This article provides a step-by-step guide on how to manage risk across your organization within the 6clicks platform.
Topics covered in this article:
- Establishing the scope and context
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
- Monitoring and review
IT risk management provides organizations with a strategic and structured approach to identifying, assessing, managing, and monitoring risks. By implementing this comprehensive methodology, organizations can proactively address potential threats, mitigate risks, and protect their objectives and goals. Use this guide to help you get started on your risk management program.
Establishing the scope and context
Organizations define the boundaries for risk management by considering industry regulations, organizational objectives, and internal and external stakeholders. They incorporate these regulations into their risk management activities to ensure compliance and minimize legal and regulatory risks. By aligning risk management efforts with goals, organizations prioritize and allocate resources accordingly. Internal stakeholders, such as employees, and external stakeholders, like customers and regulatory bodies, are considered to identify risks and tailor risk management strategies. Considering industry-specific risks and the organizational context, organizations can develop relevant and effective risk management strategies.
Conducting an internal assessment is an effective way to gather necessary information across your organization and accurately capture its scope and context. Learn how to create and respond to an internal assessment.
Start your internal assessment by running the 6clicks Scope Assessment and following these steps:
- Navigate to the 6clicks Content Library on the right-hand side of the dashboard.
- From the Content Library, use the search bar to find the 6clicks Scope Assessment and view its details.
- Click Add Content, then return to the Audits & Assessments module and click Create assessment to create a new assessment.
- Select Question-Based Assessment then search for the 6clicks Scope Assessment and click Next.
- Enter a unique name for the new assessment, add a respondent entity (in this case, choose Internal Assessment), then click Create.
- Once created, you can review the new assessment within the Assessment Builder page and move the status to Published. You can then add respondents under the Respondents tab and send invitations to complete the assessment.
Risk identification
Risk identification is a crucial step in the IT risk management process. Organizations can draw risks from a risk library, or add or import them directly into the 6clicks Risk Registers. By maintaining a comprehensive record and prioritizing risks based on likelihood and impact, organizations can develop strategies to mitigate threats and protect their objectives.
There are several key risk management configurations you can explore in the 6clicks platform:
- 6clicks enables users to configure custom fields for their risk management needs. Learn how to configure your own custom fields within the 6clicks Risk Registers.
- You can also configure your own risk workflow as required for your risk framework or process.
To get started with risk identification, use 6clicks' Risk Libraries or add a risk in the 6clicks Risk Registers by following the steps below:
- Navigate to the Risks module and choose Registers.
- The Risk Registers page will then open displaying a list of all identified risks. Select Import to import existing risks or Create Risk to create a new risk.
- The Risk Details modal will then open within the Overview page for you to fill in the details of the risk such as Description, Common Cause, Potential Impact, Risk Domain, Risk Owners, Access Members, and Tags. You can then link controls and other data such as assets, issues, and assessments to the risk.
Risk analysis
6clicks enables the assignment of a numerical value to assess the likelihood and impact of risks, allowing for prioritization based on significance. This analysis helps organizations understand the level of risk associated with each identified risk and make informed decisions on risk treatment strategies and resource allocation. It also allows organizations to develop a clear understanding of potential threats, prioritize risk management efforts, and implement appropriate controls.
Users can configure custom fields including risk matrices for their risk assessment processes within the Risk Registers. To conduct a risk assessment, follow these steps:
- Open the newly created risk. From the Risk Details modal, navigate to the Risk Assessment tab.
- Enter a unique name for the risk assessment under the Create New Risk Assessment field on the side panel. Hit Enter on your keyboard to create the risk assessment.
- Add a date, rate the Likelihood and Impact of the risk, and fill in the other custom fields to complete the risk assessment.
Risk evaluation
Risk evaluation is a crucial step in the risk management process. It involves examining which policies and controls are in place to mitigate the risk, as well as any other compliance requirements the organization must consider, in order to make informed decisions about risk treatment. By evaluating risks, organizations can develop strategies to mitigate or eliminate potential threats, protect objectives, and ensure operational continuity.
Anyone with appropriate access rights to the risk, including risk owners and access members, can evaluate the risk information, linked data and controls, and risk assessments when required. During their review, users with access can make updates to the risk across any available tabs depending on rules configured in the risk workflow stages. Any updates made to a risk during its lifecycle are logged in the History tab of a risk.
Risk treatment
After evaluating risks, organizations develop and implement strategies to mitigate or eliminate them. A comprehensive risk treatment plan is created, outlining specific actions, responsibilities, timelines, and additional controls if needed. This plan serves as a roadmap for effectively managing and addressing risks, reducing their likelihood and impact. In some cases, additional controls such as new policies, enhanced security measures, or advanced technologies may be necessary to further mitigate risks. The goal of risk treatment is to minimize disruptions, protect assets, and maintain a positive reputation. Regular review and updates of risk treatment plans allow organizations to adapt and improve their risk mitigation strategies.
Here's how you can set up risk treatment plans for risks outside of your risk appetite or tolerance:
- From the Risk Details modal, navigate to the Treatment tab. From here you can define the Treatment Decision for the risk and change the Treatment Status.
- Click the + icon on the side panel and type in a unique name for the treatment plan under the Create New Treatment Plan field. Hit Enter on your keyboard to create the new treatment plan.
- Add a Due Date, Status, and Assignees to the treatment plan and link statements and provisions as needed.
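The risk analysis, evaluation and treatment decision steps above can be pictured as one small computation. The following is an added example, not 6clicks code: it scores a constructed risk register on an assumed 5x5 likelihood/impact matrix, re-rates each risk once existing or planned controls are taken into account, and flags which risks sit above an assumed appetite band and therefore need a treatment plan. The scale names, band thresholds and appetite value are assumptions, not platform defaults.

```python
from dataclasses import dataclass
from typing import Optional

# 5x5 scales forming the risk matrix; names and thresholds are assumed, not 6clicks defaults.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ["low", "medium", "high", "critical"]

def rating(score: int) -> str:
    """Map a likelihood*impact product (1..25) onto a rating band."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    return "medium" if score >= 5 else "low"

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    # Likelihood re-rated with existing or planned controls applied;
    # None means no control changes the rating.
    residual_likelihood: Optional[str] = None

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        return LIKELIHOOD[self.residual_likelihood or self.likelihood] * IMPACT[self.impact]

def evaluate(risks, appetite: str = "medium"):
    """Rank by residual score; a band above the appetite means 'treat', else 'accept'.
    Returns (name, inherent, residual, band, decision) tuples, highest residual first."""
    rows = []
    for r in risks:
        res = r.residual_score()
        band = rating(res)
        decision = "treat" if BANDS.index(band) > BANDS.index(appetite) else "accept"
        rows.append((r.name, r.inherent_score(), res, band, decision))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register, not real data.
REGISTER = [
    Risk("Unpatched internet-facing web server", "likely", "major", "unlikely"),
    Risk("Privileged account credential theft", "possible", "severe", "unlikely"),
    Risk("Lost unencrypted laptop", "possible", "moderate"),
    Risk("Office printer outage", "likely", "insignificant"),
]
```

Calling `evaluate(REGISTER)` returns the rows in priority order; lowering the appetite to "low" moves the two medium-rated risks into the "treat" column, which is the same effect as tightening risk tolerance during monitoring and review.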
Monitoring and review
The final phase of IT risk management is monitoring and review. This ensures ongoing oversight of risk management efforts and allows organizations to adapt strategies to address emerging risks effectively. It involves regularly tracking the progress of risk treatment plans to ensure they are being implemented as intended and taking corrective actions promptly. Organizations also need to monitor overall risk levels by assessing the current state of risks and identifying any changes or new risks. This involves assessing the effectiveness of implemented controls through periodic audits or assessments and identifying areas for improvement to enhance risk mitigation strategies. Continual risk review is essential to remain agile and proactive in risk management efforts, adapting strategies to address emerging risks or changing business conditions. Reviewing, adjusting, and correcting risk tolerance is also necessary to stay ahead of future trends in the industry.
You can use 6clicks' Reporting & Analytics functionality to monitor risk levels and the progress of risk treatment.
- From the top of the dashboard, navigate to the Analytics module. If you do not have a dashboard built out, select Browse and choose Reports.
- Search for out-of-the-box risk reports such as our risk register report that summarizes all risks in the Risk Registers.
Through the establishment of a clear scope and context, thorough risk identification, rigorous risk evaluation, effective risk treatment, and ongoing monitoring and review, organizations can enhance their resilience and ensure long-term success.