Risks are Everywhere - How to Respond and Manage Them

Let’s talk about herbs for a moment.

To be more specific, let's talk about that flat bright green leaf, parsley. (No, you’re not in the wrong place, stick with it for like, four lines.) Parsley is ubiquitous. Throw it in a salad for perked-up flavor; Mince it up for a vibrant Chimichuri dip. Use it as a super-effective breath freshener. This culinary classic goes with just about any dish and can be found just about everywhwere.

Now let’s talk about risk (perhaps for more than just a moment). Risk is a lot like parsley. It shows up everywhere.

And not just in Compliance, or business, but in life. Think about crossing the street when the light’s been green for a while. Our minds have assessed the risk in milliseconds: i.e., what is the likelihood it’ll turn red before you reach the curb and what are the chances a driver will refuse to stop? And business is nothing but risks: big and small, smart and dangerous, necessary and foolish, expected and not.

Let’s consider what we really know about risk and how to manage it. Yes, books are written solely about risk management. Since this is just a blog post, please don’t consider this the last word on risk—just some (hopefully) helpful insight.

What is risk?

A basic definition of risk: the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.

While we’re at it, here are some other key terms:

• Risk management - A process of proactively identifying issues and assessing their potential likelihood and impact on a business.
• Threat (or threat agent) - Anything (for example, an object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
• Vulnerability - A weakness in the design, implementation, operation, or internal controls in a process that could expose the system to adverse threats from threat events.
• Risk source - The source of the risk, which is usually the source of the threat (for example, insider threat, hacker, human error, natural disaster).
• Risk owner - The owner of the business unit facing the risk who will invest in handling the risk. Evaluating a risk requires the cooperation of the risk owner.
• Risk appetite and risk tolerance - According to Deloitte, risk appetite is “the amount of risk, on a broad level, an entity is willing to accept in pursuit of its strategic objectives.” That’s not quite the same as risk tolerance, which is more granular than risk appetite and represents the level of risk that an organization can accept per individual risk.

OK. First, why manage risk?

If you want to keep a high level of security without managing risks and prioritizing resources, you’ll have to invest everything you have on all assets regardless of their importance to the business. That can be a very expensive proposition and a waste of resources. Some Compliance frameworks define risk management as a mandatory process simply because investing everything everywhere is cleary impossible.

Assessing the level of risk: impact and likelihood

Do the math. Since the definition of risk depends on the likelihood of a bad event and how bad the impact will be, evaluating risk requires quantifying both of those factors and then multiplying the potential impact by the probability of its materializing. So, for a simple example, if a company doesn’t use antivirus protection and, as a result, there is unauthorized access and all systems are suddenly infected by the virus, what impact will that have on the organization? And how likely is this scenario to happen?

Qualitative vs. quantitative analysis. Deciding which method of assessment to use in analyzing risk can make a difference in how accurate the assessment turns out to be. Two of the most-often used methods are qualitative and quantitative analysis. They both have advantages and drawbacks:

• Qualitative analysis. This method is more likely to rely on rough estimations. It’s usually quicker because it doesn’t rely on statistical and numerical data, but if those doing the assessment lack experience or are biased, that can make this method less reliable and more subjective.

• Quantitative analysis. This method uses realistic, measurable data to assess risk. It therefore provides more objective and accurate measurement of the impact and probability of a risk event. One hurdle that can arise, however, is when there is just not enough historical data to assess in the business or, where relevant, in similar companies, the industry, etc. Quantitative analysis generally takes longer and is more complex than qualitative analysis.

Inherent versus residual risk

Since the goal of risk management is to eventually reduce the risk level, we need to consider what effect the controls will have on the risk level. The level of risk before implementing corrective measures is “inherent risk.” The risk level after eliminating risk, mitigating risk, and/or implementing controls is known as “residual risk.” Not all controls are equal: some will dramatically reduce the risk and some will only slightly reduce risk.

Responses to risk

After we’ve calculated risk, how do we respond? There are generally four ways:

• Acceptance
• Mitigation
• Transfer, and
• Avoidance

Let’s discuss these in more detail:

1. Acceptance: Risks that can be accepted conform to pre-defined conditions outlined in governance policies, the organization's 'risk appetite.' Accepted, known risks usually require senior management approval. Still, a risk might be at an acceptable level under your company’s policies, but if it turns out that mitigating it makes sense under a cost/benefit analysis, you might choose that route.

2. Mitigation: Some risks are “too scary” for our business, and as such, we might prefer to reduce the risk level to an acceptable level (a decision to be made by the risk owner, who is ultimately responsible for both the risk and approving the efforts to reduce it). That “acceptable level” needs to be based on the organization’s risk appetite. This is a common approach. For example, if you're concerned about the risk of malware, you'll install anti-malware protection on your company’s computers, if you've determined that that’s how to reduce the likelyhood that the event will occur to an acceptable level.

3. Transfer: The most common way of transferring risk is buying an insurance policy. If we’re contemplating how to respond to the risk of a cyber attack, and acceptance is not an option, we might take out cyber insurance. While this seems a straightforward approach, it’s become more complicated. Cyber insurance pricing in the U.S. increased an average of 96% in the third quarter of 2021, as compared to the previous year. Deductibles have also risen. In addition, steeper losses have made cyber insurers increasingly selective. While insurance premiums are based on a number of factors, companies that demonstrate they use robust controls to minimize cyber risk are more likely to be offered a policy and to pay lower premiums. So it can make sense to first mitigate a risk and then transfer all or part of the residual risk by purchasing cyber insurance.

4. Avoidance: A business can choose not to take advantage of an opportunity that poses a risk, and thus avoid the risk, leaving it with a residual risk of zero. But that’s a response that’s not so easily used in business, if the risk relates to a business process that is a necessary part of business. So, for example, we’re not going to simply tell all our employees to stop using the internet, because while that will eliminate the risk of virus attack, it will eliminate our chance to do business…not a desired outcome. Avoidance is possible if a less-risky alternative is identified. For example, if you've been using a vendor, and new information indicates they have poor information security maturity, you can stop using them and replace them with a vendor that has a highly mature information security level. Of course, doing that doesn’t excuse you from assessing whether this latter vendor poses risk, but you've avoided the entire risk that the first vendor posed.

A possibly obvious point: Ignoring the risk is not the same as accepting it. The risk owner who wants to keep their job and try to avoid legal action must consciously decide what to do about risk—even if that’s to accept the inherent risk—and be able to explain the reason for the decision.

Why it’s smart to link risks to controls

The controls assigned to reduce the risk level from inherent to residual are assumed to effectively reduce the risk. But as noted earlier, some controls are automated and others may be manual. How can we always be sure the risk level remains in the green zone identified as acceptable? By linking risks to controls. When you link risks to controls you already automate, you can achieve a smart view of how controls affect the risk level, and quickly respond to cases where the effectiveness of those controls is impacted. The goal: keeping the residual risk level as close as possible to your target level, which, in turn, means avoiding the rise of risks and damage to your business.

Of course, linking risks to controls doesn’t replace the entire array of information security activities you do. Instead, it gives you another benefit from the Compliance program you already maintain.

Managing risk: Are you aiming to pass the audit? Or aiming higher?

Though it seems like risk management is a process that requires a lot of effort (and it does, to some extent), the outcome is improved security. Doing it only for the audit, though, will help with just the audit without providing any further benefit. So if you’re doing risk management anyway, you might find it makes sense to spend an additional, incremental amount of resources to channel the work into enhancing your company’s security posture and improving the maturity level of your business. This means determining your organization’s risk appetite, discussing the risks with relevant stakeholders, considering a variety of types of controls, understanding the impact of implementing each of the controls on the risk, and deciding on the approach.

So remember the parsley from 15 minutes ago? It’s still there, and so is your risk – neither one ever just magically disappears (or is accepted, avoided, or transferred, you get the joke) on its own. But by taking the time to truly understand your risk posture, you can take your Compliance maturity to the next level.