- Understanding IT Risk
- The Risk Management Framework
- Risk Treatment Strategies
- Key Risk Areas
- Risk Monitoring and Reporting
- Building a Risk-Aware Culture
- Real-World Applications
- Common Pitfalls
- Measuring Success
- Conclusion
Every organization depends on technology. Email systems enable communication. Databases store customer information. Applications process transactions. Networks connect offices. This dependency creates risk—technology failures can disrupt operations, compromise data, and damage reputation.
IT risk management addresses these threats systematically. Rather than reacting to incidents, organizations identify potential risks, assess their impact, and implement controls to reduce exposure. This proactive approach protects business value while enabling technology innovation.
The challenge lies in balancing security with business needs. Excessive controls slow operations and frustrate users. Insufficient controls expose the organization to unacceptable risks. Effective IT risk management finds the right balance—protecting critical assets while enabling business objectives.
This exploration examines IT risk management fundamentals, from identifying risks to implementing controls. Understanding these principles helps organizations protect themselves while maintaining operational efficiency.
Understanding IT Risk
Before managing risks, understanding what constitutes IT risk is essential.
What is IT Risk?
IT risk represents the potential for technology-related events to negatively impact business objectives. Four components define IT risk:
⚡ Threat
Source of potential harm that could exploit vulnerabilities.
External Threats: Originate outside the organization. Hackers attempt unauthorized access, malware infects systems, ransomware encrypts data for ransom, natural disasters damage infrastructure.
Internal Threats: Originate within the organization. Employees make configuration errors, accidentally delete data, or misuse access privileges. System failures occur due to software bugs or design flaws.
Environmental Threats: Infrastructure and facility issues. Power outages disrupt operations, hardware failures cause data loss, cooling system failures damage equipment, network connectivity issues prevent access.
🔓 Vulnerability
Weakness that can be exploited by threats.
Unpatched Software: Systems running outdated versions with known security flaws. Attackers exploit published vulnerabilities before patches are applied.
Weak Passwords: Simple, easily guessed credentials like “password123” or “admin”. These enable brute-force attacks and credential stuffing.
Misconfigured Systems: Default settings left unchanged, unnecessary services enabled, overly permissive access controls. These create unintended security gaps.
Inadequate Controls: Missing encryption, no multi-factor authentication, insufficient logging, lack of network segmentation. These leave systems exposed.
Missing Security Updates: Failure to apply patches promptly, outdated antivirus definitions, unsupported legacy systems. These maintain exploitable weaknesses.
💥 Impact
Consequences if the risk materializes.
Financial Loss: Direct costs include incident response, forensics, legal fees, notification expenses. Lost revenue from downtime, customer churn, contract penalties. Recovery costs for system restoration and data recovery.
Operational Disruption: System downtime prevents business operations. Productivity loss as employees cannot work. Service degradation affects customer experience. Integration failures break business processes.
Reputation Damage: Brand harm from negative publicity and media coverage. Customer trust erosion leading to business loss. Partner confidence decline affecting relationships. Market value reduction for public companies.
Regulatory Penalties: Fines for non-compliance with GDPR, HIPAA, PCI DSS, or other regulations. Legal consequences including lawsuits and settlements. Mandatory audits and remediation requirements. Potential criminal charges for severe violations.
🎲 Likelihood
Probability of the risk occurring.
Historical Frequency: How often similar incidents occurred in the past. Organizations with frequent phishing attempts face higher likelihood of successful attacks. Industry trends indicate common attack patterns.
Threat Capability: Sophistication and resources of potential attackers. Nation-state actors have advanced capabilities. Script kiddies use automated tools. Insider threats have privileged access and knowledge.
Vulnerability Severity: How easily the weakness can be exploited. Critical vulnerabilities with public exploits have high likelihood. Complex vulnerabilities requiring specialized knowledge have lower likelihood.
Existing Control Effectiveness: Strong controls reduce likelihood significantly. Multi-factor authentication prevents 99% of account compromises. Weak or missing controls leave systems exposed to exploitation.
Risk exists when threats can exploit vulnerabilities to cause impact. A threat without vulnerability creates no risk. A vulnerability without threat creates no immediate risk. Both must exist for risk to materialize.
The Risk Landscape
Organizations face diverse IT risks:
🚫 Common IT Risks
Security Risks
- Data breaches and theft
- Unauthorized access
- Malware and ransomware
- Insider threats
- Social engineering attacks
Operational Risks
- System failures and downtime
- Data loss or corruption
- Performance degradation
- Integration failures
- Capacity constraints
Compliance Risks
- Regulatory violations
- Privacy breaches
- Audit failures
- Contractual non-compliance
- Legal liability
Strategic Risks
- Technology obsolescence
- Vendor dependency
- Project failures
- Poor architecture decisions
- Inadequate disaster recovery
Each risk category requires different management approaches. Security risks need technical controls. Operational risks need process improvements. Compliance risks need governance frameworks. Strategic risks need business alignment.
The Risk Management Framework
Effective risk management follows a structured approach:
Risk Identification
The first step is identifying potential risks:
🔍 Risk Identification Methods
Asset-Based Approach
- Identify critical assets
- Determine threats to each asset
- Identify vulnerabilities
- Document potential impacts
Scenario-Based Approach
- Brainstorm threat scenarios
- "What if" analysis
- Historical incident review
- Industry threat intelligence
Compliance-Based Approach
- Review regulatory requirements
- Identify compliance gaps
- Assess penalty exposure
- Document obligations
Stakeholder Input
- Interview business owners
- Survey IT staff
- Consult security team
- Review audit findings
Comprehensive risk identification requires multiple perspectives. Technical staff identify system vulnerabilities. Business owners identify operational impacts. Security teams identify threat scenarios. Compliance teams identify regulatory risks.
Risk Assessment
Once identified, risks need assessment:
📊 Risk Assessment Criteria
Impact Assessment
- Financial: Direct costs and lost revenue
- Operational: Downtime and productivity loss
- Reputational: Brand damage and customer trust
- Compliance: Fines and legal consequences
Likelihood Assessment
- Historical frequency
- Threat capability
- Vulnerability severity
- Control effectiveness
Risk Rating
- Combine impact and likelihood
- Use a consistent scale (1-5 or Low/Medium/High)
- Calculate risk score
- Document assumptions
Risk assessment quantifies exposure. A high-impact, high-likelihood risk demands immediate attention. A low-impact, low-likelihood risk may be acceptable. The assessment guides prioritization.
Risk Prioritization
Not all risks deserve equal attention:
🎯 Risk Prioritization Matrix
Critical Risks (High Impact + High Likelihood)
- Immediate action required
- Executive attention needed
- Significant resources allocated
- Weekly status updates
- Daily monitoring
High Risks (High Impact OR High Likelihood)
- Planned mitigation
- Adequate resources
- Bi-weekly status updates
- Monthly review
- Management oversight
Medium Risks
- Standard controls
- Monthly status updates
- Quarterly assessment
- Documented acceptance
Low Risks
- Accept or monitor
- Minimal resources
- Quarterly status updates
- Annual review
- Document decision
Prioritization ensures resources focus on the most significant risks. Organizations can’t eliminate all risks—they must focus on those that matter most. Higher-priority risks require more frequent status updates and monitoring to ensure timely detection of changes in risk profile.
| Impact / Likelihood | Low | Medium | High |
|---|---|---|---|
| High | Medium Risk | High Risk | Critical Risk |
| Medium | Low Risk | Medium Risk | High Risk |
| Low | Low Risk | Low Risk | Medium Risk |
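A small risk-register scorer, added here as an illustration and not part of the original article, that combines impact and likelihood into a score, reproduces the matrix above as score thresholds, and applies the status-update cadence and the executive-approval rule for tolerated risks from the prioritization list. The Low/Medium/High to 1-3 mapping, the `approved_by` field, the register entries and the reference date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal values for the page's Low/Medium/High ratings (assumption: 1..3).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Status-update cadence per priority from the prioritization list above
# (weekly, bi-weekly, monthly, quarterly), expressed in days.
STATUS_UPDATE_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}

# Priorities whose acceptance (Tolerate) needs executive approval.
SIGNIFICANT = {"Critical", "High"}


@dataclass
class Risk:
    name: str
    impact: str            # "Low" | "Medium" | "High"
    likelihood: str        # "Low" | "Medium" | "High"
    last_update: date      # date of the most recent status update
    treatment: str = "Undecided"   # Transfer | Tolerate | Treat | Terminate
    approved_by: str = ""          # assumed field: who signed off a Tolerate


def risk_score(impact: str, likelihood: str) -> int:
    """Combine impact and likelihood into one score: the product of their levels."""
    return LEVELS[impact] * LEVELS[likelihood]


def classify(impact: str, likelihood: str) -> str:
    """Map a score onto the 3x3 matrix: 9 is High x High (Critical); 6 is
    High x Medium or Medium x High (High); 3-4 covers Medium x Medium and
    High x Low / Low x High (Medium); 1-2 is everything else (Low)."""
    score = risk_score(impact, likelihood)
    if score == 9:
        return "Critical"
    if score == 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def priority(risk: Risk) -> str:
    return classify(risk.impact, risk.likelihood)


def next_status_update(risk: Risk) -> date:
    """Date by which the next status update is due for this risk's priority."""
    return risk.last_update + timedelta(days=STATUS_UPDATE_DAYS[priority(risk)])


def prioritize(register: list) -> list:
    """Order the register highest priority first, then by score, then by name."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(register, key=lambda r: (rank[priority(r)],
                                           -risk_score(r.impact, r.likelihood),
                                           r.name))


def overdue_updates(register: list, today: date) -> list:
    """Names of risks whose status update is past due as of `today`."""
    return [r.name for r in register if next_status_update(r) < today]


def unapproved_acceptances(register: list) -> list:
    """Tolerated Critical/High risks that lack the required executive approval."""
    return [r.name for r in register
            if r.treatment == "Tolerate" and priority(r) in SIGNIFICANT
            and not r.approved_by]


# Constructed sample register and reference date (not from the article).
AS_OF = date(2024, 5, 15)
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", "High", "High", date(2024, 5, 1), "Treat"),
    Risk("Ransomware via phishing", "High", "Medium", date(2024, 5, 10), "Transfer"),
    Risk("Legacy reporting app cannot be patched", "High", "Medium", date(2024, 5, 12), "Tolerate"),
    Risk("Defacement of low-traffic internal blog", "Low", "Medium", date(2024, 3, 1), "Tolerate"),
    Risk("Vendor outage of SaaS HR portal", "Medium", "Medium", date(2024, 4, 10), "Treat"),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{priority(r):8} score={risk_score(r.impact, r.likelihood)} "
              f"next update {next_status_update(r)}  {r.name}")
    print("overdue:", overdue_updates(SAMPLE_REGISTER, AS_OF))
    print("needs executive approval:", unapproved_acceptances(SAMPLE_REGISTER))
```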
Risk Treatment Strategies
Once risks are prioritized, organizations choose treatment strategies:
The Four T’s
Risk treatment follows four basic strategies:
💸 Transfer: Shift the Burden
Move financial consequences to another party while retaining operational responsibility. Like buying insurance—you pay premiums to transfer the financial risk of a breach to the insurer.
Common Methods: Cyber insurance policies covering breach costs, outsourcing to managed service providers, cloud providers assuming infrastructure risks, contractual liability clauses with vendors.
Example: Purchasing cyber insurance that covers breach notification costs, legal fees, and regulatory fines. If a breach occurs, the insurer pays these costs while you handle the incident response.
When to Use: Risk impact exceeds internal capacity, specialized expertise needed, cost-effective compared to self-insurance, or regulatory/contractual requirements exist.
🤝 Tolerate: Accept the Risk
Acknowledge the risk exists and consciously decide not to take action beyond monitoring. The cost of fixing it exceeds the potential damage.
Justification: Mitigation cost exceeds potential impact, risk falls within acceptable tolerance, no cost-effective controls available, or business benefit outweighs risk.
Example: Accepting the risk of minor website defacement on a low-traffic internal blog. The cost of advanced DDoS protection exceeds the minimal business impact.
Requirements: Formal documentation of acceptance, executive approval for significant risks, regular review of risk status, and monitoring for changes in risk profile.
🛠️ Treat: Reduce the Risk
Implement controls to reduce either likelihood or impact of the risk materializing. Most common approach—add security measures to lower the risk to acceptable levels.
Approaches: Technical controls (firewalls, encryption), process improvements (change management), training and awareness programs, redundancy and backup systems.
Example: Implementing multi-factor authentication reduces the likelihood of unauthorized access even if passwords are compromised. Adding encryption reduces impact if data is stolen.
Effectiveness: Most common strategy for significant risks, allows continued business operations, requires ongoing maintenance, and cost must be proportional to risk.
🚫 Terminate (Avoid): Eliminate the Risk
Remove the risk entirely by discontinuing the activity that creates it. Stop doing the risky thing altogether.
Actions: Decommission vulnerable legacy systems, exit high-risk business lines, stop using risky technologies, or change processes to avoid risk.
Example: Shutting down an outdated web application that can’t be secured rather than continuing to patch vulnerabilities. The business value doesn’t justify the security risk.
Considerations: Most effective but often impractical, may impact business operations, last resort for unacceptable risks, and requires business stakeholder buy-in.
The choice depends on risk level, cost of controls, and business objectives. High risks typically require treatment or transfer. Low risks may be tolerated. Unacceptable risks may require termination.
Control Implementation
Treating risks requires implementing controls. Each control type serves a specific purpose, and combining them creates defense in depth:
🛡️ Preventive Controls
Reduce the likelihood of security incidents by blocking threats proactively.
Examples: Multi-factor authentication prevents unauthorized access, firewalls block malicious network traffic, input validation prevents injection attacks, network segmentation limits lateral movement, security awareness training reduces human errors.
Effectiveness: 60-80% risk reduction when properly implemented. Most cost-effective control type as they prevent incidents entirely.
Limitations: Cannot stop all attacks. Determined attackers may find ways around preventive controls.
🔍 Detective Controls
Detect security incidents quickly to enable rapid response and minimize damage.
Examples: Intrusion detection systems alert on suspicious activity, SIEM correlates logs to identify attack patterns, file integrity monitoring detects unauthorized changes, anomaly detection identifies unusual behavior, regular security audits find control gaps.
Effectiveness: 40-60% risk reduction by enabling faster response. Reduces average detection time from months to hours or days.
Limitations: Only effective if monitored and acted upon. Generates false positives requiring investigation.
🔧 Corrective Controls
Minimize impact after an incident occurs by enabling quick recovery and preventing recurrence.
Examples: Incident response procedures guide coordinated response, automated backups enable data recovery, patch management closes vulnerabilities, business continuity plans maintain operations, disaster recovery systems restore services.
Effectiveness: 30-50% impact reduction by shortening recovery time. Reduces downtime from days to hours.
Limitations: Incident has already occurred. Focus is on damage control rather than prevention.
⚖️ Compensating Controls
Provide alternative protection when primary controls aren't feasible due to cost, compatibility, or operational constraints.
Examples: Enhanced monitoring when encryption isn’t possible, manual approval workflows when automated controls fail, segregation of duties when system access can’t be restricted, additional logging when real-time detection unavailable.
Effectiveness: 20-40% risk reduction. Less effective than primary controls but better than no control.
Use Cases: Legacy systems, compliance requirements, temporary solutions during transitions.
✅ Layered Defense: Combining Controls
Defense in Depth Strategy
- Multiple control types work together
- If one control fails, others provide backup
- Preventive + Detective + Corrective = 85-95% risk reduction
Example: Protecting Customer Data
- Preventive: Encryption, access controls, firewalls
- Detective: Log monitoring, intrusion detection, audits
- Corrective: Incident response, backups, breach notification
- Compensating: Enhanced monitoring for legacy systems
Result: Layered approach provides comprehensive protection. Single control failure doesn't result in complete compromise.
Effective risk management uses multiple control types. Preventive controls reduce likelihood. Detective controls enable rapid response. Corrective controls minimize impact. Compensating controls fill gaps. Combined, they create resilient security posture that significantly reduces overall risk.
Key Risk Areas
Certain risk areas demand special attention:
Data Security and Privacy
Data breaches create severe consequences:
🚨 Data Security Risks
Threats
- External hackers
- Insider threats
- Lost or stolen devices
- Misconfigured systems
- Third-party breaches
Impacts
- Regulatory fines (GDPR, HIPAA, etc.)
- Lawsuit costs
- Notification expenses
- Reputation damage
- Customer loss
Controls
- Encryption at rest and in transit
- Access controls and authentication
- Data classification
- DLP (Data Loss Prevention)
- Regular security assessments
Data security requires layered defenses. Encryption protects data if systems are compromised. Access controls limit exposure. DLP prevents unauthorized transmission. Regular assessments identify vulnerabilities.
Business Continuity and Disaster Recovery
System failures disrupt operations:
⚠️ Continuity Risks
Threats
- Hardware failures
- Natural disasters
- Cyber attacks
- Human errors
- Power outages
Impacts
- Revenue loss during downtime
- Productivity loss
- Customer dissatisfaction
- Contractual penalties
- Competitive disadvantage
Controls
- Regular backups
- Redundant systems
- Disaster recovery plans
- Business continuity procedures
- Regular testing
Business continuity planning ensures operations continue despite disruptions. Backups enable data recovery. Redundant systems prevent single points of failure. Documented procedures guide response. Regular testing validates plans.
Third-Party Risk
Vendors and partners introduce risks:
⚠️ Third-Party Risks
Concerns
- Vendor security practices
- Data access and handling
- Service availability
- Compliance with regulations
- Vendor financial stability
Impacts
- Inherited security breaches
- Service disruptions
- Compliance violations
- Contractual disputes
- Reputation damage
Controls
- Vendor security assessments
- Contractual security requirements
- Regular audits and reviews
- Incident notification clauses
- Exit strategies
Third-party relationships extend your risk surface. Vendors with access to your data or systems can compromise your security. Thorough vendor assessments, strong contracts, and ongoing monitoring mitigate these risks.
Change Management
Uncontrolled changes create vulnerabilities:
⚠️ Change Management Risks
Problems
- Unauthorized changes
- Inadequate testing
- Poor documentation
- Conflicting changes
- Failed rollbacks
Impacts
- System outages
- Security vulnerabilities
- Data corruption
- Compliance violations
- Productivity loss
Controls
- Formal change approval process
- Testing requirements
- Rollback procedures
- Change documentation
- Segregation of duties
Change management balances agility with control. Formal processes prevent unauthorized changes. Testing requirements reduce failures. Documentation enables troubleshooting. Rollback procedures enable recovery.
Risk Monitoring and Reporting
Risk management is continuous, not one-time:
Continuous Monitoring
Risks evolve as threats and environments change:
📈 Monitoring Activities
Technical Monitoring
- Vulnerability scanning
- Log analysis
- Performance monitoring
- Security event correlation
- Threat intelligence feeds
Process Monitoring
- Control effectiveness reviews
- Incident trend analysis
- Audit findings tracking
- Compliance assessments
- Policy compliance checks
Environmental Monitoring
- Threat landscape changes
- Regulatory updates
- Technology changes
- Business changes
- Vendor changes
Continuous monitoring detects emerging risks and validates control effectiveness. Automated tools provide real-time visibility. Regular reviews ensure controls remain appropriate.
Risk Reporting
Effective reporting keeps stakeholders informed:
📊 Risk Reporting Best Practices
Executive Reporting
- High-level risk dashboard
- Critical risks and trends
- Control effectiveness
- Resource requirements
- Strategic recommendations
Management Reporting
- Detailed risk registers
- Control status
- Incident summaries
- Remediation progress
- Compliance status
Technical Reporting
- Vulnerability details
- Incident analysis
- Control configurations
- Technical metrics
- Remediation plans
Different audiences need different information. Executives need strategic context. Managers need operational details. Technical teams need implementation specifics. Tailor reports to audience needs.
Building a Risk-Aware Culture
Technology alone doesn’t manage risk—people do:
Security Awareness
Users are both the weakest link and strongest defense:
✅ Effective Security Awareness
Training Topics
- Password security
- Phishing recognition
- Data handling procedures
- Incident reporting
- Social engineering tactics
Delivery Methods
- Regular training sessions
- Simulated phishing exercises
- Security newsletters
- Posters and reminders
- Gamification
Measuring Effectiveness
- Training completion rates
- Phishing simulation results
- Incident reporting rates
- Security survey responses
- Behavioral changes
Security awareness transforms users from vulnerabilities into assets. Regular training builds knowledge. Simulated attacks build skills. Positive reinforcement builds culture.
Governance and Accountability
Clear governance establishes accountability:
🏛️ Risk Governance Structure
Board/Executive Level
- Risk appetite definition
- Strategic risk oversight
- Resource allocation
- Policy approval
Risk Committee
- Risk strategy development
- Risk assessment review
- Control effectiveness oversight
- Exception approval
Business Units
- Risk identification
- Control implementation
- Incident response
- Compliance adherence
IT/Security Teams
- Technical controls
- Monitoring and detection
- Vulnerability management
- Incident investigation
Governance clarifies roles and responsibilities. Executives set risk appetite. Committees provide oversight. Business units own risks. Technical teams implement controls.
Real-World Applications
Seeing risk management in practice clarifies concepts:
Financial Services: Regulatory Compliance
A bank manages compliance risks:
🏦 Banking Risk Management
Context
- Strict regulatory requirements
- Customer financial data
- Transaction processing systems
- Multiple compliance frameworks
- High breach consequences
Approach
- Comprehensive risk assessments
- Layered security controls
- Regular compliance audits
- Incident response procedures
- Third-party risk management
Controls
- Encryption and tokenization
- Multi-factor authentication
- Network segmentation
- Continuous monitoring
- Regular penetration testing
Results
- Regulatory compliance maintained
- Zero data breaches
- Audit findings minimized
- Customer trust preserved
- Operational efficiency maintained
Financial institutions face intense regulatory scrutiny. Comprehensive risk management isn’t optional—it’s required. Layered controls, continuous monitoring, and regular assessments ensure compliance while protecting customer data.
Healthcare: Patient Data Protection
A hospital protects patient information:
🏥 Healthcare Risk Management
Context
- HIPAA compliance requirements
- Electronic health records
- Medical device security
- Multiple access points
- Life-critical systems
Approach
- Risk assessments for all systems
- Role-based access controls
- Encryption of patient data
- Business continuity planning
- Vendor security assessments
Controls
- Access logging and monitoring
- Data encryption
- Network segmentation
- Backup and recovery systems
- Security awareness training
Results
- HIPAA compliance achieved
- Patient privacy protected
- System availability maintained
- Audit findings addressed
- Staff security awareness improved
Healthcare organizations balance security with accessibility. Clinicians need rapid access to patient data in emergencies. Security controls must protect privacy without impeding care. Risk management finds this balance.
E-Commerce: Transaction Security
An online retailer secures transactions:
🛒 E-Commerce Risk Management
Context
- Credit card processing
- Customer personal data
- High transaction volumes
- PCI DSS compliance
- Competitive pressure
Approach
- PCI DSS compliance program
- Secure payment processing
- Fraud detection systems
- DDoS protection
- Regular security testing
Controls
- Payment tokenization
- SSL/TLS encryption
- Fraud detection algorithms
- Rate limiting
- Web application firewall
Results
- PCI DSS compliance maintained
- Fraud rates minimized
- Customer trust established
- System availability ensured
- Business growth enabled
E-commerce depends on customer trust. Payment security is non-negotiable. PCI DSS compliance provides a framework. Additional controls address fraud and availability. Risk management enables business growth.
Common Pitfalls
Organizations make predictable mistakes:
🚫 Risk Management Anti-Patterns
Checkbox Compliance
- Focus on compliance over security
- Implement controls without understanding risks
- Ignore business context
- Result: Compliant but insecure
Risk Assessment Theater
- Conduct assessments but ignore results
- Document risks without treatment plans
- No follow-up or monitoring
- Result: Wasted effort, unchanged risk
Technology-Only Approach
- Rely solely on technical controls
- Ignore people and processes
- No security awareness
- Result: Users circumvent controls
Analysis Paralysis
- Endless risk assessments
- Perfect documentation
- No actual risk treatment
- Result: Known risks remain unaddressed
Siloed Risk Management
- IT manages IT risks in isolation
- No business involvement
- Disconnect from business objectives
- Result: Misaligned priorities
The most common mistake is treating risk management as a compliance exercise rather than business protection. Checkbox compliance creates false security. Effective risk management aligns with business objectives and actually reduces risk.
Measuring Success
How do you know if risk management is working?
Key Metrics
Track these indicators:
📊 Risk Management Metrics
Leading Indicators
- Vulnerability remediation time
- Security awareness training completion
- Control implementation progress
- Risk assessment coverage
- Patch compliance rates
Lagging Indicators
- Security incidents
- Audit findings
- Compliance violations
- System downtime
- Data breach costs
Efficiency Metrics
- Cost per control
- Risk assessment cycle time
- Incident response time
- Control automation percentage
- Resource utilization
Leading indicators predict future performance. Lagging indicators measure actual outcomes. Efficiency metrics ensure cost-effectiveness. Track all three for comprehensive visibility.
Continuous Improvement
Risk management evolves:
✅ Improvement Practices
Regular Reviews
- Quarterly risk assessments
- Annual control effectiveness reviews
- Post-incident lessons learned
- Emerging threat analysis
Feedback Loops
- Incident data informs risk assessments
- Audit findings drive improvements
- User feedback shapes awareness programs
- Metrics guide resource allocation
Adaptation
- Update risk assessments for business changes
- Adjust controls for new threats
- Refine processes based on experience
- Adopt new technologies appropriately
Effective risk management improves continuously. Incidents provide learning opportunities. Metrics reveal gaps. Regular reviews ensure relevance. Adaptation maintains effectiveness.
Conclusion
IT risk management protects business value by systematically identifying, assessing, and mitigating technology-related threats. Rather than reacting to incidents, organizations proactively manage risks through structured frameworks and appropriate controls.
The risk management process follows a continuous cycle: identify risks, assess their impact and likelihood, prioritize based on business context, implement appropriate controls, and monitor effectiveness. This cycle repeats as threats evolve and business needs change.
Risk treatment follows four strategies: transfer risk through insurance or outsourcing, tolerate acceptable risks, treat significant risks with controls, or terminate unacceptable risks by eliminating activities. The choice depends on risk level, control costs, and business objectives.
Key risk areas include data security and privacy, business continuity and disaster recovery, third-party relationships, and change management. Each area requires specific controls and monitoring approaches. Layered defenses provide depth—preventive controls reduce likelihood, detective controls enable rapid response, and corrective controls minimize impact.
Effective risk management requires more than technology. Security awareness transforms users from vulnerabilities into assets. Clear governance establishes accountability. Risk-aware culture makes security everyone’s responsibility. People, processes, and technology work together.
Common pitfalls include checkbox compliance without actual security, risk assessments without treatment, technology-only approaches that ignore people, analysis paralysis that delays action, and siloed risk management disconnected from business objectives. Avoiding these mistakes requires business alignment and practical action.
Success metrics include both leading indicators (vulnerability remediation time, training completion) and lagging indicators (incidents, audit findings). Continuous improvement through regular reviews, feedback loops, and adaptation ensures risk management remains effective as threats and business needs evolve.
Real-world examples demonstrate risk management in practice. Financial institutions use comprehensive controls for regulatory compliance. Healthcare organizations balance security with accessibility. E-commerce companies secure transactions while enabling business growth. Each context requires tailored approaches.
The goal isn’t eliminating all risk—that’s impossible and would prevent business operations. The goal is managing risk to acceptable levels while enabling business objectives. Effective risk management protects critical assets, ensures compliance, maintains operations, and preserves reputation.
Before implementing risk management, understand your business context. What are your critical assets? What threats do you face? What regulations apply? What resources are available? The answers guide your approach more than generic best practices.
Risk management is not a project with an end date. It’s an ongoing process that adapts to changing threats, technologies, and business needs. Organizations that embrace this continuous approach protect themselves while maintaining the agility to innovate and grow.
Whether you’re starting a risk management program or improving an existing one, remember: the goal is protecting business value, not perfect security. Focus on outcomes—reduced incidents, maintained compliance, operational resilience, stakeholder confidence. If your risk management achieves these outcomes, you’re succeeding. That’s what effective IT risk management actually means.