IT Risk Assessment vs. IT Risk Management: The Difference and What They Mean to the Service Desk

May 28, 2020

In life, risks can be perceived both negatively and positively. Taking a risk can sometimes yield great results, but other times, a risk is a yellow light of caution. For businesses in particular, IT risks such as malware incidents and employee errors vary in size and can occur in several areas if they are not managed properly. The result is disruption and valuable time spent resolving the issue. But even with risk present, there are measures IT can put in place to ward it off.

Before we get into the technical side of it all, let’s start with the basics of IT risks, the difference between risk assessment and risk management, and how a business can determine whether the two are worth investing in.

What is an IT Risk as it applies to the Service Desk?

According to ITIL training, a risk is a possible event that could cause loss/harm or affect the ability to achieve objectives. To put it plainly, risk = assets + threats + vulnerabilities. An IT risk can be anything from an employee error to system failures to compromised data. Without proper incident, problem, and change management, risks can infiltrate the service desk, making it vulnerable to problems almost impossible to solve.

What is IT Risk Assessment?

IT risk assessment is simply a step in the risk management process. Performing regular assessments helps you identify areas of risk you can mitigate and possibly alleviate. Just think of it as security at a concert or big event; the security guard checks each person for weapons or dangerous substances before entering the venue. If someone does have a prohibited item, the guard has a responsibility to make sure that the item doesn’t harm others.

So what would the “prohibited item” be in the IT world? Risks can include legacy technology, suboptimal performance from servers, breached SLAs, and overloaded network connections. Issues like these can cause significant downtime, process failures, and a decline in customer satisfaction (CSAT). If applicable, businesses could use a service desk solution with its own “security guards” that notify IT technicians of risks they should be aware of.

What is IT Risk Management?

ITIL’s risk management process helps businesses identify, assess, and prioritize potential business risks. According to its framework, here’s what the risk management process looks like:

  • Identify and characterize threats
  • Assess vulnerability of critical assets to specific threats
  • Determine the probability of risks and their impact
  • Identify ways to reduce risks
  • Prioritize risk reduction measures
  • Continuously monitor risk factors

Risk management may not be just a suggestion, but a requirement for financial reasons. The ITAM Review says the biggest risks are often found in the data center, since that’s where the most complicated and expensive software licenses are found. If licenses aren’t in compliance, the business could end up spending more money than necessary.

Do I need to hire an IT Risk Manager?

In our latest IT Trends Report, we asked businesses which three areas of security skills and management their organization is prioritizing for development. Of the five top responses, IT risk assessment ranked #4. Because these companies find IT risk assessment a top area for development, it may not be a bad idea to consider bringing an IT risk manager onboard. It isn’t a requirement, and for small businesses it might not be necessary. However, factors that could influence that decision include the size of the company, the number of devices used, and whether there are multiple locations.

There are risks in almost everything we do. For today’s businesses, IT risks are amplified as operations are increasingly reliant on technology and infrastructure continues to evolve. And although some IT risks are inevitable, a service desk solution can act as a buffer to help avoid major technical and financial problems in the business.


Liz is a technical point of contact for SolarWinds Service Desk customers, providing expertise on ITSM best practices, APIs, integrations, and security. She's ITIL 4 certified and has never met a dog she didn't want to adopt.