Let’s consider what we really know about risk and how to manage it. Yes, books are written solely about risk management. Since this is just a blog post, please don’t consider this the last word on risk—just some (hopefully) helpful insight.
What is risk?
A basic definition of risk: the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.
While we’re at it, here are some other key terms:
- Risk management – A process of proactively identifying issues and assessing their potential likelihood and impact on a business.
- Threat (or threat agent) – Anything (for example, an object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
- Vulnerability – A weakness in the design, implementation, operation, or internal controls in a process that could expose the system to adverse threats from threat events.
- Risk source – The source of the risk, which is usually the source of the threat (for example, insider threat, hacker, human error, natural disaster).
- Risk owner – The owner of the business unit facing the risk who will invest in handling the risk. Evaluating a risk requires the cooperation of the risk owner.
- Risk appetite and risk tolerance – According to Deloitte, risk appetite is “the amount of risk, on a broad level, an entity is willing to accept in pursuit of its strategic objectives.” That’s not quite the same as risk tolerance, which is more granular than risk appetite and represents the level of risk that an organization can accept per individual risk.
OK. First, why manage risk?
If you want to keep a high level of security without managing risks and prioritizing resources, you’ll have to invest everything you have on all assets regardless of their importance to the business. That can be a very expensive proposition and a waste of resources. Some Compliance frameworks define risk management as a mandatory process simply because investing everything everywhere is cleary impossible.
Assessing the level of risk: impact and likelihood
Do the math. Since the definition of risk depends on the likelihood of a bad event and how bad the impact will be, evaluating risk requires quantifying both of those factors and then multiplying the potential impact by the probability of its materializing. So, for a simple example, if a company doesn’t use antivirus protection and, as a result, there is unauthorized access and all systems are suddenly infected by the virus, what impact will that have on the organization? And how likely is this scenario to happen?
Qualitative vs. quantitative analysis. Deciding which method of assessment to use in analyzing risk can make a difference in how accurate the assessment turns out to be. Two of the most-often used methods are qualitative and quantitative analysis. They both have advantages and drawbacks:
- Qualitative analysis. This method is more likely to rely on rough estimations. It’s usually quicker because it doesn’t rely on statistical and numerical data, but if those doing the assessment lack experience or are biased, that can make this method less reliable and more subjective.
- Quantitative analysis. This method uses realistic, measurable data to assess risk. It therefore provides more objective and accurate measurement of the impact and probability of a risk event. One hurdle that can arise, however, is when there is just not enough historical data to assess in the business or, where relevant, in similar companies, the industry, etc. Quantitative analysis generally takes longer and is more complex than qualitative analysis.
Inherent versus residual risk
Since the goal of risk management is to eventually reduce the risk level, we need to consider what effect the controls will have on the risk level. The level of risk before implementing corrective measures is “inherent risk.” The risk level after eliminating risk, mitigating risk, and/or implementing controls is known as “residual risk.” Not all controls are equal: some will dramatically reduce the risk and some will only slightly reduce risk.
Responses to risk
After we’ve calculated risk, how do we respond? There are generally four ways:
- Transfer, and
Let’s discuss these in more detail:
- Acceptance: Risks that can be accepted conform to pre-defined conditions outlined in governance policies, the organization’s ‘risk appetite.’ Accepted, known risks usually require senior management approval. Still, a risk might be at an acceptable level under your company’s policies, but if it turns out that mitigating it makes sense under a cost/benefit analysis, you might choose that route.
- Mitigation: Some risks are “too scary” for our business, and as such, we might prefer to reduce the risk level to an acceptable level (a decision to be made by the risk owner, who is ultimately responsible for both the risk and approving the efforts to reduce it). That “acceptable level” needs to be based on the organization’s risk appetite. This is a common approach. For example, if you’re concerned about the risk of malware, you’ll install anti-malware protection on your company’s computers, if you’ve determined that that’s how to reduce the likelyhood that the event will occur to an acceptable level.
- Transfer: The most common way of transferring risk is buying an insurance policy. If we’re contemplating how to respond to the risk of a cyber attack, and acceptance is not an option, we might take out cyber insurance. While this seems a straightforward approach, it’s become more complicated. Cyber insurance pricing in the U.S. increased an average of 96% in the third quarter of 2021, as compared to the previous year. Deductibles have also risen. In addition, steeper losses have made cyber insurers increasingly selective. While insurance premiums are based on a number of factors, companies that demonstrate they use robust controls to minimize cyber risk are more likely to be offered a policy and to pay lower premiums. So it can make sense to first mitigate a risk and then transfer all or part of the residual risk by purchasing cyber insurance.
- Avoidance: A business can choose not to take advantage of an opportunity that poses a risk, and thus avoid the risk, leaving it with a residual risk of zero. But that’s a response that’s not so easily used in business, if the risk relates to a business process that is a necessary part of business. So, for example, we’re not going to simply tell all our employees to stop using the internet, because while that will eliminate the risk of virus attack, it will eliminate our chance to do business…not a desired outcome. Avoidance is possible if a less-risky alternative is identified. For example, if you’ve been using a vendor, and new information indicates they have poor information security maturity, you can stop using them and replace them with a vendor that has a highly mature information security level. Of course, doing that doesn’t excuse you from assessing whether this latter vendor poses risk, but you’ve avoided the entire risk that the first vendor posed.
A possibly obvious point: Ignoring the risk is not the same as accepting it. The risk owner who wants to keep their job and try to avoid legal action must consciously decide what to do about risk—even if that’s to accept the inherent risk—and be able to explain the reason for the decision.