Managing risk in the complex security landscape today means that organizations large and small can all benefit from risk assessments. Regulatory frameworks such as GDPR, SOX/EuroSOX, and HIPAA all require organizations to perform risk assessments but are not prescriptive in methods. Even organizations outside of regulatory oversight benefit from risk assessments in several ways:
- Prioritization of efforts - a well-managed risk register is very illuminating as to which processes are key to mitigating risks, which areas need more focus, and even control areas that may not have previously been considered
- Drives a security culture - when regular risk assessments leverage common and approachable methods that do not require IT expertise or security knowledge, it allows everyone in the organization to take ownership of the security of systems, processes, and data
- Helps justify security costs - when common methods are used to identify and categorize risk the outcome should always be useful in justifying current and future security costs
Where to start
It is important that leadership supports this initiative and is prepared to drive results. Leadership has to start by defining two crucial terms for the organization:
- Risk Appetite - this is the amount of risk an organization is willing to take on during the course of business.
- Risk Tolerance - this is the amount that an organization is willing to deviate from the risk appetite.
These two terms are used in conjunction to set expectations around managing risk, and they may be different based on different lines of business or control areas. The FAIR Institute, a non-profit committee for risk management, uses an analogy of traveling on the highway. The speed limit is the amount of speed that is accepted by the appetite, but many drivers will exceed that speed. The tolerance defines what variance is acceptable before intervention is required.
With these expectations established up front, leadership has to be prepared to provide accountability in driving expected results. Risk that falls within the appetite should be accepted as a cost of doing business, but based on the risk tolerance, immediate action may be required to mitigate other risks.
Consider Inherent Risk versus Residual Risk
As we cover in our next post on the topic, when performing an assessment you will generate an inherent risk calculation as well as a residual risk calculation. It is easy to think of the inherent risk as the level of risk in the absence of direct controls, and residual risk as the risk level after the controls have been applied. When defining the risk appetite and tolerance, you should consider both types of risk, and the scoring model you use for them, in establishing your appetite.
First year jitters
A common mistake when assessing the risk profile of an organization for the first time is to consider everything a catastrophic risk. It is very common when considering the risk taken on every day in quantifiable terms to go right to a worst case scenario. It is important to have two tools in your tool belt when assessing risk for the first time:
- Leverage documented guardrails - Do not rely on qualitative measurements, but instead focus on quantitative values that are established before the assessment. When considering a possible financial loss, “bad” is not a suitable impact. But if you have previously established a range in dollar amounts that correlates with a score, you will get much more meaningful work done.
- Be prepared to reassess - It is important to understand that risk assessment is an iterative process, especially when it is new to an organization. Reassessing risk is very important, but so is reassessing the processes used to assess risk. If you have previously established a value for financial loss to correlate to a potential impact score, but no risks in your entire portfolio fall within it, it could be worth reassessing the ranges used in the assessment process.
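To make the inherent-versus-residual calculation and the documented-guardrails idea concrete, here is a small scoring model written for this post as an added example; it is not code from the original article or from any framework it mentions. The dollar ranges, frequency bands, 1..5 scores, control-effectiveness scale, appetite and tolerance values, and the three sample register entries are all constructed for illustration, and a real program would take them from the organization's own agreed guardrails. It also shows the reassessment check from the second bullet: it reports impact bands that no risk in the portfolio falls into.

```python
"""Illustrative risk-register scoring model (added example, not from the original post).

Every range, score, risk name and control-effectiveness figure below is constructed
for the example; real values come from the organization's own documented guardrails.
"""
from dataclasses import dataclass
from typing import List

# Documented guardrails: each band is (lower bound inclusive, upper bound exclusive, score).
# Impact is a single-event dollar loss; likelihood is expected events per year. Constructed values.
IMPACT_BANDS = [
    (0, 10_000, 1),
    (10_000, 100_000, 2),
    (100_000, 1_000_000, 3),
    (1_000_000, 10_000_000, 4),
    (10_000_000, float("inf"), 5),
]
LIKELIHOOD_BANDS = [
    (0, 0.1, 1),
    (0.1, 0.5, 2),
    (0.5, 1, 3),
    (1, 10, 4),
    (10, float("inf"), 5),
]


def band_score(value, bands):
    """Map a quantitative value onto the pre-agreed 1..5 score for the band it falls in."""
    for lo, hi, score in bands:
        if lo <= value < hi:
            return score
    raise ValueError(f"value {value!r} falls outside every documented band")


@dataclass
class Risk:
    name: str
    loss_usd: float               # estimated loss from one occurrence
    events_per_year: float        # estimated frequency
    control_effectiveness: float  # assumed scale: 0.0 = no controls, 1.0 = fully mitigating

    def inherent_score(self) -> int:
        """Risk level in the absence of direct controls: impact x likelihood, 1..25."""
        return band_score(self.loss_usd, IMPACT_BANDS) * band_score(self.events_per_year, LIKELIHOOD_BANDS)

    def residual_score(self) -> int:
        """Risk level after controls are applied; floored at 1, since controls rarely remove risk entirely."""
        return max(1, round(self.inherent_score() * (1 - self.control_effectiveness)))


def classify(score: int, appetite: int, tolerance: int) -> str:
    """Accept within appetite, monitor within the tolerated deviation, otherwise require mitigation."""
    if score <= appetite:
        return "accept"
    if score <= appetite + tolerance:
        return "monitor"
    return "mitigate"


def unused_impact_bands(risks: List[Risk]) -> List[int]:
    """Impact bands that no risk falls into: a hint that the documented ranges may need reassessing."""
    used = {band_score(r.loss_usd, IMPACT_BANDS) for r in risks}
    return [score for _, _, score in IMPACT_BANDS if score not in used]


# Constructed sample register entries.
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", 250_000, 4, 0.6),
    Risk("Ransomware on file servers", 2_000_000, 0.3, 0.0),
    Risk("Lost laptop holding unencrypted data", 50_000, 2, 0.9),
]
APPETITE, TOLERANCE = 4, 3  # constructed: accept <= 4, monitor <= 7, mitigate above 7


def register_report(risks=SAMPLE_RISKS, appetite=APPETITE, tolerance=TOLERANCE):
    """Return one row per risk with its inherent and residual scores and the resulting action."""
    return [
        {
            "name": r.name,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "action": classify(r.residual_score(), appetite, tolerance),
        }
        for r in risks
    ]


if __name__ == "__main__":
    for row in register_report():
        print(f"{row['name']:<40} inherent={row['inherent']:>2} residual={row['residual']:>2} -> {row['action']}")
    print("impact bands with no risks (consider reassessing):", unused_impact_bands(SAMPLE_RISKS))
```

The point of the band tables is that the judgement is made once, up front, when the ranges are agreed; the assessment itself only looks values up. In the sample register, phishing scores 12 inherent but 5 residual (monitor), ransomware with no controls stays at 8 (mitigate), the laptop risk drops to 1 (accept), and bands 1 and 5 are unused, which is the signal the second bullet says should prompt a look at the ranges themselves.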
If all of this seems like a LOT of information to take in, the good news is that you’re not alone and there are many organizations that have laid out established methods for risk management to help you on your journey.
The End Result
The goal of a risk assessment is to communicate the risks facing your organization in meaningful terms to management, so that risk can be addressed accordingly. Risk assessments should always be objective and never punitive - the goal is to drive change forward. Some of the components of assessments are standard across all models; some may need to be fine-tuned to fit your organization.
The artifact that holds the assessment of your risks can have many names and forms, but there are two very common models:
- Risk and Controls Self Assessment - Also known as an RCSA, this is a document that captures an assessment of the risks facing an organization as well as the controls in place and their effectiveness. This model is performed directly by the business unit that takes on these risks and performs these processes, and serves as a way for them to make constant updates and get real-time feedback on their risk environment.
- Risk Register - this model is usually run in conjunction with an RCSA, and is performed by a person removed from the performance of the processes being assessed. Risk registers are helpful in collecting and aggregating risks that may be occurring in different and distinct departments. These can also be helpful in aligning risk values to strategic objectives instead of tactical ones.
Whether you use one model or both, reporting needs to be generated and retained for management and any regulatory oversight you may have. Live reporting and responsive metrics are very helpful in understanding changing risk posture, but don’t forget the importance of point-in-time reporting for artifacts as well.