A traditional approach to risk management sees the board or risk committee define the key risks that threaten the non-achievement of their strategic objectives. This typically results in a list of ten to twenty very high-level risks such as loss of brand reputation or non-compliance with applicable regulations.
This top-level list needs to be ‘unpacked’ or subdivided into the more tangible risks that might contribute to them. There are a number of ways in which this might take place, but it typically results in the management of risks being delegated (by department, operational unit, etc.) to risk owners, who will be expected to quantify and manage, through relevant responses, a subset of risks.
An organisation’s responses to a risk can take various forms. A specific risk might be managed through the implementation of controls, for example, or there might be an option to take out insurance against it occurring. In some cases it may be acknowledged that a risk exists but accepted that it is unavoidable, or that the likelihood of it occurring is minimal; ‘do nothing’ is always a legitimate option.
Limitations of traditional risk management
Reporting is one of the biggest challenges in the risk management function, which will typically spend a lot of time gathering relevant information to provide a view to the committee and the board. Often this will be based on self-assessments – surveys sent to risk owners in the business asking them to provide information about the measures they have taken to respond to known risks and how effective these have been. In my view this is a key point of failure for most risk management functions.
A key principle of an effective risk management framework is a consistent taxonomy – a harmonised view of how to categorise and quantify risk across the organisation is critical if this information is to be rolled up to give an organisation-wide view of the issue. However, if the material collected is primarily self-assessment data, then even with a consistent taxonomy, risk reporting is very much at the mercy of individual risk managers and their willingness to be candid in their assessments; there is a very real likelihood that they will either gloss over or under-report risk.
In addition, risk management functions will often spend a significant proportion of their time collecting data from risk owners and consolidating and massaging it into reports for the board. Put simply, risk management teams are often reporting on risk but not actively managing it.
How can information security professionals help to resolve these issues?
Collecting and reporting on risk from a spreadsheet still happens in many organisations, but the tools available to facilitate the gathering of information and the automation of reporting in a consistent and repeatable format have advanced significantly in recent years. Their implementation can free up risk management functions to spend more time actively managing risk within the business.
These tools can also be used to enrich risk reporting with facts surfaced from multiple data sources throughout the organisation. Building in feeds such as controls performance or risk remediation status can remove the dependency on self-assessment and augment board reporting with key risk indicators that are not subject to a human filter.
Cybersecurity and information security risks are high on the agenda for most boards today. Professionals in this area are able to provide information about their activities to the risk management function, and ultimately to the board, through risk reporting.
Integrated risk management
To illustrate this with an example: in a traditional, siloed approach, a risk owner completing a self-assessment questionnaire distributed by the risk management team might confirm that threat detection activity is undertaken to identify external attacks on the organisation’s IT networks. The information provided might include a description of the activity, perhaps with an evaluation of how much this reduces the risk and some metrics, although these probably won’t be given a great deal of context. Crucially, it is unlikely that the risk owner will volunteer any more detail than is requested, unless something fundamental has changed in the processes operated for threat detection.
Using the same example in an integrated risk management scenario, the self-assessment element might be bypassed entirely, instead using risk management technology to generate analytics about cybersecurity risks. These analytics might be displayed in the context of data from previous months to illustrate trends and to highlight when the risk of an IT security breach might be increasing because the number of identified attacks is rising. There is also the potential to combine threat-monitoring analytics with other related data, such as the completion of software patching, to give additional context to the overall management of cybersecurity risk.
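As an added illustration (not code from the original article or any particular risk management product), the following derives a key risk indicator for the ‘IT security breach’ risk directly from two constructed data feeds, monthly attack counts from threat detection and monthly patch completion rates, comparing each month against the preceding ones so that a rising trend is flagged without a questionnaire. The feed values, thresholds and rating labels are assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed monthly feeds for one risk ("IT security breach"): attack counts
# from threat detection and patch completion from the patching process.
# These are illustrative values, not real data.
ATTACKS_DETECTED = {"2023-01": 40, "2023-02": 44, "2023-03": 52, "2023-04": 71}
PATCH_COMPLETION = {"2023-01": 0.93, "2023-02": 0.90, "2023-03": 0.82, "2023-04": 0.78}


@dataclass
class KeyRiskIndicator:
    month: str
    attacks: int
    attack_change: float    # change vs the mean of prior months, as a ratio
    patch_completion: float
    rating: str             # "stable", "elevated" or "increasing"


def rate_month(months: list, attacks: dict, patching: dict, current: str,
               attack_threshold: float = 0.25, patch_floor: float = 0.85) -> KeyRiskIndicator:
    """Derive the KRI for `current` from the feeds rather than a self-assessment.

    Thresholds are assumed: attacks up 25%+ on the prior-month average, or
    patch completion below 85%, each count as a warning sign; both together escalate.
    """
    prior = [attacks[m] for m in months if m < current]
    baseline = mean(prior) if prior else attacks[current]   # first month has no history
    change = (attacks[current] - baseline) / baseline if baseline else 0.0
    patch = patching[current]
    attacks_up = change >= attack_threshold
    patching_low = patch < patch_floor
    if attacks_up and patching_low:
        rating = "increasing"   # more attacks and weaker patching: escalate to the board
    elif attacks_up or patching_low:
        rating = "elevated"
    else:
        rating = "stable"
    return KeyRiskIndicator(current, attacks[current], round(change, 2), patch, rating)


def build_report(attacks: dict, patching: dict) -> list:
    """Rate every month in chronological order so the trend is visible in the report."""
    months = sorted(attacks)
    return [rate_month(months, attacks, patching, m) for m in months]


if __name__ == "__main__":
    for kri in build_report(ATTACKS_DETECTED, PATCH_COMPLETION):
        print(f"{kri.month}: attacks={kri.attacks:3d} ({kri.attack_change:+.0%} vs baseline) "
              f"patching={kri.patch_completion:.0%} -> {kri.rating}")
```

The same structure applies to any pair of control-performance and threat feeds; the point is that the rating is computed from the data, so the report cannot be softened by the risk owner.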
Information security professionals occupy a unique position in the enterprise: they have responsibility for a number of key IT-related risks, combined with the IT literacy to understand how those risks can be managed with technology. Organisations’ increasing adoption of these tools provides the ideal opportunity for the IS team to demonstrate to the board the work they do to support the risk management function (through the effective deployment of these technologies), and therefore the critical role they play in protecting the business from information security threats.