Importance of Risk Management in an Organization

madunixExecutive IT Director
CERTIFIED EXPERT
Name: Fadi Sodah, Experience: +25 years in Information Technology.
Published:
Risk management is a complex organizational function that aims to underwrite the organization's obligation to identify and mitigate risks.


 

Terms and Definitions

 

Herewith are clarifications for terms needed to understand and clarify the risk management concept:

 

  • Availability - the state that exists when information resources are accessible and usable upon demand by an authorized user.
  • Confidentiality - the state that exists when data is held in confidence and is protected from unauthorized disclosure to unauthorized individuals, entities, or processes. Misuse of data beyond the scope of their duties by those authorized to use it is also considered to be a violation of data confidentiality.
  • Integrity - the state that exists when data is the same as that in the source documents, has been correctly computed from source data, and has not been exposed to accidental alteration or destruction. Incomplete data, unauthorized changes or additions, and erroneous source data are all violations of data integrity.
  • Risk - the result of a threat acting on a vulnerability, expressed as a product of likelihood (probability) and severity (impact).
  • Risk Analysis – this is a process to comprehend the nature of risk and determine the risk level.
  • Risk Assessment –  an assessment that provides essential information required to determine the appropriate risk response. To assess IT Risk, threats and vulnerabilities must be evaluated using qualitative or quantitative risk assessment approaches. Ultimately, it is the overall risk identification, analysis, and evaluation process. Determining the quantitative or qualitative value of risk related to a concrete situation and a recognized threat or hazard. The result of a risk assessment is typically a report that shows assets, vulnerabilities, the likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs, and estimated probable savings from better protection.
  • Risk Management Process – is a systematic application of management policies, procedures, and practices to communicate, consult, establish the context, and identify, analyze, evaluate, treat, monitor, and review risk.
  • Risk Profile  – identifies the IT-related risk to which the organization is exposed and indicates which risk factors exceed the risk appetite.
  • Risk Appetite – an overall level of risk that an organization is ready to take to fulfill its mission.
  • Residual Risk – the risk that remains after control is applied to an identified risk, and that control does not eliminate the risk.
  • Risk Mitigation – the process of prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process.
  • Controls – are implemented top-down in a hierarchy. Control is a security mechanism implemented to prevent, detect, reduce or eliminate risks. In doing so, controls maintain the properties of availability, integrity, and confidentiality. Furthermore, process and business owners evaluate and enforce controls based on the organization's risk appetite.
  • Monitor – continual checking, supervising, critically observing, or determining the status to identify change from the performance level required or expected.
  • Governance –  is the combination of rules, processes, and laws by which businesses operate, regulate, and control.
  • Cyber Security – the use of technology, procedures, and controls to defend against cyberattacks on systems, networks, programs, devices, and data is known as cyber security.
  • Threat - any person, object, or event that, if realized, could potentially cause damage to an information resource or the data processed on those resources. This includes damage to the availability, integrity, and/or confidentiality of resources or information.
  • Vulnerability -  is a weakness in an information resource that a threat can exploit.

 

Good Risk Management

 

A risk is an uncertain event that could affect a process either negatively or positively if it occurs. A good risk management process will:


  • Help prevent the identified risk.
  • Mitigate the effect of the risk.
  • Guide on the preparation of a contingency plan to react to the risk.

 

Cyber Security Strategy

 

Cyber security strategy should aim to protect the organization's Information System's Confidentiality, Integrity, and Availability (CIA). Altogether, these three elements are referred to as the CIA triad. It is crucial that when cyber security strategies are developed, the consequent policies and procedures are aligned with business objectives to support the organization's Information Systems. Furthermore, the support should extend to all Information Systems managed by the organization or third-party services.

 

Cyber Risk is the risk of being exposed to harm, loss, or danger due to using or depending too much on Information Technology. Risk management is integral to governance. Governance is the baseline from which effective risk management takes shape, considering the following points:

 

  • Cyber is not only an IT issue
  • People, Processes, Technology issues
  • Cyber has unique characteristics
  • Enemy unknown – cross border
  • Insider threat is as significant as the external threat
  • Hygiene plays an important role
  • Could undermine the confidence of stakeholders
  • Has potential financial stability implications

 

Cyber Security Resilience

 

To build cyber security resilience of the Information System, consider the following points:


  • Collective strategic planning and collaboration

- Establishing collective governance structure – stakeholders, participants, and regulators/overseers/supervisors

- Applying regulatory convergence and ensuring baseline standards and evolving maturity levels

- Implementing systemic risk management


  • Stakeholder considerations

- Managing outsourcing and third-party providers – the supply chain

- Building collective training and awareness


  • Identification

- Mapping of all Information Systems flow 


  • Response and recovery

- Developing crisis management protocols, system recovery, and operational controls

- Conduct testing


  • Situational awareness

- Developing information sharing and incident reporting and ensuring a sound situational awareness program

 

Risk Management Approach

 

Any organization needs a comprehensive risk management process to identify, measure, evaluate, monitor, report, and control or mitigate all material risks. During the risk management process, the following areas of focus:


  • Strategy, structure, and sensitivity 
  • Governance, capacity, and character.
  • Identify, prevent, detect, respond, recover, and be situationally aware – risk management.
  • Outsourcing – supply chain – third-party risk.
  • Business Continuity Plan / Disaster Recovery. 
  • Projects, processes, people, proactive testing.
  • Oversight, audit, awareness, training, security consciousness.
  • Verifying various data sets/information submitted.

 

An organization must assess and mitigate operational risks to the end-to-end flow of all Information systems internally and across external entities such as third-party service providers. This may involve:


  • Setting rules, standards, Service Level Agreements (SLAs) or similar for participants of, and critical service providers to organization assessing appropriate delivery against such regulations, standards or SLAs; and taking appropriate action in the event of any noncompliance.
  • Identifying and managing any incidents or issues that could cause, or are causing, widespread disruption to the smooth flow of the Information System across the organization and/or reputational risk to the organization and service providers, and assessing lessons learned from such incidents and reflecting these in rules, standards, procedures or SLA, as appropriate.
  • Undertaking end-to-end testing of the Information System, including simulating the operation of the system under extreme scenarios; and
  • Putting in place and maintaining Business Continuity Plans considering risks to the end-to-end Information Systems.

 

Risk Management Process

 

The specific goal of the risk management process is to identify, analyze, mitigate, and monitor each currently active and latent risk known to exist within the organization. Therefore, risk management is an information-gathering and decision-making function. It focuses on understanding all feasible forms of risk and threats, then classifies and assesses those risks and threats to determine their importance.

 

Risk management ensures sufficient knowledge about each relevant threat available for decision-making. And then, it takes the required steps to react to and mitigate all priority risks. Risk management also monitors the effectiveness of those mitigations once they have been put in place. 

 

Threat assessments ensure that all risks in the organization's risk environment are correctly identified and categorized. Therefore, the performance of a threat assessment is a prerequisite to implementing a formally executed risk management operation. After the initial identification and characterization is made, the risk management process typically involves generic steps:


  • Planning
  • Oversight
  • Risk Analysis 
  • Risk Response
  • Continuous Monitoring and Reviewing
  • Communicate and Consult

 

Planning

 

The risk management process is a formal organizational function. The who, what, when, and where of each practice's implementation must be planned as part of the organization's stated risk management strategy. In addition to providing the information that helps guide strategic decision-making about risks.

 

A risk management plan also ensures that a commonly accepted and systematic set of policies and procedures are in place to handle known risks. 

 

Those procedures ensure that the routine risk planning, analysis, response, and process management function are always directly aligned with the business operation's goals. Nevertheless, the primary purpose of risk management is to sustain a disciplined and systematic set of controls that will respond to the risks that the organization considers a priority throughout the business operation. 

 

A risk management plan is a high-level document detailing the overall approach employed to control the risks the organization deems worth addressing. That set of controls is conceived, organized, and managed by the plan. 

 

Oversight

 

A formal oversight process has to be in place to sustain the security strategy. This process aims to monitor and effectively report the organization's risk situation. An oversight process should be created to continuously and reliably depict the current status of identified risks. All factors that comprise that organizational context must be identified and understood to design an effective set of risk controls. The definition of the scope of coverage and the required level of assurance are the primary influences that define that context. 

 

The overall purpose of the risk management function is to establish and maintain an appropriate set of controls. Because of that generic purpose, risk assessments are an especially critical part of the overall risk management process. 

 

Risk assessments ensure effective risk management responses because they identify threats to the organization that appear on the threat horizon and then decide how likely those threats are ft have a meaningful impact, as well as the elements of the organization that are cited by each threat. 

 

Risk Analysis

 

The risk management process aims to mitigate risk. To maintain an adequate understanding of risk, the organization must deploy and maintain a comprehensive risk analysis function. 

 

Risk analysis is the information-gathering function that provides the necessary knowledge of the nature of all identified risks; it is also a prerequisite to implementing the risk management function. That is because a systematic risk analysis can precisely direct the prioritization of the steps the organization will then deploy to do risk management.

 

The outcome of the risk management function should be to confirm that the risks that the organization considers priorities are identified, agreed on, and addressed and that any emerging risks will be recognized and dealt with as they appear. The risk analysis function should also be able to conduct qualitative and quantitative analyses of any newly identified or emerging risk event. 

 

The risk analysis function should also be able to perform all necessary analyses to confirm that presently operational risks are fully characterized and contained.

 

Risk Response

 

Once the risk analysis function is established and operating, the organization's chosen responses to facilitate any significant risk must be designed and deployed. The response to each substantial risk should always be a substantive and correct set of operational procedures supported by the appropriate technology. Because the whole organization is involved, the response should be feasible and understandable to the general constituencies of the organization. Finally, the response should be shown to mitigate the predictable impacts of any identified risk provably.

 

Once the risk response is appropriately targeted, a set of optimum risk management policies can be defined and implemented. The risks themselves are analyzed as they are identified, and the priority that the mitigation ought to receive is determined. This is normally dictated by the danger of the risk and the resources required to ameliorate it. Then, once the risk mitigation decision has been made, the prescribed mitigations are designed, developed, applied, and then continuously evaluated to determine whether progress has been made toward the proper mitigation of the risk.

 

Continuous Monitoring and Reviewing

 

Constant vigilance is central to risk management because damaging risks can appear at odd times and unanticipated places. The organization must also regularly survey the existing risk environment. That is necessary to identify and mitigate any new threats that might arise. Formal testing and reviews and periodic audits of the security function typically underwrite the monitoring. Continuous monitoring must apply uniformly across the organization.  

 

The strategic planning for risk management develops and implements the organizational policies about risk. These are documented/written in a detailed risk management plan. The plan is then utilized to organize and run a rational risk management operation. In most cases, that planning process will dictate specific actions to produce the desired outcome for every meaningful risk. Those outcomes are prioritized in terms of their criticality. 

 

The strategic planning process for risk monitoring aims to maintain an effective set of formal controls to manage each risk. Along with those controls, the strategic risk management plan is also responsible for assigning the specific employee roles and responsibilities required for managing each risk. Finally, the plan describes the process that will be used to evaluate and improve the overall risk management function, including how to use the lesson learned to change the form of the response. 

 

Because cost is always a factor in business decision-making, a precise specification of the maximum degree of acceptable risk is necessary to guide decisions about the degree of risk, the organization is willing to underwrite. A specification of the maximum level of acceptable risk drives the tradeoff process that requires making a real-world planning decision about risk acceptance for each specific conclusion about the degree of risk will also drive the decision about the practice form of the monitoring process. Consequently, the risk management plan process usually involves the formation of a substantive, usually resource-based, map between each risk and the various options for mitigating it. The actual response will be based on the level of practical acceptability of the risk.

 

Communicate and Consult

 

Good communication and consultation are essential for risk management and attempts to:


  • ensure a better understanding of risks and the risk management processes
  • ensure all relevant stakeholders/partners are heard
  • ensure that everyone is aware of their respective obligations

 

Risk Profile

 

In the organization, the risk profiles underwrite the operational plan that is used to manage risk. Risk profiles capture and maintain up-to-date knowledge about the risk situation. It does that by evaluating each identified threat against established risk thresholds. Those thresholds are stipulated in the profile. Risk management then documents mitigation strategies for every risk above its threshold and entails any procedures used to evaluate the effectiveness of potential mitigation alternatives.

 

Risk Management Plan uses a Risk Profile

 

Strategic risk management works in conjunction with a risk profile. A continuous risk profile maintains the connection between the risk environment and the mitigations deployed to address it. 

 

The risk profile lashes an explicit policy link between the overall risk management process and the constantly changing overall environment of the project. The risk profile document is a specific risk management context, including the present threat status of each risk, its probability of occurrence, the consequences of occurrence, and the threshold where the occurrence will become active. 

 

The risk management profile also usually includes a description of stakeholder perspectives and organizational risk categories and often involves the technical and managerial objectives, assumptions, and constraints laid out by stakeholders. The consensus of the stakeholders then dictates the priority of each risk. That priority is based on the interpretation of the organization's risk acceptance policy and the risk's current status.

 

The risk management plan provides explicit policy guidance for the customization of the risk management process to meet the specifications of the risk environment. The priorities set in the general risk management profile are used to determine the resources for treatment. Since the assignment of priorities is a business decision, the profile is periodically disseminated to relevant stakeholders for feedback based on their needs. 

 

Risk thresholds are then defined or adjusted for each risk category within the profile. Those thresholds dictate the conditions under which a level of risk may be accepted or escalated. The risk profile is updated when changes in an individual risk's state or form exist. 

 

To identify and relate the various resource elements within the profile, each risk has to be categorized in terms of its general priority. Priority is directly related to the criticality of the organizational component being controlled. It is essential to know each component's sensitivity requirements to decide how many resources to commit to its protection. 

 

The risk profile management process ensures the most efficient use of security resources within the organization's assumptions as a whole. 

 

Because knowing where the priority risks are is a fundamental precondition for managing them, the term "Risk Analysis" is sometimes used interchangeably with maintaining the risk management profile. However, those two are not the same activity. The risk management profile is unique to the particular organization. It is maintained by the performance of the ongoing risk analyses; thus, it is a product in and of itself.

 

Conclusion

 

Risk management is an enterprise-level activity; many organizations split the risk into different categories: business risk, market risk, financial risk, operational risk, IT risk, cyber security risk, etc. Looking at all risks from the organization's perspective is essential; it gives the organization more insight into lowering risks and raising compliance.


Risk management is a complex organizational function that aims to underwrite the organization's obligation to identify and mitigate risks. Every organization should adopt and implement comprehensive risk management to identify, measure, monitor, and manage all risks it might be exposed to. Attention should be given to the risk of critical operations and services disruption.

 

References

 

1
464 Views
madunixExecutive IT Director
CERTIFIED EXPERT
Name: Fadi Sodah, Experience: +25 years in Information Technology.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.