Job Description: What Does a Risk Analyst Do?

The Information Technology (IT) Risk Analyst supports the risk identification and management process across all aspects of Information Technology for a business, government agency or educational institution. Responsibilities include assessing the current adequacy of the security strategy, business continuity/disaster recovery plans and threats to the systems, and then calculating the impact of potential adverse events. Audits and assessments must be continual, as threat profiles change constantly.

The Analyst will keep executive management up to date on the results of the risk assessment and make recommendations for mitigations, or projects, to protect their systems or cover potential losses.

To continually improve the quality of risk management, some analysts collect lessons-learned information and metrics from security events and integrate the knowledge gathered into future protection strategies. This may involve reviewing logs, network traces and other evidence from computers, networks and data storage devices.

IT Risk Analyst Responsibilities & Duties:

Senior IT Risk Analysts use their knowledge and experience to examine systems and procedures to identify potential adverse events, including hardware and software crashes, physical disasters, malicious intruders, malware, denial of service attacks and employee misconduct.

Analysis will include a clear description of the risk and its likelihood. For those considered significant, an assessment of the impact, in dollars or business disruption, will be developed. From this, mitigation plans must be developed and presented to management for approval and funding.

Generally speaking, the Analyst must:

  • Identify risks which might occur;
  • Stay knowledgeable of current advances in all areas of information technology concerning vulnerabilities, security breaches or malicious attacks;
  • Continuously evaluate communication security, data vulnerability, business continuity and compliance risks;
  • Identify vulnerabilities or weaknesses in systems;
  • Examine employee compliance with security controls and identify deficiencies;
  • Evaluate security policy, processes and procedures for completeness;
  • Ensure that controls are adequate to protect sensitive information systems;
  • Report to management on IT system vulnerability and protection against malware and hackers;
  • Clearly document and define risks and potential impacts along with the statistical probability of such an event, and identify systems affected by the defined risk;
  • Provide mitigation/damage reduction proposals with cost justification;
  • Assist in identifying breaches in a firm's security or tracking the source of an unauthorized intrusion;
  • Identify defensive steps to take, including necessary firewalls, security software and data encryption;
  • Recommend that all infrastructure and application patching and remediation be carried out;
  • Communicate recommended business continuity preparations and controls, including deficiencies, to business units;
  • Recommend improvements in network security, identity management and logging.