of the problem-solving strategies used by experienced fireground commanders. Risk Management, 18(1), pp.4-25.

Pena, A., Bonet, I., Lochmuller, C., Chiclana, F. and Góngora, M., 2018. Flexible inverse adaptive fuzzy inference model to identify the evolution of operational value at risk for improving operational risk management. Applied Soft Computing, 65(3), pp.614-631.

Rao, R.V. and Selvamani, K., 2015. Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48(1), pp.204-209.

Sadgrove, K., 2016. The complete guide to business risk management. Abingdon: Routledge.

Talet, A.N., Mat-Zin, R. and Houari, M., 2014. Risk management and information technology projects. International Journal of Digital Information and Wireless Communications (IJDIWC), 4(1), pp.1-9.

Yin, H.L., Wang, W.L., Tang, Y.L., Zhao, Q., Liu, H., Sun, X.X., Zhang, W.J., Li, H., Puthoor, I.V., You, L.X. and Andersson, E., 2017. Experimental measurement-device-independent quantum digital signatures over a metropolitan network. Physical Review A, 95(4), pp.38-42.

Yin, S. and Kaynak, O., 2015. Big data for modern industry: challenges and trends [point of view]. Proceedings of the IEEE, 103(2), pp.143-146.