
Risk Management

Publication Date: May 30, 2019

Written by Sharon Gauci

Risk Management is a discipline that guides and drives each one of us in our day-to-day lives, sometimes consciously and most of the time unknowingly.

We practise it when we set the alarm before we go to sleep to reduce the likelihood of waking up late the next morning, and when we make healthy lifestyle choices to reduce the likelihood of diseases later in life. We practise it again when we install intruder alarms in our homes to reduce the likelihood of theft, when we purchase any kind of insurance cover, and so on.

Risk is perceived differently from one person to another. This is because each person tolerates a different level of risk depending on the type of risk, the nature of the person in question and that person's past experiences. This perception is also shaped by the assurance given by the controls already in place, as well as by the value of the asset that would be impacted if the risk materialises.

Being the main provider of ICT infrastructure and services to the Maltese Government, it is inevitable that Risk Management is at the forefront of MITA’s agenda, especially when considering the value of data under MITA’s responsibility. In fact, as mandated by MITA’s Enterprise Risk Management (ERM) policy, all decision making within MITA involves the consideration of risks and the application of risk management to an appropriate degree.

The inception of MITA’s risk management function focused on mitigating primarily information security risks and evolved throughout the years to cater for all types of material risks that MITA may be impacted by, including:

· MITA’s reputation and client relationship,
· MITA’s security, compliance and financial position,
· the achievement of MITA’s strategic objectives,
· MITA’s ability to deliver projects and services.

MITA is governed by an ERM framework that covers the full Enterprise Risk Management process in line with ISO 31000 requirements. Whilst all MITA employees are responsible for the identification of risks, risk ownership lies with the MITA managers responsible for the assets, projects or services that may be impacted. The risk owner is accountable and responsible for the risk throughout its lifecycle, as well as for ensuring that all relevant risk details are duly recorded in the MITA Risk Register System. Each risk is assessed in terms of its impact and likelihood to determine its severity. Based on that severity, a decision is taken on whether the risk shall be reduced, eliminated, accepted, transferred or escalated, in line with MITA’s defined risk escalation hierarchy. MITA’s ERM framework also takes into consideration the level of risk that may be tolerated for different classifications of risk, through the formalisation of MITA’s risk appetite.

The governance of MITA’s ERM framework is carried out centrally, directly under the Executive Chairman’s office, by the ERM Committee. The Committee is composed of MITA senior management, who meet regularly to ensure that all MITA risks are under control and are being duly mitigated. The ERM Committee defines a number of objectives and targets associated with MITA’s ERM framework. Metrics are extracted every month to ascertain that these objectives are within the targets set. Any discrepancies are duly escalated and discussed further.

Additionally, risk is positively associated with opportunities. On one hand, innovations and emerging technologies such as Blockchain and Artificial Intelligence may carry risks that need to be considered and addressed. On the other hand, technologies that introduce risks can also present opportunities that need to be pursued. A case in point is the increased usage of smartphones by citizens. Whilst smartphones carry risks, given their increased likelihood of being lost or stolen, they also present an opportunity for Governments to be closer to citizens through the introduction of mobile services for everyone, everywhere and at any time. What is important is that citizens put controls in place to mitigate the risk of lost or stolen smartphones, for example by setting security mechanisms (such as PIN codes) to access one’s smartphone.

Being an underlying requirement of the ISO standards against which MITA is certified, MITA’s risk management framework is regularly subject to external audits. MITA also carries out regular independent audits and risk assessments to help ensure that new risks are continuously identified and addressed in line with its ERM framework.