As a control I love risk management for two reasons. One, it lets me document every risk the business faces, so none of them is left as an unrecorded worry. Secondly, it makes decision making far easier, because each decision becomes a transparent business decision.
Now that we have an inventory, we know our assets, and we also hold plenty of vulnerability and configuration data about them, along with penetration testing findings that need remediating. We use risk management to weigh all of these security risks against running the business.
A good first step is to carry out a Business Impact Analysis (BIA). This takes either assets or services and assigns each a rating for the impact on the business if it is affected; for example, the ecommerce website where you sell all of your organisation's products would likely be critical, whereas email could be medium to low. By carrying out a high-level BIA, the next step, the risk assessment itself, becomes easier.
In its simplest form this is a spreadsheet in which we document any risk to the business or its assets. Then create a monthly process to review every risk and assign each one a risk rating and a likelihood.
Free Risk Register Template
See the Control Environment – Part 10 – Risk Register Template blog post for the free download.
We can now define what remediating action is required. This should then be reviewed by a senior group of stakeholders who can decide whether the risk, and the associated cost of remediation, are really worth proceeding with in a business context. For example, remediating a risk with a £10,000 impact at a cost of £500,000 may not be the right decision. By including the right stakeholders, it is the business as a whole that consciously considers the risk from a wider business perspective.
Below are four standard actions you should take on a risk:
- Accept – Accept the risk and its impact
- Reduce – Put mitigations in place
- Remove – Stop doing the activity which creates the risk
- Transfer – Give the risk to someone else (difficult in reality)
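The register, the monthly review and the cost-versus-impact check described above, as an added example that is not from the original post. The 1-to-5 BIA and likelihood scales, the impact × likelihood rating, the 30-day review cadence and the sample figures are all assumptions; the stakeholders still make the final call on the action.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scales (the post fixes no numbers): BIA impact bands map to 1..5,
# likelihood is 1..5, and the risk rating is impact x likelihood (1..25).
BIA_RATING = {"critical": 5, "high": 4, "medium": 3, "low": 2}

@dataclass
class Risk:
    asset: str              # asset or service from the inventory / BIA
    description: str
    bia: str                # BIA impact band of the affected asset
    likelihood: int         # 1 (rare) .. 5 (almost certain), reviewed monthly
    impact_gbp: float       # estimated loss if the risk materialises
    remediation_gbp: float  # cost of the proposed mitigation
    last_review: date

    def rating(self) -> int:
        """Risk rating on the assumed 5x5 matrix."""
        return BIA_RATING[self.bia] * self.likelihood

    def review_due(self, today: date) -> bool:
        """Monthly cadence: due once the last review is over 30 days old."""
        return today - self.last_review > timedelta(days=30)

    def proposed_action(self) -> str:
        """Starting point for the stakeholder group. Remove and Transfer are
        business choices the register records rather than derives."""
        if self.remediation_gbp > self.impact_gbp:
            return "Accept"   # e.g. £500,000 to remediate a £10,000 risk
        return "Reduce"

def review_pack(register: list, today: date) -> list:
    """Rows for the monthly stakeholder review, highest rating first."""
    rows = [{"asset": r.asset, "rating": r.rating(), "impact_gbp": r.impact_gbp,
             "remediation_gbp": r.remediation_gbp, "proposed": r.proposed_action(),
             "review_due": r.review_due(today)} for r in register]
    return sorted(rows, key=lambda row: row["rating"], reverse=True)

# Constructed sample register; figures and dates are illustrative only.
REGISTER = [
    Risk("ecommerce website", "unpatched CMS plugin found in pentest",
         "critical", 4, 250_000, 20_000, date(2024, 1, 5)),
    Risk("email", "legacy mailbox without MFA",
         "medium", 3, 10_000, 500_000, date(2024, 2, 20)),
]

def sample_pack() -> list:
    """Review pack for the sample register as of an assumed review date."""
    return review_pack(REGISTER, date(2024, 3, 1))
```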
Any time worry and uncertainty can be reduced is a positive. Risk management stops your business from ignoring risks: instead you actively identify them and gain agreement about their impact and mitigation.