Risk – exposure to danger or hazard
When reviewing risk we consider the following:
- Inherent risk – i.e. the likelihood of the danger or hazard occurring, and its likely impact, before any controls are applied.
- Residual risk – i.e. the likelihood and impact that remain after you have put sufficient controls in place to mitigate it.
As an organisation we should strive to only have residual risk that is prescribed and clearly defined in our risk appetite statement.
To use a simple analogy of driving a car: there is a very high inherent risk to both the driver and the passengers, but once we place suitable controls in and around the car – i.e. the issuing of a driver’s licence, seat belts, airbags, warning systems, anti-lock brakes, and regular and mandatory servicing – the residual risk is acceptable, hence society's acceptance of being on the roads every day.
Known risks need to be clearly identified, defined and appropriately managed with controls. Unknown risks are obviously harder, as they are by definition unknown, but mitigating controls can still be put in place for risk themes and trends.
If an event has no impact or consequences, then simply put there is no risk.
When we review risk in the realm of cyber security, we delve into the classification of assets according to their importance to the business. Business value is a critical part of asset and risk mapping. These assets can be:
- Physical assets (Servers, Real Estate)
- Software assets (Software applications)
- Information assets (PII, Credit card information)
Asset classification is the first step to risk identification. It is prudent to focus resources on critical assets and risks, so that an effective control mechanism can be applied.
An organisation's risk landscape is constantly evolving; therefore risk appetite statements, and the understanding of the landscape, need to be regularly reviewed.
Implementation is imperative, and the three lines of defence model is the most common approach:
- Line 1 (The business teams)
- Line 2 (Internal risk teams)
- Line 3 (External audit)
Management must always be kept up to date on their risk posture via robust risk reporting (the probability of an event and its business impact). This information supports management in their decision-making process.
Once a risk has been identified, analysed and evaluated against the impact criteria, the options for treating it must be considered.
The choices include:
- Accept the risk
- Transfer the risk
- Stop the activity creating the risk
- Mitigate the risk
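The following is an added worked example, not part of the original page: a minimal risk-register evaluator that scores inherent and residual risk, checks any "accept" decision against a risk appetite threshold, and sorts the register for management reporting. The scoring scheme (likelihood and impact on a 1..5 scale, score = likelihood × impact, each control removing a fixed number of points) and the sample assets and controls are constructed assumptions; an organisation would substitute its own scales and appetite statement.

```python
"""Minimal risk-register evaluator (added example; not from the original page).

Constructed assumptions (not from the page):
- likelihood is scored 1..5 and impact 0..5; risk score = likelihood * impact
- each control removes a fixed number of points from likelihood and/or impact
- the risk appetite is the maximum residual score a risk owner may 'accept'
"""
from dataclasses import dataclass, field

# The four treatment options from the text
TREATMENTS = {"accept", "transfer", "stop", "mitigate"}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    asset_class: str            # "physical", "software" or "information"
    description: str
    likelihood: int             # 1..5 before controls
    impact: int                 # 0..5 before controls (0 = no consequence)
    treatment: str              # one of TREATMENTS, chosen by the risk owner
    controls: list = field(default_factory=list)


def inherent_score(risk):
    """Risk score before any controls are considered."""
    return risk.likelihood * risk.impact


def residual_factors(risk):
    """Likelihood and impact that remain once the listed controls are applied."""
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = max(0, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return lik, imp


def residual_score(risk):
    lik, imp = residual_factors(risk)
    return lik * imp


def evaluate_register(risks, appetite):
    """One report row per risk, highest residual first, flagging appetite breaches."""
    rows = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"{r.asset}: unknown treatment {r.treatment!r}")
        inherent, residual = inherent_score(r), residual_score(r)
        rows.append({
            "asset": r.asset,
            "class": r.asset_class,
            "inherent": inherent,
            "residual": residual,
            "treatment": r.treatment,
            # An event with no impact is no risk at all, so it can never breach appetite;
            # otherwise an 'accept' decision above the appetite threshold is a breach.
            "breach": r.impact > 0 and r.treatment == "accept" and residual > appetite,
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def breaches(rows):
    """Assets whose accepted residual risk exceeds the appetite."""
    return [row["asset"] for row in rows if row["breach"]]


# Constructed sample register (hypothetical assets and controls)
SAMPLE_RISKS = [
    Risk("card-db", "information", "Cardholder data exfiltration",
         likelihood=4, impact=5, treatment="accept",
         controls=[Control("tokenisation", impact_reduction=3),
                   Control("network segmentation", likelihood_reduction=2)]),
    Risk("legacy-crm", "software", "Unpatched internet-facing application",
         likelihood=5, impact=4, treatment="accept",
         controls=[Control("web application firewall", likelihood_reduction=1)]),
    Risk("dc-1", "physical", "Flooding of server room",
         likelihood=2, impact=4, treatment="transfer",
         controls=[Control("insurance", impact_reduction=2)]),
    Risk("public-site", "software", "Defacement of brochure site",
         likelihood=3, impact=0, treatment="accept"),
]

if __name__ == "__main__":
    APPETITE = 6  # constructed appetite threshold
    report = evaluate_register(SAMPLE_RISKS, APPETITE)
    for row in report:
        flag = "  <-- exceeds appetite" if row["breach"] else ""
        print(f"{row['asset']:<12} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} treatment={row['treatment']}{flag}")
    print("appetite breaches:", breaches(report))
```

With the constructed data, "card-db" has an inherent score of 20 but a residual of 4 once tokenisation and segmentation are credited, so accepting it is within appetite; "legacy-crm" keeps a residual of 16 with only a firewall in front of it, so its "accept" decision is flagged for management, which is exactly the kind of exception the risk appetite statement is meant to surface.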
Finally, once a risk materialises it becomes an event. The event is then either dealt with in isolation or subjected to root cause analysis, which defines the overarching issue. Both events and issues should be managed and remediated in a timely manner to ensure business continuity.
Keep reading to understand – Defining and categorising risk.