What is risk management? Quantifying and mitigating uncertainty

How do organizations structure risk management operations?: Risk management has in some organizations traditionally been multicentric, with different departments or individuals within the org implementing risk management techniques in their own work: risk management is a component of good project management, for instance. IT leaders in particular must be able to integrate risk management philosophies and techniques into their planning, as IT infrastructure and spending can represent an intense combination of risk (of cyberattacks, downtime, or botched rollouts, for instance) and benefits realized as increased capabilities or efficiencies.

Some companies, particularly those in heavily regulated industries such as banks and hospitals, centralize risk in a single department under a top-level chief risk officer (CRO) or similar executive role. A CRO might find themselves with responsibilities that overlap or conflict with those of CSOs, CISOs, and CIOs, and in orgs without a clearly defined risk leader, ambitious infosec execs might try to take on that role themselves. In any case, IT leaders need to understand and apply risk management in the areas under their purview.

Risk assessment vs. risk analysis vs. risk management: When reading about this topic, you might encounter the term risk assessment, which refers to the process of evaluating a safeguard or countermeasure against potential threats. You might also hear about risk analysis, which involves identifying potential risks your organization faces and analyzing specific vulnerabilities related to those threats. Risk assessment and risk analysis are key elements to the risk management process, which offers a bigger picture on an organization’s total risk, though sometimes you will see the three terms eliding into one another in casual use.

Risk management vs. enterprise risk management: You might also encounter a distinction between risk management (sometimes back-labelled “traditional risk management”) and enterprise risk management. Enterprise risk management (ERM) has tried to move away from some of the risk management practices seen as antiquated; instead of having each organizational silo manage its own risk, centralized ERM teams, often under the umbrella of a CRO or similar exec as part of a larger governance, risk, and compliance strategy, assess and analyze risk in a more holistic way. Under ERM, business risks are quantified to determine which risks are worth taking. This is the risk management philosophy that most organizations aspire to follow today, with varying degrees of success.

Risk management frameworks: Organizations implement these high-minded principles through risk management frameworks, detailed documents that lay out how risk is to be assessed, analyzed, quantified, and mitigated.

ISO 31000, issued by the International Organization for Standardization, is one of the most widely used and comprehensive frameworks, a framework of frameworks, actually, as it relies on other ISO documents to define how risk is managed in specific areas. (ISO 27005 focuses on information security, for instance.)

Some frameworks focus on specific topics, or began that way and expanded to become more general. For instance, the COSO framework grew out of risk management in the world of financial auditing but expanded to provide guidance for establishing an overall ERM program.

There are a number of frameworks that have a focus on infosec and IT, including:

- Factor Analysis of Information Risk (FAIR), an international standard quantitative model for information security and operational risk
- The Risk Management Framework, a suite of NIST standards and guidelines to support the implementation of risk management programs to meet FISMA requirements
- COBIT, a broad and comprehensive framework from ISACA focused on IT management and governance

CSO Online has more details on these and other frameworks.

Risk management process: At the heart of each of these frameworks is a process outlining the steps necessary for an organization to implement a risk management regime at their company. These steps vary from framework to framework, but let’s take a closer look at the risk management process as outlined in ISO 31000, since it’s something of a gold standard. Note that these steps are not a strict sequence; rather, they are iterative activities your organization should pursue regularly.

- Communicate and consult. You need to help stakeholders throughout your organization understand the risks associated with their job duties and how those risks inform specific decisions and actions they’ll take. This phase involves communication to help team members understand the nature of risk management generally, and consultation to gather information to help make informed decisions about individual departments.
- Define scope, context, and criteria. You should understand each department’s objectives, along with the environment in which the department operates. That way you can define the scope of your risk management activities, that is, where you’re going to apply them within the organization, along with the context in which they take place. In this phase you’ll also be defining “risk criteria”, essentially the standards or parameters that you use to evaluate how risky a potential action is.
- Assess risks. In this phase, you’ll identify, analyze, and assess risks that could affect each area of your organization. In risk analysis, you not only identify potential risks and the specific vulnerabilities related to them, but also consider their likelihood and potential consequences. In risk assessment, you’ll weigh the results of your analysis against the criteria you’ve established, which can help you determine the best mitigation path.
- Treat risks. This is the phase where you choose and then actually implement the steps to address potential risk.
- Monitor and analyze. This is where the iteration comes in: you will want to assess your mitigation plans for effectiveness and adjust accordingly. The risk team should be monitoring the results of actions taken, assessing to make sure everything is going to plan, and analyzing where improvements are warranted.
- Record and report. The whole risk management process should be documented, both to meet any regulatory reporting requirements and to serve as a basis for future iteration.

Risk appetite and risk tolerance: To make that a little less abstract, let’s consider what happens at the core of the process described above, the steps where you define criteria and then assess and treat risk. To define risk criteria, you also need to establish your risk appetite (a high-level description of your attitude towards risk) and your risk tolerance (a more quantified description of what you’re willing to risk in specific areas). Consider an example from an information security context:

- Risk appetite: “We’re not willing to risk significant data breaches, and we’re willing to spend money on security measures to mitigate that risk.”
- Risk tolerance: “No more than 1% of our systems should have critical vulnerabilities, like unpatched software, at any given time.”
- Risk criteria: “We scan each system monthly; any unpatched software with a flaw that has a CVSS score higher than 7 must be remediated within 24 hours, and if more than 1% of systems are that vulnerable, the CISO must be alerted.”

More than one quantified risk tolerance statement can emerge from a risk appetite statement, and more than one criterion can be derived from a risk tolerance statement. The risk management process consists of iterating over these sorts of controls as necessary throughout your organization.
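The risk criteria statement above is concrete enough to be evaluated mechanically against scan output. The following is an added example (not code from the article or from CSO Online) that applies those three thresholds, CVSS above 7, a 24-hour remediation window and a 1% tolerance across the estate, to a constructed set of scanner findings; the host names, CVE identifiers and timestamps are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CVSS_THRESHOLD = 7.0               # "a CVSS score higher than 7"
REMEDIATION_WINDOW = timedelta(hours=24)  # "remediated within 24 hours"
TOLERANCE_FRACTION = 0.01          # "no more than 1% of our systems"

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder identifier, as a scanner would report it
    cvss: float
    detected_at: datetime
    patched: bool

def evaluate_criteria(findings, all_hosts, now):
    """Apply the article's risk criteria to one scan cycle.

    Returns the hosts holding an unpatched critical finding, the findings that
    have exceeded the 24-hour remediation window, the vulnerable fraction of
    the estate, and whether the tolerance breach should alert the CISO.
    """
    critical = [f for f in findings if f.cvss > CVSS_THRESHOLD and not f.patched]
    vulnerable_hosts = sorted({f.host for f in critical})
    overdue = [f for f in critical if now - f.detected_at > REMEDIATION_WINDOW]
    fraction = len(vulnerable_hosts) / len(all_hosts) if all_hosts else 0.0
    return {
        "vulnerable_hosts": vulnerable_hosts,
        "overdue": [(f.host, f.cve) for f in overdue],
        "vulnerable_fraction": fraction,
        "alert_ciso": fraction > TOLERANCE_FRACTION,
    }

# Constructed sample: a 200-host estate and five scanner findings.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
HOSTS = [f"host-{i:03d}" for i in range(200)]
FINDINGS = [
    Finding("host-007", "CVE-0000-0001", 9.8, NOW - timedelta(hours=30), False),  # critical, overdue
    Finding("host-007", "CVE-0000-0002", 5.3, NOW - timedelta(hours=30), False),  # below threshold
    Finding("host-042", "CVE-0000-0003", 7.5, NOW - timedelta(hours=2), False),   # critical, inside window
    Finding("host-099", "CVE-0000-0004", 8.1, NOW - timedelta(hours=48), True),   # already remediated
    Finding("host-150", "CVE-0000-0005", 7.2, NOW - timedelta(hours=50), False),  # critical, overdue
]

def run_sample():
    return evaluate_criteria(FINDINGS, HOSTS, NOW)

if __name__ == "__main__":
    print(run_sample())
```

With this sample, three of 200 hosts (1.5%) carry an unpatched critical finding, so the tolerance is breached even though only two findings are past their remediation deadline.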

Challenges to risk management: Hopefully it’s clear why in theory you might want to implement a risk management program, or centralize current risk management efforts into an ERM program. But some of the challenges to implementing risk management should suggest themselves to you as well:

- Time and money. Risk management programs aren’t cheap. Organizations need to invest in specialized software tools, but that sort of spending is just the beginning. A bigger issue is that a risk management program will occupy time: work hours by people across the organization, both as the program is ramped up and as risk is assessed on an ongoing basis. Executives may have difficulty seeing the value of such investments.
- Getting to a consensus on risk. It would be great if you could simply connect a risk-o-meter to your organization’s servers and get a scientifically quantified level of risk. In fact, even the “quantitative” aspects of risk management (like the values we used in our cyber vulnerability example above) can emerge only from consensus among the humans that work at your organization. They may not all agree, especially in cases where taking a more risk-averse stance can make an organization less nimble, or less profitable.
- Risk can arise outside your organization. As you build a risk management program, it will become clear how much day-to-day risk for any company arises from other organizations you do business with, which you cannot directly control. This is a thorny challenge for any organization; CSO’s Mary K. Pratt has tips for managing third-party risk.

Risk management certification: If your company already has a risk management program that you want to get involved in, or if you want to start one yourself or look for a role in the risk realm, there are certifications that can give you a leg up:

- CRISC (Certified in Risk and Information Systems Control) is an upper-level IT professional certification focused on enterprise risk management from an information technology perspective.
- CRMP (Certified Risk Management Professional) allows you to show off your specialized knowledge of risk management topics and your ability to manage a risk management program.
- COSO’s ERM Certificate is for anyone whose work touches on risk management to demonstrate their mastery of the concepts involved.

There are other more specialized certifications with specific focuses such as healthcare, insurance, or financial auditing; Indeed has a comprehensive list that can help you begin your journey!

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3839272/what-is-risk-management-quantifying-and-mitigating-uncertainty.html
