Risk Management Process
Risk management process is the cyclical process of identifying, assessing, analyzing, and responding to risks.
- Identity Mission Essential Functions
- focus on mission essential functions that could cause the whole business to fail if they are not performed
- involves identifying critical systems and assets that support these functions
- Identify Vulnerabilities
- for each function or workflow,
- analyze systems and assets to discover and list any vulnerabilities or weaknesses
- start with the most critical
- for each function or workflow,
- Identify Threats
- for each function or workflow,
- identify the threat sources and actors that may take advantage of or exploit or accidentally trigger vulnerabilities
- for each function or workflow,
- Analyze Business Impacts
- the likelihood of a vulnerability being activated as a security incident by a threat
- and the impact of that incident on critical systems are the factors used to assess risk
- are quantitative and qualitative methods of analyzing impacts and likelihood
- Identify Risk Response
- for each risk,
- identify possible countermeasures
- and assess the cost of deploying additional security controls
- for each risk,
Risk Register
Risk register is a document highlighting the results of risk assessments in an easily comprehensible format.
- tracks the nature and status of risks
- includes:
- information regarding risks
- description
- category
- severity
- risk owner
- probability and impact
- risk rating
- and all identified mitigation strategies
- information regarding risks
- risk register information sources:
- risk assessment results
- audit findings
- team member output
- threat intelligence
- may include a heat map risk matrix
- A graphical table indicating the likelihood and impact of risk factors identified
- commonly depicted as scatterplot graphs
- impact and likelihood are each an axis
- the plot point is associated with a legend that includes more information about the nature of the plotted risk
- should be shared among stakeholders
Risk Level
- For each business process and each threat, you must assess the degree of risk that exists
- variables include:
- Likelihood
- the chance of an event is expressed as a subjectively-determined scale,
- used in qualitative risk analysis
- typically expressed using
- “low,” “medium,” and “high”
- or scored on a scale from 1 to 5
- Probability
- is a mathematical measure of the possibility of a risk occurring
- expressed as a numerical value
- between 0-1
- or as a percentage
- aims to precisely measure the chance of a risk event occurring
- Impact
- is the severity of the risk if realized as a security incident
- determined by factors such as:
- scope
- value of the asset
- financial impacts of the event
- Likelihood
- variables include:
Risk Threshold
Risk threshold defines the limits or levels of acceptable risk an organization is willing to tolerate.
- represents the boundaries within which risks are considered to be acceptable and manageable
- based on various factors
- regulatory requirements
- organizational objectives
- stakeholder expectations
- and the organization’s risk appetite
- help establish clear guidelines for decision-making
- often define different risk thresholds for different types of risks
- based on their potential impact and criticality
Key Risk Indicator (KRI)
Key Risk Indicator (KRI) is critical predictive indicator organizations use to monitor and predict potential risks.
- provide an early indication of increasing risk exposures
- assess the potential impact and likelihood of various risks
- closely associated with risk registers and risk management practices
- KRIs provide the data needed to assess the likelihood and potential impact of each risk item tracked in a risk register
Risk owner is an individual who is accountable for developing and implementing a risk response strategy for a risk documented in a risk register.
- often assigned to leadership team members with the authority to
- make decisions
- and the ability to allocate resources for risk mitigation
Risk tolerance describes the specific amount of variance an organization is willing to accept regarding measured risk levels and the established risk appetite.
- thresholds that separate different levels of risk
- If a risk’s potential impact or likelihood exceeds the risk tolerance,
- risk is added to the risk register for appropriate management and monitoring
Levels of Risk Appetite
| Level | Description |
|---|---|
| Expansionary | An organization with an expansionary risk appetite is willing to take on higher levels of risk in the pursuit of high returns or aggressive growth. These organizations typically operate in rapidly evolving markets or industries and must take risks to remain competitive. Expansionary risk appetites are associated with organizations launching new products, entering new markets, or making major corporate acquisitions. |
| Conservative | An organization with a conservative risk appetite prioritizes risk avoidance. This type of organization takes a cautious approach to risks and prioritizes preserving cash, maintaining a good reputation, or ensuring regulatory compliance over pursuing aggressive growth. |
| Neutral | An organization with a neutral risk appetite balances expansionary and conservative approaches and is willing to take on risks if they align with strategic objectives and can be managed effectively. |
Risk Reporting
Risk reporting describes the methods used to communicate an organization’s risk profile and the effectiveness of its risk management program.
- Effective risk reporting:
- supports decision-making
- highlights concerns
- ensures stakeholders understand the organization’s risks
- content:
- must be tailored for audience
- i.e. strategic or operational
- must clearly convey recommended risk responses
- must be tailored for audience