Risk Management Series – Part 1 of 4
Welcome to the first in a four-part series of articles about risk management. This article sets the foundation for those that follow by highlighting three common challenges organizations run into with regard to risk management. The subsequent three articles will explore each challenge in more detail and include specific recommendations you can take back to your organization for improvement.
Challenge #1: Security at all Costs
As with information security auditors, a common tongue-in-cheek criticism of risk practitioners is that they sometimes seem to believe their role is to make the business so secure that it can’t adequately function. Whether or not this is warranted, it’s important for executive management to ensure that the person driving their enterprise risk framework aligns risk management activities with the organization’s risk appetite, and not the other way around.
Challenge #2: Check the Box and See You Next Year
Many organizations conduct an annual risk assessment because they’re required to by a regulation, a standard, a client, or shareholders. This annual risk assessment might result in a spreadsheet or report that lists identified risks and management’s response to them. The risk management activities typically end there (at least until the next annual risk assessment is due). However, unless risk management activities are ingrained into everyday business operations and an effective risk awareness program is implemented enterprise-wide, organizations are at greater risk (ha!) of harm.
Challenge #3: ‘Mutton yesterday, mutton today, and blimey, if it don’t look like mutton again tomorrer’
Many cybersecurity audits focus primarily (or exclusively) on IT. It’s typically the IT Director and their staff who sit with the auditors and provide evidence of in-place controls. There may be an interview here and there with the HR Manager and some folks in operations, but the fact remains that many information security controls are technical in nature, and risk assessments tend to follow the same IT-centric path. However, it’s important that executive management empower the risk practitioner to operate a truly enterprise-wide risk management framework that brings non-IT functions and business processes under the risk management umbrella.
Stay tuned next week for the next article in the series, which will discuss what to look for in a risk practitioner, explore the concepts of risk appetite and risk tolerance, and explain why it’s important to establish good risk governance.