Sample IT Risk Management Plan - Basic Components

IT systems are vulnerable to a variety of disruptions, ranging from mild (power outage, disk drive failure) to severe (equipment destruction, fire). Many risks and vulnerabilities may be minimized or altogether eliminated through technical, management, or operational solutions as part of the organization’s risk management effort. This plan is designed to mitigate the risk of system and service unavailability by focusing on effective and efficient recovery solutions.

To develop and maintain an effective IT Risk Management contingency plan, organizations should use the following approach:

1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercises
7. Plan maintenance

To be effective the risk management contingency plan must be based on a clearly defined policy. The first section of your IT risk management plan is the policy statement. Your policy statement should define your organization’s overall risk management contingency objectives, and establish the framework and responsibilities for IT risk management planning. Key policy elements to include in this section are as follows:

• Roles and responsibilities
• Scope as applied to the type(s) of platform(s) and organization functions subject to contingency planning
• Resource requirements
• Training requirements
• Exercise and testing schedules
• Plan maintenance schedule
• Frequency of backups and storage of backup media

The BIA is a key part of an IT risk management plan. The BIA enables your IT department to identify the system requirements, processes, and interdependencies and use this information to determine requirements and priorities. The purpose of the BIA is to link specific system parts with the services that they provide. Based on that information, discuss the consequences of a disruption to the system components.

This section of your plan, the Recovery Strategy section, should address the impact destruction would have, and allowable outage times identified in the BIA section. Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger, organization-level risk management and contingency plans. It is best to list specific recovery methods such as commercial contracts with cold, warm, or hot site vendors, mobile sites, reciprocal agreements with internal or external organizations, and service level agreements (SLAs) with the equipment vendors.

This concludes the first part of the series, Example of an IT Risk Management Plan (Part 1). To complete your IT Risk Management Plan, follow the link for part two. Example of an IT Risk Management Plan (Part 2).