Terms and Definitions
The following clarifies the terms needed to understand the risk management concept:
Good Risk Management
A risk is an uncertain event that could affect a process either negatively or positively if it occurs. A good risk management process will:
Cyber Security Strategy
Cyber security strategy should aim to protect the Confidentiality, Integrity, and Availability (CIA) of the organization's Information Systems. Together, these three properties are referred to as the CIA triad. It is crucial that, when cyber security strategies are developed, the resulting policies and procedures are aligned with business objectives so that they support the organization's Information Systems. That support should extend to all Information Systems, whether managed by the organization itself or by third-party service providers.
Cyber Risk is the risk of being exposed to harm, loss, or danger arising from the use of, or dependence on, Information Technology. Risk management is integral to governance. Governance is the baseline from which effective risk management takes shape, considering the following points:
Cyber Security Resilience
To build cyber security resilience of the Information System, consider the following points:
- Establishing collective governance structure – stakeholders, participants, and regulators/overseers/supervisors
- Applying regulatory convergence and ensuring baseline standards and evolving maturity levels
- Implementing systemic risk management
- Managing outsourcing and third-party providers – the supply chain
- Building collective training and awareness
- Mapping all Information System flows
- Developing crisis management protocols, system recovery, and operational controls
- Conducting testing
- Developing information sharing and incident reporting and ensuring a sound situational awareness program
Risk Management Approach
Any organization needs a comprehensive risk management process to identify, measure, evaluate, monitor, report, and control or mitigate all material risks. The risk management process should focus on the following areas:
An organization must assess and mitigate operational risks to the end-to-end flow of all Information Systems, both internally and across external entities such as third-party service providers. This may involve:
Risk Management Process
The specific goal of the risk management process is to identify, analyze, mitigate, and monitor each currently active and latent risk known to exist within the organization. Therefore, risk management is an information-gathering and decision-making function. It focuses on understanding all feasible forms of risk and threats, then classifies and assesses those risks and threats to determine their importance.
Risk management ensures that sufficient knowledge about each relevant threat is available for decision-making, then takes the required steps to respond to and mitigate all priority risks. It also monitors the effectiveness of those mitigations once they have been put in place.
Threat assessments ensure that all risks in the organization's risk environment are correctly identified and categorized. Therefore, the performance of a threat assessment is a prerequisite to implementing a formally executed risk management operation. After the initial identification and characterization is made, the risk management process typically involves generic steps:
The risk management process is a formal organizational function. The who, what, when, and where of each practice's implementation must be planned as part of the organization's stated risk management strategy. In addition to providing the information that guides strategic decision-making about risks, a risk management plan ensures that a commonly accepted and systematic set of policies and procedures is in place to handle known risks.
Those procedures ensure that the routine risk planning, analysis, response, and process management functions are always directly aligned with the goals of the business operation. Ultimately, the primary purpose of risk management is to sustain a disciplined and systematic set of controls that respond, throughout the business operation, to the risks the organization considers a priority.
A risk management plan is a high-level document detailing the overall approach employed to control the risks the organization deems worth addressing. That set of controls is conceived, organized, and managed by the plan.
A formal oversight process has to be in place to sustain the security strategy. Its aim is to monitor and accurately report the organization's risk situation, so it should continuously and reliably depict the current status of each identified risk. To design an effective set of risk controls, all factors that make up the organizational context in which those controls operate must be identified and understood. The defined scope of coverage and the required level of assurance are the primary influences that define that context.
The overall purpose of the risk management function is to establish and maintain an appropriate set of controls. Because of that generic purpose, risk assessments are an especially critical part of the overall risk management process.
Risk assessments enable effective risk management responses because they identify the threats appearing on the organization's threat horizon, decide how likely each threat is to have a meaningful impact, and identify the elements of the organization targeted by each threat.
The risk management process aims to mitigate risk. To maintain an adequate understanding of risk, the organization must deploy and maintain a comprehensive risk analysis function.
Risk analysis is the information-gathering function that provides the necessary knowledge of the nature of all identified risks; it is also a prerequisite to implementing the risk management function. That is because a systematic risk analysis can precisely direct the prioritization of the steps the organization will then deploy to do risk management.
The outcome of the risk management function should be to confirm that the risks that the organization considers priorities are identified, agreed on, and addressed and that any emerging risks will be recognized and dealt with as they appear. The risk analysis function should also be able to conduct qualitative and quantitative analyses of any newly identified or emerging risk event.
The risk analysis function should also be able to perform all necessary analyses to confirm that currently active risks are fully characterized and contained.
Once the risk analysis function is established and operating, the organization's chosen responses to each significant risk must be designed and deployed. The response to each substantial risk should always be a substantive and correct set of operational procedures supported by the appropriate technology. Because the whole organization is involved, the response should be feasible and understandable to the organization's general constituencies. Finally, the response should be demonstrably shown to mitigate the predictable impacts of the identified risk.
Once the risk response is appropriately targeted, a set of optimal risk management policies can be defined and implemented. Risks are analyzed as they are identified, and the priority their mitigation ought to receive is determined. That priority is normally dictated by the severity of the risk and the resources required to address it. Once the mitigation decision has been made, the prescribed mitigations are designed, developed, applied, and then continuously evaluated to determine whether progress is being made toward proper mitigation of the risk.
Continuous Monitoring and Reviewing
Constant vigilance is central to risk management because damaging risks can appear at unexpected times and in unanticipated places. The organization must therefore regularly survey its existing risk environment to identify and mitigate any new threats that arise. Formal testing, reviews, and periodic audits of the security function typically underpin the monitoring. Continuous monitoring must apply uniformly across the organization.
The strategic planning for risk management develops and implements the organizational policies about risk. These are documented/written in a detailed risk management plan. The plan is then utilized to organize and run a rational risk management operation. In most cases, that planning process will dictate specific actions to produce the desired outcome for every meaningful risk. Those outcomes are prioritized in terms of their criticality.
The strategic planning process for risk monitoring aims to maintain an effective set of formal controls to manage each risk. Along with those controls, the strategic risk management plan assigns the specific employee roles and responsibilities required for managing each risk. Finally, the plan describes the process that will be used to evaluate and improve the overall risk management function, including how lessons learned are used to change the form of the response.
Because cost is always a factor in business decision-making, a precise specification of the maximum acceptable level of risk is necessary to guide decisions about how much risk the organization is willing to underwrite. That specification drives the tradeoff process: for each specific risk, a real-world planning decision is made about whether to accept it, and that conclusion also determines the practical form of the monitoring process. Consequently, the risk management planning process usually involves building a substantive, usually resource-based, map between each risk and the various options for mitigating it. The actual response is then based on the level of practical acceptability of the risk.
Communicate and Consult
Good communication and consultation are essential to risk management and aim to:
Within the organization, risk profiles underpin the operational plan used to manage risk. A risk profile captures and maintains up-to-date knowledge about the risk situation by evaluating each identified threat against the risk thresholds stipulated in the profile. Risk management then documents a mitigation strategy for every risk above its threshold and records the procedures used to evaluate the effectiveness of the alternative mitigations.
Risk Management Plan uses a Risk Profile
Strategic risk management works in conjunction with a risk profile. A continuous risk profile maintains the connection between the risk environment and the mitigations deployed to address it.
The risk profile establishes an explicit policy link between the overall risk management process and the organization's constantly changing environment. The risk profile document captures the specific risk management context, including the present threat status of each risk, its probability of occurrence, the consequences of occurrence, and the threshold at which the risk requires an active response.
The risk management profile also usually includes a description of stakeholder perspectives and organizational risk categories and often involves the technical and managerial objectives, assumptions, and constraints laid out by stakeholders. The consensus of the stakeholders then dictates the priority of each risk. That priority is based on the interpretation of the organization's risk acceptance policy and the risk's current status.
The risk management plan provides explicit policy guidance for the customization of the risk management process to meet the specifications of the risk environment. The priorities set in the general risk management profile are used to determine the resources for treatment. Since the assignment of priorities is a business decision, the profile is periodically disseminated to relevant stakeholders for feedback based on their needs.
Risk thresholds are then defined or adjusted for each risk category within the profile. Those thresholds dictate the conditions under which a level of risk may be accepted or escalated. The risk profile is updated when changes in an individual risk's state or form exist.
To identify and relate the various resource elements within the profile, each risk has to be categorized in terms of its general priority. Priority is directly related to the criticality of the organizational component being controlled. It is essential to know each component's sensitivity requirements to decide how many resources to commit to its protection.
The risk profile management process ensures the most efficient use of security resources within the constraints the organization as a whole has set.
Because knowing where the priority risks are is a fundamental precondition for managing them, the term "Risk Analysis" is sometimes used interchangeably with maintaining the risk management profile. However, those two are not the same activity. The risk management profile is unique to the particular organization. It is maintained by the performance of the ongoing risk analyses; thus, it is a product in and of itself.
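As an added example that is not part of the original article, the risk-profile thresholds and the resource-based map between each risk and its mitigation options described above can be expressed as a small risk register. It uses the standard quantitative model of single loss expectancy (SLE = asset value × exposure factor) and annualized loss expectancy (ALE = SLE × annualized rate of occurrence), which the article does not name; the category thresholds, register entries, and mitigation costs are constructed for illustration only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Mitigation:
    """A candidate control. aro_reduction is the fraction of occurrences it prevents (0..1)."""
    name: str
    annual_cost: float
    aro_reduction: float


@dataclass
class Risk:
    """One entry in the risk profile, valued with the SLE/ALE model (an assumption, not the article's)."""
    rid: str
    category: str                 # selects the threshold from the profile
    asset_value: float            # value of the affected organizational component
    exposure_factor: float        # fraction of the asset lost per occurrence (0..1)
    aro: float                    # annualized rate of occurrence (expected events per year)
    mitigations: List[Mitigation] = field(default_factory=list)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass
class Decision:
    action: str                   # accept | treat | treat-and-escalate | escalate
    ale: float                    # inherent annual loss expectancy
    mitigation: Optional[Mitigation]
    residual_ale: float           # ALE after the chosen mitigation (equals ale if none chosen)


def best_mitigation(risk: Risk) -> Optional[Mitigation]:
    """Resource-based map: choose the control with the largest positive net benefit
    (expected ALE reduction minus annual cost). Returns None if no control pays for itself."""
    ale = risk.ale()
    best, best_net = None, 0.0
    for m in risk.mitigations:
        net = ale * m.aro_reduction - m.annual_cost
        if net > best_net:
            best, best_net = m, net
    return best


def evaluate(risk: Risk, thresholds: Dict[str, float]) -> Decision:
    """Apply the profile threshold for the risk's category and decide accept / treat / escalate."""
    ale = risk.ale()
    threshold = thresholds[risk.category]
    if ale <= threshold:
        return Decision("accept", ale, None, ale)
    m = best_mitigation(risk)
    if m is None:
        # Above threshold and no cost-effective treatment: a business decision is required.
        return Decision("escalate", ale, None, ale)
    residual = ale * (1.0 - m.aro_reduction)
    # A treatment that still leaves the risk above its threshold is applied but also escalated.
    action = "treat" if residual <= threshold else "treat-and-escalate"
    return Decision(action, ale, m, residual)


def plan(register: List[Risk], thresholds: Dict[str, float]) -> Dict[str, Decision]:
    return {r.rid: evaluate(r, thresholds) for r in register}


# Constructed sample profile: ALE (per year) above which a risk must be treated or escalated.
THRESHOLDS = {"cyber": 50_000.0, "operational": 100_000.0}

# Constructed sample register (illustrative values, not data from any real organization).
REGISTER = [
    Risk("R1", "cyber", 1_000_000, 0.3, 0.5, [
        Mitigation("Phishing-resistant MFA", 20_000, 0.8),
        Mitigation("Managed SIEM", 60_000, 0.5),
    ]),
    Risk("R2", "cyber", 100_000, 0.1, 1.0, [Mitigation("Extra WAF rules", 15_000, 0.3)]),
    Risk("R3", "operational", 2_000_000, 0.5, 0.2, [Mitigation("Second data centre", 300_000, 0.9)]),
    Risk("R4", "operational", 5_000_000, 0.4, 0.25, [Mitigation("Offline backups + DR runbook", 50_000, 0.6)]),
]

if __name__ == "__main__":
    for rid, d in plan(REGISTER, THRESHOLDS).items():
        chosen = d.mitigation.name if d.mitigation else "-"
        print(f"{rid}: ALE={d.ale:,.0f} action={d.action} mitigation={chosen} residual={d.residual_ale:,.0f}")
```

In this register R1 is treated with MFA (the largest net benefit), R2 sits below its category threshold and is accepted, R3 has no mitigation that costs less than the loss it prevents and is escalated for a management decision, and R4 is treated but remains above threshold, so it is treated and escalated. Changing a threshold in the profile changes the decisions without touching the register, which is the separation between policy and analysis the article describes.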
Risk management is an enterprise-level activity; many organizations split risk into categories such as business risk, market risk, financial risk, operational risk, IT risk, and cyber security risk. Looking at all risks from the organization's overall perspective is essential; it gives the organization more insight into lowering risk and improving compliance.
Risk management is a complex organizational function that aims to underwrite the organization's obligation to identify and mitigate risks. Every organization should adopt and implement comprehensive risk management to identify, measure, monitor, and manage all risks it might be exposed to. Attention should be given to the risk of critical operations and services disruption.