Security with Intent – Risk Management: Part 2

  • dustin4158
  • Oct 12, 2022
  • 4 min read

May 26, 2022




Now that we’ve spent a little time discussing some of the decision criteria that go into performing a risk assessment, let’s move on to the broader topic of building an end-to-end risk management program. After all, if one is going to go through the trouble of assessing risk, one will probably need to do something with the results.

Fundamentals of a Risk Management Program – The “what” of risk management

While I’ve been involved in developing strategies and executing on implementation for some pretty complex risk management programs, each of them needed to start with some basic building blocks that are fundamental to any risk management program. I tend to align these fundamentals to the “what” side of intent for this initiative, as I feel they are necessary regardless of the complexity that may be added down the road. At a minimum, every risk management program should have the following procedural components:

  • Ability to Assess Risk: A defined methodology for measuring impact and likelihood of a threat event occurring. I covered some aspects of this in part 1 of this risk management series.

  • Guidelines for Responding to Risk: Important boundaries and guidance for what you will do about risk once it’s identified.

  • Ability to Monitor Risk: The ability to detect and track changes to risks that have already been identified.

In addition to the above procedural components, the “what” side of intent for risk management also requires the ability to obtain the requisite threat, vulnerability and asset information as key inputs. While these elements are typically outside the remit of the risk management team itself, obtaining these inputs is crucial to the ability to effectively assess, respond to and monitor risk, and therefore requires cross-team collaboration to determine the best means of obtaining the right types and amounts of data at the right intervals. While I don’t intend to immediately detail programmatic elements and intent for threat, vulnerability or asset programs as part of this blog series, I have written previously on these topics and may revisit them again soon.


Risk Response

Your risk management program requires guidelines for how you will respond to risk because mitigation is not the only option, and it is sometimes not the best or most practical one. For those of you new to risk management and risk response, one generally has five options to choose from:

  • Accept: Acknowledging that the risk exists; this typically implies that the risk is within an acceptable tolerance level.

  • Avoid: Taking an alternative approach when an activity or initiative is identified as carrying a risk level beyond the acceptable tolerance level. Usually this response suggests that mitigating, sharing or transferring the risk is not feasible or practical.

  • Mitigate: Taking action(s) that will reduce likelihood or impact of a risk to an acceptable level.

  • Share: Shifts part of the risk liability to another organization.

  • Transfer: Shifts all of the risk liability to another organization.

Part 4 of this mini-series on risk management will explore risk response in more depth. For now, know that you will likely want and need executive leadership input on this area of risk management in order to manage risk in line with expectations of the business.


Risk Monitoring

The third fundamental procedural area that will need to be addressed in building out your risk management program is defining how you will monitor risk. This component is critical because risk, and the variables that define it, are dynamic, not static. Internal and external influences can also change tolerance levels for risk and will require ongoing input from the business in order to understand and adjust your risk responses accordingly. Nailing down the appropriate review intervals and the adaptability this requires can be difficult in many organizations, and consequently this element is often absent except in more sophisticated risk management programs.


An important input that should be considered part of a fundamental risk monitoring capability, however, is tracking changes to threat variables. Without getting into a detailed discussion about threats, an organization should strive to monitor changes to threat actors, their motives and their capabilities in relation to your environment. Note that when I refer to threat actors, this does not necessarily mean people or even cyber-related threats; it could apply to weather, competition, customer sentiment or any number of other threat types, depending on the type of risk one is trying to measure. As threat dynamics change, one needs the ability to pick up on those changes and re-evaluate how they affect a particular risk you are monitoring.


Additionally, risk monitoring needs to account for changes in where the organization is vulnerable to a particular threat event. Within the cyber space, these changes could be brought on by changes within the IT environment, by newly discovered coding flaws, or even by changes in how particular applications are being accessed. As the environment shifts with the business, changes to vulnerability need to be accounted for so that risk posture can be remeasured and risk responses adjusted to accommodate them.

As you can probably see, just getting the fundamentals of a risk management program in place demands attention and thought. It is absolutely critical to the success of these programs that organizations get these building blocks in place first, and set up correctly, before getting into the “why” aspects, which imply additional sophistication and complexity in managing risk. Some of the areas that require a strong foundation to be in place first include Enterprise Risk Management, Third Party and/or Supplier Risk, incorporation of a dynamic Risk Strategy, and use of strong asset classification. In part 3 of this series on risk management we’ll start diving into some of these topics and begin to address the “why”.
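To make the monitoring loop described above concrete, here is an added example (not code from the original post) of a minimal risk-register entry that re-measures a risk when threat or vulnerability variables change and flags responses that need review. The 1-5 ordinal scales, the averaging rule for likelihood and the tolerance threshold of 8 are all assumptions for illustration.

```python
"""Constructed risk-register monitor: re-scores a risk when threat or
vulnerability inputs change and flags responses that need review."""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"
    SHARE = "share"
    TRANSFER = "transfer"


MONITORED = ("threat_capability", "threat_motive", "exposure", "impact")


@dataclass
class Risk:
    name: str
    threat_capability: int  # 1-5 (assumed scale): actor's ability against us
    threat_motive: int      # 1-5: how motivated the actor is
    exposure: int           # 1-5: how vulnerable/exposed the asset is
    impact: int             # 1-5: business impact if the event occurs
    response: Response
    tolerance: int = 8      # assumed: highest score the business accepts

    def likelihood(self) -> int:
        # Constructed rule: likelihood is the rounded average of the
        # threat and vulnerability factors, clamped to the 1-5 scale.
        raw = (self.threat_capability + self.threat_motive + self.exposure) / 3
        return max(1, min(5, round(raw)))

    def score(self) -> int:
        return self.likelihood() * self.impact


def monitor(risk: Risk, **changes: int) -> list[str]:
    """Apply observed changes to threat/vulnerability variables, re-measure
    the risk and return review flags (an empty list means no action)."""
    before = risk.score()
    for name, value in changes.items():
        if name not in MONITORED:
            raise ValueError(f"unknown risk variable: {name}")
        setattr(risk, name, max(1, min(5, value)))
    after = risk.score()
    flags = []
    if after != before:
        flags.append(f"{risk.name}: score changed {before} -> {after}")
    if risk.response is Response.ACCEPT and after > risk.tolerance:
        flags.append(f"{risk.name}: accepted risk now exceeds tolerance "
                     f"{risk.tolerance}; response must be revisited")
    return flags
```

A risk that was accepted at a score of 6 is flagged once the actor's capability and the asset's exposure both rise, because the re-measured score of 9 exceeds the assumed tolerance.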


©2022 by Cyber Token.