Patent Issued for IT Risk Management Framework And Methods (USPTO 10,083,481)
By a
Patent number 10,083,481 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: "Risk transcends every aspect of business. The need to effectively and efficiently manage risk is a well understood, critical success factor in business, especially in functional disciplines such as finance, insurance, legal, marketing, and so forth. As these and other core business functions have grown more and more dependent on Information Technology (IT), managing IT-related risk has emerged as a critical discipline in running a successful business. Further, IT risk management is becoming a key driver for justifying investments in IT infrastructure and engaging in continuous service improvement programs.
"The complexity of an organization's IT ecosystem makes managing IT risk an immense challenge. It requires specific subject matter knowledge at a component, system, and enterprise level. The knowledge required includes what issues may arise given certain conditions, what the measured consequence of these issues are, and how to prioritize and solve these issues.
"IT Risk Management disciplines have primarily focused on specific issues concerning security, disaster recovery and project-related risks. Many of the existing IT Risk Management tools are based on the qualitative views of IT experts versus quantified analysis of data (such as what is used in more mature risk management disciplines related to credit, insurance, or medical risk management).
"Managing IT risks demands a common means to identify, classify, measure, and communicate risk so that individuals across IT and business organizations gain a shared understanding of the risks and take appropriate actions. Regardless of the approach taken, IT Risk Management should assist in balancing the investment required to improve and upgrade IT with the appropriate return in business value from such an investment."
In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors' summary information for this patent: "In general, in one aspect, the invention relates to a method for treating information technology (IT) risk of an organization including identifying a plurality of IT risks, where each of the plurality of IT risks is based on a known problem and is associated with an IT asset classification and an IT consequence classification, calculating a plurality of IT risk exposure indices, where each of the plurality of IT risk exposure indices is associated with at least one of the plurality of IT risks, adjusting each of the plurality of IT risk exposure indices based on a business impact factor to obtain a business impact index, prioritizing the plurality of IT risks by adjusting the business impact index based on a risk treatment factor to obtain a prioritized risk treatment index, and selecting at least one of the plurality of IT risks for treatment based upon the prioritized risk treatment index.
"In general, in one aspect, the invention relates to a computer system for treating a plurality of information technology (IT) risks including a processor, a memory, and software instructions stored in the memory for enabling the computer system under the control of the processor, to calculate a plurality of IT risk exposure indices, where each of the plurality of IT risk exposure indices is associated with at least one of the plurality of IT risks, where each of the plurality of IT risk exposure indices is adjusted based on a business impact factor to obtain a business impact index, where the business impact index is adjusted based on a risk treatment factor to obtain a prioritized risk treatment index, and where at least one of the plurality of IT risks is selected for treatment based on the prioritized risk treatment index.
"In general, in one aspect, the invention relates to a computer readable medium storing instructions for treating a plurality of information technology (IT) risks, the instructions including functionality to calculate a plurality of IT risk exposure indices, where each of the plurality of IT risk exposure indices is associated with at least one of the plurality of IT risks, where each of the plurality of IT risk exposure indices is adjusted based on a business impact factor to obtain a business impact index, where the business impact index is prioritized based on a risk treatment factor to obtain a prioritized risk treatment index.
"Other aspects of the invention will be apparent from the following description and the appended claims."
The claims supplied by the inventors are:
"The invention claimed is:
"1. A computer system for selecting an information technology (IT) risk for treatment, comprising: a processor; a memory; and software instructions stored in the memory and configured to be executed by the processor to perform a method, the method comprising: identifying a plurality of IT risks to one or more hardware servers, wherein the plurality of IT risks are risks of outages of a hardware server of the one or more hardware servers, and wherein each of the plurality of IT risks is based on a known problem and is associated with one of a plurality of IT asset classifications and one of a plurality of IT consequence classifications; for each of the plurality of IT risks: determining a probability value (P) to measure a probability of the IT risk occurring, determining a severity value (S) to measure a severity of an impact of IT risk, calculating a subclass IT risk exposure index based on a square root of (P^2 + S^2), obtaining a subclass significance value for the subclass IT risk exposure index quantifying the significance of the subclass IT risk to a parent IT risk, calculating a composite IT risk exposure index for the parent IT risk based on a plurality of IT risk exposure indexes and a plurality of significance values, wherein the subclass IT risk exposure index is one of the plurality of IT risk exposure indexes, wherein the subclass significance value is one of the plurality of significance values, and wherein the composite IT risk exposure index is a first quantitative score associated with the IT risk, generating a business impact index based on the composite IT risk exposure index and at least one business impact associated with the IT risk, wherein the business impact index is a second quantitative score associated with the IT risk, and generating a risk treatment index based on the business impact index and at least one factor affecting an ability to treat the IT risk, wherein the risk treatment index is a third quantitative score associated with the IT risk; prioritizing the plurality of IT risks based on the risk treatment index of each IT risk; selecting at least one of the plurality of IT risks for treatment based upon the priority of each of the plurality of IT risks and at least one risk acceptance policy; and treating the selected at least one of the plurality of IT risks by changing one or more system parameters on the hardware server implicated by the at least one of the plurality of IT risks, wherein the one or more system parameters address a corresponding known problem associated with the at least one of the plurality of IT risks causing an outage of the hardware server.
"2. The computer system of claim 1, further comprising software instructions to determine the plurality of IT risk exposure indices, wherein the software instructions enable the computer system to: wherein calculating the subclass IT risk exposure index comprises: plotting a first point representing the IT risk on a risk exposure square, wherein the risk exposure square is a graph having a vertical axis measuring probability values and a horizontal axis measuring severity values.
"3. The computer system of claim 2, wherein calculating the subclass IT risk exposure index further comprises: determining a distance between the first point and a second point on the risk exposure square, wherein the second point corresponds to a zero probability value and a zero severity value.
"4. The computer system of claim 1, wherein the at least one business impact associated with the IT risk comprises at least one selected from a group consisting of business size, market, business system criticality, and risk perception.
"5. The computer system of claim 1, wherein the at least one factor comprises at least one selected from a group consisting of recovery effectiveness, mitigation cost, and risk treatment alternatives.
"6. The computer system of claim 1, wherein treating the selected at least one of the plurality of IT risks comprises treating the at least one of the plurality of IT risks according to a best practice knowledgebase.
"7. The computer system of claim 1, wherein each of the plurality of IT asset classifications comprises one selected from a group consisting of system execution, service operations, solution development, and IT governance.
"8. A non-transitory computer-readable storage medium storing instructions for selecting an information technology (IT) risk for treatment, the instructions executing on a processor and comprising functionality to: identify a plurality of IT risks to one or more hardware servers, wherein the plurality of IT risks are risks of outages of a hardware server of the one or more hardware servers, and wherein each of the plurality of IT risks is based on a known problem and is associated with one of a plurality of IT asset classifications and one of a plurality of IT consequence classifications; for each of the plurality of IT risks: determine a probability value (P) to measure a probability of the IT risk occurring, determine a severity value (S) to measure a severity of an impact of IT risk, calculate a subclass IT risk exposure index based on a square root of (P^2 + S^2), obtain a subclass significance value for the subclass IT risk exposure index quantifying the significance of the subclass IT risk to a parent IT risk, calculate a composite IT risk exposure index for the parent IT risk based on a plurality of IT risk exposure indexes and a plurality of significance values, wherein the subclass IT risk exposure index is one of the plurality of IT risk exposure indexes, wherein the subclass significance value is one of the plurality of significance values, and wherein the composite IT risk exposure index is a first quantitative score associated with the IT risk, generate a business impact index based on the composite IT risk exposure index and at least one business impact associated with the IT risk, wherein the business impact index is a second quantitative score associated with the IT risk, and generate a risk treatment index based on the business impact index and at least one factor affecting an ability to treat the IT risk, wherein the risk treatment index is a third quantitative score associated with the IT risk; prioritize the plurality of IT risks based on the risk treatment index of each IT risk; and select at least one of the plurality of IT risks for treatment based upon the priority of each of the plurality of IT risks and at least one risk acceptance policy; and treat the selected at least one of the plurality of IT risks by changing one or more system parameters on the hardware server implicated by the at least one of the plurality of IT risks, wherein the one or more system parameters address a corresponding known problem associated with the at least one of the plurality of IT risks causing an outage of the hardware server.
"9. The non-transitory computer-readable medium of claim 8, wherein calculating the subclass IT risk exposure index comprises: plotting a first point representing the IT risk on a risk exposure square, wherein the risk exposure square is a graph having a vertical axis measuring probability values and a horizontal axis measuring severity values.
"10. The non-transitory computer-readable medium of claim 9, wherein calculating the subclass IT risk exposure index further comprises: determining a distance between the first point and a second point on the risk exposure square, wherein the second point corresponds to a zero probability value and a zero severity value.
"11. The non-transitory computer-readable medium of claim 8, wherein at least one business impact associated with the IT risk comprises at least one selected from a group consisting of business size, market, business system criticality, and risk perception.
"12. The non-transitory computer-readable medium of claim 8, wherein the at least one factor comprises at least one selected from a group consisting of recovery effectiveness, mitigation cost, and risk treatment alternatives.
"13. The non-transitory computer-readable medium of claim 8, wherein the functionality to treat the at least one of the plurality of IT risks comprises functionality to treat the selected at least one of the plurality of IT risks according to a best practice knowledgebase.
"14. The non-transitory computer-readable medium of claim 8, wherein each of the plurality of IT asset classifications comprises one selected from a group consisting of system execution, service operations, solution development, and IT governance.
"15. The non-transitory computer-readable medium of claim 8, wherein each of the plurality of IT consequence classifications comprises one selected from a group consisting of continuity and availability, security and integrity, agility and capacity, manageability and serviceability, development project, and governance control.
"16. The non-transitory computer-readable medium of claim 8, wherein identifying the plurality of IT risks comprises using a service excellence index based upon at least one selected from a group consisting of best practice knowledge bases and maturity models.
"17. The non-transitory computer-readable medium of claim 8, wherein identifying the plurality of IT risks comprises generating a plurality of linkages between a plurality of IT service assets and at least one business value effect.
"18. The computer system of claim 1, wherein each known problem associated with each of the plurality of IT risks is an ordered pair, wherein a first element of the ordered pair is the severity of the impact of the IT risk associated with the known problem, represented by the severity value (S), and a second element of the ordered pair is the probability of the IT risk associated with the known problem occurring, represented by the probability value (P).
"19. The non-transitory computer-readable medium of claim 8, wherein each known problem associated with each of the plurality of IT risks is an ordered pair, wherein a first element of the ordered pair is the severity of the impact of the IT risk associated with the known problem, represented by the severity value (S), and a second element of the ordered pair is the probability of the IT risk associated with the known problem occurring, represented by the probability value (P)."
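As an added illustration of the scoring chain in claims 1 to 5 (example code, not the patent's or the assignee's own implementation): the square-root exposure index and the distance-from-origin reading are the claims'; the significance-weighted mean for the composite index, the multiplicative business-impact and treatment adjustments, and the threshold form of the risk acceptance policy are assumptions made here, and the server-outage risks are constructed.

```python
from dataclasses import dataclass
from math import hypot

@dataclass
class SubRisk:
    name: str
    probability: float   # P, constructed 0-10 scale
    severity: float      # S, constructed 0-10 scale
    significance: float  # weight of this subclass within its parent risk

    def exposure_index(self) -> float:
        # Claims 1-3: distance from the origin (P=0, S=0) of the risk exposure square.
        return hypot(self.probability, self.severity)

@dataclass
class ParentRisk:
    name: str
    subrisks: list
    business_impact: float   # assumption: one scalar summarising the claim-4 factors
    treatment_factor: float  # assumption: one scalar summarising the claim-5 factors

    def composite_exposure(self) -> float:
        # Assumption: significance-weighted mean of the subclass exposure indices.
        total = sum(s.significance for s in self.subrisks)
        return sum(s.exposure_index() * s.significance for s in self.subrisks) / total

    def business_impact_index(self) -> float:
        return self.composite_exposure() * self.business_impact  # assumed multiplicative

    def risk_treatment_index(self) -> float:
        return self.business_impact_index() * self.treatment_factor  # assumed multiplicative

def prioritize(risks, accept_below: float):
    """Rank by treatment index; drop risks the acceptance policy tolerates (assumed threshold)."""
    ranked = sorted(risks, key=lambda r: r.risk_treatment_index(), reverse=True)
    return [r for r in ranked if r.risk_treatment_index() >= accept_below]

def sample_risks():
    # Constructed hardware-server outage risks; all scores are illustrative only.
    return [
        ParentRisk("db-server-outage", [SubRisk("disk-full", 6, 8, 3),
                                        SubRisk("kernel-panic", 3, 4, 1)], 2.0, 0.5),
        ParentRisk("print-server-outage", [SubRisk("driver-crash", 3, 4, 1)], 0.5, 1.0),
        ParentRisk("vpn-gateway-outage", [SubRisk("cert-expiry", 8, 6, 1),
                                          SubRisk("link-flap", 0, 0, 1)], 1.0, 1.0),
    ]
```

Calling `prioritize(sample_risks(), accept_below=3.0)` returns the database and VPN gateway risks, in that order; the print-server risk falls under the assumed acceptance threshold and is left untreated.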
For the URL and more information on this patent, see: Futch, Jefre E.; Gonczi, Andrew J.; Mason, Roberta J.; Stuckenberg, Ingrid C. IT Risk Management Framework And Methods.