Example of an IT Risk Management Plan

This section contains detailed roles, responsibilities, teams, and procedures associated with restoring an IT system following a disruption. The contingency section should document the technical capabilities designed to support contingency operations. Tailor this section to your organization and its requirements.

In this plan, the contingency section is comprised of five main components:

1. Supporting Information: Guidance in making decisions on how to use the plan, and in providing information on where associated plans and information outside the scope of the plan may be found.
2. Notification/Activation: Use this section to detail the initial actions to take once a system disruption or emergency has been detected or appears to be imminent.
3. Recovery: This component of your plan should focus on measures to execute temporary IT processing capabilities, repair damage to the original system, and restore operational capabilities at the original or new facility.
4. Reconstitution: In the Reconstitution section specify which teams are responsible for restoring or replacing both the site and the IT system.
5. Plan Appendices: Plan appendices should reflect the specific technical, operational, and management contingency requirements of the given system.

Each IT risk management contingency plan element should be tested to confirm the accuracy of individual recovery procedures and the overall effectiveness of the plan. Use this Plan Testing Section to specify how you will test your IT risk management contingency plan. This section should contain the following components:

• System recovery on an alternate platform from backup media
• Coordination among recovery teams
• Internal and external connectivity
• System performance using alternate equipment
• Restoration of normal operation
• Notification procedures

Training for personnel with contingency plan responsibilities should complement testing. Utilize this training component to detail how personnel will be trained. Below are areas in which personnel should be trained, specified in detail in this section:

• Purpose of the plan
• Cross-team coordination and communication
• Reporting procedures
• Security requirements
• Team-specific processes (Notification/Activation, Recovery, and Reconstitution Phases)
• Individual responsibilities (Notification/Activation, Recovery, and Reconstitution Phases)

Lastly, your IT Risk Management plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. IT systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies. Therefore, it is important to review and update your Risk Management Plan regularly. As a general rule, the plan should be reviewed for accuracy and completeness at least annually, or whenever significant changes occur to any element of the plan. In this last section of your plan, devise a maintenance schedule to ensure flexibility and scalability.

To see examples of the first four sections of this Risk Management Plan follow the link to part 1.

Example of an IT Risk Management Plan (Part 1)