Risk Management Series – Part 2 of 4
Welcome to the second in a four-part series of articles about risk management. You can read the first article here. This article will cover:
- What to look for in a risk practitioner;
- The concepts of risk appetite and risk tolerance; and
- Set the stage for the third article by briefly explaining why it’s important to establish good risk governance.
The Effective Risk Practitioner
Every business leader has at one point experienced a (hopefully less extreme!) situation similar to the above comic… an auditor, information security professional, or risk practitioner prescribing a security control that will have a negative impact on business operations. Whether you’re looking to hire a risk practitioner for your organization or ensure that the one you have has the correct approach to risk management, it’s important to look at three things: experience, attitude, and credentials.
An effective risk practitioner isn’t created in a vacuum – it takes experience to develop the attitude and knowledge necessary to succeed. Many controls are technical in nature, so having a risk practitioner with technical experience can be of great benefit – especially if that experience is in foundational IT areas like networking or programming. An understanding of these fundamental concepts is required to grasp more complicated topics like cloud computing and service oriented architecture. Being able to understand any given control at a deep technical level is not strictly required to be effective, but it can help a risk practitioner better assess risk when dealing with today’s complex enterprise information systems. That said, it’s equally important for risk practitioners to develop a keen understanding of business processes, something often best accomplished by frontline operations experience.
An effective risk practitioner can demonstrate his or her understanding that risk management activities must align with the business (and not the other way around). The goal of risk management is not to eliminate all risk. Rather, it is to enable the organization to make risk-aware decisions. After all, a business must be able to function in order to remain in existence. Risk practitioners (and information security officers, and compliance managers) must remember that even achieving or maintaining compliance with applicable laws, standards, regulations, and/or client requirements is a risk decision where the cost of implementing compliance controls is measured against the risk of not complying.
There are several good certifications related to risk management. They all require a certain amount of professional experience, and they all test for both the proper attitude towards risk management as well as for a baseline level of knowledge. Below are two of the more popular risk management certifications:
- ISACA’s Certified in Risk and Information Systems Control (CRISC). This certification focuses on risk related to information systems. It requires at least three years of relevant experience and covers four domains: IT Risk Identification, IT Risk Assessment, Risk Response and Mitigation, and Risk and Control Monitoring and Reporting.
- RIMS’ Certified Risk Management Professional (CRMP). This certification is not focused on information systems and offers a more broad set of domains: Analyzing the Business Model, Designing Organizational Risk Strategies, Implementing the Risk Process, Developing Organizational Risk Competency, and Supporting Decision Making. It requires either a degree and 1-3 years of risk management experience, or 7 years of risk management experience without a degree.
Risk Appetite and Risk Tolerance
ISACA’s glossary defines risk appetite as “The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.” It defines risk tolerance as “The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.” In other words, risk tolerance typically applies to individual risks while risk appetite is more broad in scope and often encompasses the entire organization. These terms are not easily quantified, so an effective risk practitioner must be able to develop an understanding of what the organization’s risk appetite and risk tolerance are.
The next article will discuss the importance of a well-governed risk management program in more detail, but I want to reinforce the notion that an effective risk practitioner must be able to help an organization inject risk management principles into daily business operations. Bruce Schneier once stated that “Security is a process”; it should also be said that managing risk is a process.
Governance refers to the actions, processes, traditions and institutions by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks. - International Risk Governance Council
Among other things, organizations that maintain a mature, well-governed risk management program may be better positioned to:
- Identify emerging threats and proactively address the risks associated with them;
- Utilize key performance indicators and key risk indicators to identify issues that, left unchecked, might exceed the organization’s risk appetite; and
- Effectively use ‘lessons learned’ from past risk events to prevent reoccurrences.
Stay tuned for the next article in the series, which will discuss how to ensure that risk management activities are ingrained into everyday business operations and an effective risk awareness program is implemented enterprise-wide.