Let’s talk about herbs for a moment.
To be more specific, let's talk about that flat bright green leaf, parsley. (No, you’re not in the wrong place, stick with it for like, four lines.) Parsley is ubiquitous. Throw it in a salad for perked-up flavor; mince it up for a vibrant chimichurri dip. Use it as a super-effective breath freshener. This culinary classic goes with just about any dish and can be found just about everywhere.
Now let’s talk about risk (perhaps for more than just a moment). Risk is a lot like parsley. It shows up everywhere.
And not just in Compliance, or business, but in life. Think about crossing the street when the light’s been green for a while. Our minds have assessed the risk in milliseconds: i.e., what is the likelihood it’ll turn red before you reach the curb and what are the chances a driver will refuse to stop? And business is nothing but risks: big and small, smart and dangerous, necessary and foolish, expected and not.
Let’s consider what we really know about risk and how to manage it. Yes, books are written solely about risk management. Since this is just a blog post, please don’t consider this the last word on risk—just some (hopefully) helpful insight.
While we’re at it, here are some other key terms:
If you want to keep a high level of security without managing risks and prioritizing resources, you’ll have to invest everything you have on all assets regardless of their importance to the business. That can be a very expensive proposition and a waste of resources. Some Compliance frameworks define risk management as a mandatory process simply because investing everything everywhere is clearly impossible.
Do the math. Since the definition of risk depends on the likelihood of a bad event and how bad the impact will be, evaluating risk requires quantifying both of those factors and then multiplying the potential impact by the probability of its materializing. So, for a simple example, if a company doesn’t use antivirus protection and, as a result, there is unauthorized access and all systems are suddenly infected by the virus, what impact will that have on the organization? And how likely is this scenario to happen?
Qualitative vs. quantitative analysis. Deciding which method of assessment to use in analyzing risk can make a difference in how accurate the assessment turns out to be. Two of the most often used methods are qualitative and quantitative analysis. They both have advantages and drawbacks:
Since the goal of risk management is to eventually reduce the risk level, we need to consider what effect the controls will have on the risk level. The level of risk before implementing corrective measures is “inherent risk.” The risk level after eliminating risk, mitigating risk, and/or implementing controls is known as “residual risk.” Not all controls are equal: some will dramatically reduce the risk and some will only slightly reduce risk.
After we’ve calculated risk, how do we respond? There are generally four ways:
Let’s discuss these in more detail:
A possibly obvious point: Ignoring the risk is not the same as accepting it. The risk owner who wants to keep their job and try to avoid legal action must consciously decide what to do about risk—even if that’s to accept the inherent risk—and be able to explain the reason for the decision.
The controls assigned to reduce the risk level from inherent to residual are assumed to effectively reduce the risk. But as noted earlier, some controls are automated and others may be manual. How can we always be sure the risk level remains in the green zone identified as acceptable? By linking risks to controls. When you link risks to controls you already automate, you can achieve a smart view of how controls affect the risk level, and quickly respond to cases where the effectiveness of those controls is impacted. The goal: keeping the residual risk level as close as possible to your target level, which, in turn, means avoiding the rise of risks and damage to your business.
Of course, linking risks to controls doesn’t replace the entire array of information security activities you do. Instead, it gives you another benefit from the Compliance program you already maintain.
Though it seems like risk management is a process that requires a lot of effort (and it does, to some extent), the outcome is improved security. Doing it only for the audit, though, will help with just the audit without providing any further benefit. So if you’re doing risk management anyway, you might find it makes sense to spend an additional, incremental amount of resources to channel the work into enhancing your company’s security posture and improving the maturity level of your business. This means determining your organization’s risk appetite, discussing the risks with relevant stakeholders, considering a variety of types of controls, understanding the impact of implementing each of the controls on the risk, and deciding on the approach.
So remember the parsley from 15 minutes ago? It’s still there, and so is your risk – neither one ever just magically disappears (or is accepted, avoided, or transferred, you get the joke) on its own. But by taking the time to truly understand your risk posture, you can take your Compliance maturity to the next level.