Making risk relevant – Where you’re getting it wrong with risk management By David Adams, Security Consultant, Prism Infosec

In the face of ESG (Environmental, Social and Governance) obligations, increasingly organised, well-orchestrated cyber attacks and threats to the supply chain due to current macro-economic conditions, risk management has never been more important. It's vital in enabling the organisation to identify, understand and manage risks. But in controlling these risks, it also seeks to enable the business to exploit opportunities more effectively.

However, only 13 percent of organisations thought their risk management provided them with a competitive advantage, according to the 2022 Global State of Enterprise Risk report, and only half thought their risk management processes were focused on emerging risks. Both these findings indicate that risk management is not being adopted in a way that is aligned with the business need or that serves the organisation's best interests.

Fundamentally, this is because there is no one-size-fits-all approach, and yet time and again we see businesses seeking to shoehorn their requirements into a risk methodology. Making risk management relevant to the business is all about making sure the risk methodology fits the organisation, not the other way round, and that it is understood by those with responsibility for identifying, measuring and communicating risk.

Initial considerations

To begin with, it’s necessary to have a clear understanding of the organisation’s goals and priorities to ensure the risk management profile can support those needs while managing any risk which may prevent the organisation from meeting them.

We also need to understand what matters to the organisation in terms of the information it needs to collect, process, store and share to meet those business goals and priorities. If we don't know what we have, we can't hope to understand the risks related to it, which means we can't apply the appropriate controls to safeguard the data as it is used.

In addition to these considerations, there are internal and external factors which will help define an organisation’s risk arena such as legislative, regulatory and contractual requirements together with the organisation’s risk appetite. All these factors will impact the level of tolerance awarded to specific risks and how the business will react in the event they are realised. Don’t overfocus on the likelihood of a risk happening, however. It’s not nearly as important as people think – in fact it’s the likely impact that’s far more relevant and which will influence decisions.

Reward responsibility

Ownership is also vital, but it's not enough to simply assign responsibility. Those managing information risk within the organisation also need to have the right skills and support. However, the same report found that fewer than a third of organisations had provided any formal guidance or training, and that such responsibilities weren't reflected in job performance or pay, diminishing the value of the role.

Those delegated responsibility also need access to the right information, with input from the right people at the right time. This includes SMEs (subject matter experts such as technical and data protection specialists, vendors, etc.) to ensure that an accurate picture of the risk can be formed and articulated. Yet this ownership is by no means set in stone. It needs to be reviewed periodically and when certain triggers occur, such as a change in the direction of the business, any elevation of risk and, of course, in the event of a security incident.

Communicating risk

To make risk truly relevant it also needs to become part and parcel of the decision-making process, and so must permeate the business. One way of doing this is to nominate a risk management 'Champion' who operates at board level and can report regularly on the top risks to the C-suite. However, the report found that while half of the companies in the UK and Europe had appointed a senior executive to lead the process, only 44 percent formally discussed risk when the board met to determine the organisation's strategic plan. By far the most common practice was to discuss risk oversight separately from strategic planning.

At the grass-roots level, the security team needs to be able to communicate risk in meaningful, business-specific terms. Doing so can expedite decision making and also make the risk more intelligible to others. For example, security teams will typically evaluate risk using a Red, Amber, Green (RAG) traffic-light system with the level of risk indicated numerically after the colour, i.e. "RED42", which will have very little meaning outside of the team. An analysis that confers far greater value would state the impact of the risk in terms of loss of business or contracts, loss of reputation, financial impact and punitive regulatory measures or penalties.

Instinctive and influential

Once risk management becomes integral to business decision-making it eventually becomes instinctive. This can yield real dividends: once specific risk criteria are implemented, some business decisions can rely on repeatable "canned" mitigations, allowing risk decisions to be delegated, which in turn increases agility in the marketplace.

Finally, risk management needs to be adaptive to the climate in which it is used. If the business is to remain in control, it will need to regularly attend to its risk management by adapting it to any changes, such as a change in the direction of the business, new or ageing technology and/or external influences. Controls should then be reviewed to ensure that they remain effective.

For example, any systems added to collect, process or store information must have appropriate risk mitigation controls applied throughout their lifecycle, but don't forget about the systems you are retiring. We have all heard the horror stories of IT being disposed of improperly, without the appropriate data sanitisation, thanks to poor investment in the secure disposal or reuse of old IT systems.

Risk management is not a static process, but nor does it need to be a cost centre. Risk can and should be used to bring about improvement, resulting in gains or business growth. But for that to happen, businesses need to embed risk management throughout the organisation and make it integral to their decision making.

David Adams is a GRC Consultant at Prism Infosec and has specific expertise in governance, risk and compliance (GRC). He oversees cyber security incident exercise training and compliance with numerous industry standards. David has over 16 years' experience in cyber security and is a CISSP, ISO 27001 Lead Auditor, GDPR Practitioner, and an IASME Cyber Essentials assessor/IoT assessor.