Close-up Photo of Spreadsheet

Building Blocks of Risk Management

ByAaron Balchunas

To some, risk management sounds tedious. It evokes images of long meetings, boring analysis, and pocket protectors.

To each their own. For the rest of us nerds, there is thrill in the ‘hunt.’ Ignoring risk can be crippling or fatal to an organization. Risk-focused teams, in all their incarnations, serve on the front lines to protect an organization.

Not convinced? See that unpatched, 20-year-old server left unfirewalled in the closet? Not a big deal right? Then boom – your sensitive corporate data is stolen and posted to the dark web.

Unlikely, you say? How about that upstart new competitor in your market, with the fancy new product? They will probably fail right? No reason to worry or adapt? Boom again – you find your business irreversibly disrupted. Your customers and profits evaporate. (apologies to Kodak, Novell, Nokia, Netscape, BlackBerry, Blockbuster… probably should stop there).

Risk is unavoidable. Risk manifests in many forms – financial, operational, security, compliance, competitive, strategic, and many more. Regardless of the form, consequences can range from trivial to severe. Healthy organizations understand, prioritize, and mitigate risk effectively.

Risk will never reach zero. That is not the goal. Risk teams can become over-zealous. Risk should not needlessly shut down projects, products, or ideas. An organization that avoids all risk will stagnate. Find the right balance. As a risk team, be a partner. Do not be feared. Find the right path forward.

Building a risk management process may seem daunting. Fortunately, numerous models exist to borrow from. Terms may vary, but all share similar ‘components’ to manage risk:

  • Identify
  • Document
  • Assess
  • Mitigate
  • Monitor

A model like this can be applied to virtually any type of risk. My background is security. For entirely unselfish reasons, the examples below will focus on security. Modify as needed to fit your own discipline.

Let’s explore the basics of each component.

Identify

Identifying risk is the first step of any risk management model. To stop a threat, you must know the threat exists.

Cast a wide net. The more inputs the better. Do not fear an avalanche of information. Filtering and prioritizing risk will come later. You want to encourage, not hinder, awareness of risks to avoid blind spots.

What inputs help identify risk?

1. People are knowledgeable and observant. Listen to them – you will gain astonishing awareness of risks. Expand this beyond the people working on risk teams. People throughout an organization have insight, and often want to help.

Two ways to approach this:

  • Active solicitation – you go to them. Send surveys. Meet with people. Ask questions about concerns they have in their domain. Does anything keep them up at night?
  • Feedback mechanisms – they come to you. Keep an open door. Offer easy tools to submit concerns or threats. Encourage this as part of your culture.

Preferably, use both approaches. Reward people for their help. Gamify this to get more enthusiastic participants. Simple thankfulness goes a long way too.

Never punish or harass people for raising risk. Why destroy your most valuable means to gain better insight?

2. Testing helps detect gaps and deficiencies. In security, we should test all the time. Testing takes on numerous forms – app testing, penetration testing, vulnerability scanning, social engineering testing, and many more. In every case, use the results as inputs into the risk management process.

3. External resources can fill knowledge gaps on existing or emerging risks. Attend conferences and trainings. Read blogs. Network with peers. Engage with independent consultants to gain insight on threats in your industry.

4. Formal assessments can be broad or targeted in nature. Perhaps you want to assess all risks for a particular product line. Or perform a top-to-bottom review of a critical process. Or explore competitive threats in your market. Assessments of this nature require time and coordination, but often yield very actionable results.

In the end, how a risk is identified is largely irrelevant. Awareness, however it arrives, allows you to continue through the process and achieve the correct outcome.

Document

Step 1 is complete. You successfully identified a risk. Next step? Document the risk!

This may seem obvious. Not every model calls this out as a separate ‘step.’ However, with busy teams at busy organizations, documentation can be missed. Risks can be overlooked or forgotten. Stay disciplined.

Risks are usually documented in a risk register or log. A simple spreadsheet can suffice, especially in early stages of maturation.

Advanced tools are available for a cost. They may provide more robust tracking, integration, and analytical capabilities. Be practical though. Tooling alone will not miraculously make you world class at risk management. Ignore the marketing noise. Invest only when convinced of tangible benefit to your program.

Regardless of the tool used, document the following at a minimum:

  • Description of the risk
  • Date identified
  • Input to identify the risk
  • Potential impact of the risk
  • Probability of the risk
  • Overall risk rating
  • Risk owner
  • Mitigation strategy (including tactics)
  • Date remediated
  • Ongoing monitoring plan

Likely, not everything will be known ‘up front.’ That is fine and expected. Update the risk register as you continue through the process.

Assess

Ok – you identified a risk, then documented it. What’s next?

Assessing a risk involves determining its severity. You then assign a score or rating. This allows you to effectively prioritize the risk, and determine the correct next step.

This can be challenging. Risk is a product of likelihood and impact. Measuring each component can be daunting. A risk matrix can help to frame risk. Usually, a risk matrix is represented as a grid, with likelihood on one axis and impact on the other.

Organizations often use Critical, High, Medium, and Low to categorize risks. Some organizations may assign a numerical value with (or instead of) this label. Regardless, a higher risk rating should drive more immediate action.

Ultimately, strive for three things when assessing risk:

  • Accuracy – to focus on the correct risks
  • Speed – to quickly identify critical risks to ensure timely action
  • Repeatability – to ensure the same result or conclusion, regardless of the person executing the assessment process

Assessing risk is complex. For a more detailed review, check out this companion guide: Beginner’s Guide to Assessing Risk.

Mitigate

You successfully assessed a risk. How should you mitigate that risk? Remember, the severity of a risk dictates the urgency of action:

  • Critical risks may require immediate action, perhaps even treated as an incident
  • High risks may be given priority in the next planning cycle
  • Medium or Low risks may be put on a backlog for future prioritization

Mitigation strategies can take on one of several forms:

1. Avoidance intends to eliminate any exposure to the risk. This may involve entirely removing an offending system, process, feature, or product. Or, your organization may decide not to proceed with a particular project or line of business. Avoidance is the most drastic, and often most expensive, mitigation strategy.

2. Reduction or limitation intends to minimize exposure through some intervening action. Often, this involves implementing one or more compensating controls. For example, launching a customer portal on the Internet involves security risk. Bad actors may attempt to compromise the portal and steal customer information. To reduce this risk, you may regularly patch the portal, test it for vulnerabilities, implement multifactor for authentication, and monitor for anomalies. Risk reduction is arguably the most common mitigation strategy, especially in security.

3. Transfer involves handing off risk to a willing (or contracted) third-party. Consider the following example. Your organization wishes to take credit card payments. This incurs PCI compliance risk. If you handle this ‘in-house’, you absorb 100% of the risk. Instead, you may decide to outsource payment processing to a company specializing in that field, thus offloading most of that PCI risk.

4. Acceptance involves taking no action. For many risks, this is warranted. Perhaps the risk severity is too low, or the cost to mitigate too high. The risk may also be irrelevant to your organization or industry. Accepting risk is common, but should be explicitly signed-off by appropriate stakeholders. Document the sign-off and acceptance rationale in the risk register.

Each strategy has its place. Time, cost, and resources are all factors. Be practical and data-driven. Regardless of the strategy you choose, remember to document the strategy, tactics, and ultimate results in the risk register.

Monitor

You successfully mitigated a critical risk – excellent work!

Many organizations stop there. Mature organizations continuously monitor to ensure the risk stays mitigated.

The more severe the risk, the more vital monitoring becomes. Mitigation controls may be removed, either accidentally or maliciously. Controls may be rendered ineffective by some other change – the law of unintended consequences.

Monitoring can take many forms – auditing, testing, or tooling. Automate where possible to make this less arduous and more repeatable. Where warranted, choose a monitoring plan before closing out a risk. Stay vigilant!

Closing Thoughts

Start simple and small with risk management. Do not spend on lavish tooling. Do not create a needlessly complex process. Be practical. Focus on what matters – achieving the correct outcome.

Risk is complex, but the building blocks are straightforward. Get your feet wet. Make mistakes and learn. Refine as you go. Maturation will come.

Remember – risk management exists to help an organization move forward safely. Not to obstruct. Be the partner and helping hand, not the hammer. That will create a culture that embraces the important work performed by risk teams. Best wishes!

© 2024 Aaron Balchunas
Lucid Resource content is free to use and distribute under two conditions:
(1) my name and copyright remain attached, and
(2) this content is not sold or altered without my written permission