So, your security team or risk management consultants have finalized your risk assessment report, calling out risks and opportunities the organization faces.
The report could be aligned with one of a dozen frameworks, including NIST 800-30, ISO 27005, or HIPAA, yet the next steps are still the same.
Your company needs to decide how they want to treat, document, and revisit the identified risks.
Note: If you are looking for guidance on how to treat risks, and the options for doing so, Kendall Morris’s blog post does a great job breaking that down here. This article is focused on what you, as a risk manager or member of a risk governance body, should be aware of and be doing.
Step 1: Management Review
Although this may have been done as part of finalizing the risk assessment report, management should review the risks again once the assessment process has concluded. A good candidate for this review is your company’s version of the Information Risk Council (IRC).
Here are some key things to do during this review:
- Make sure that leadership understands the risks as written and is committed to treating the risks – which may mean accepting the risks as is or taking steps to reduce the impact and/or likelihood of the risks.
- Establish clear ownership for each risk. Ultimately, independent of how your organization decides to treat risk, each risk should have a defined owner responsible for executing the treatment plan. For example, the risk of key employee turnover should more than likely be owned by the Chief People Officer or equivalent. They can delegate aspects of the risk treatment, but the owner is ultimately responsible for that risk.
- Risks should be scored in alignment with your Risk Management Policy. If you do not have one, this is a good point to develop one. If you are not sure where to start, let us know and we can help you build a right-sized solution for your organization.
Step 2: Documenting Risks
Ideally, as part of the Step 1 exercise, you have documented ownership, risk treatment plans, and risk scores in a central location such as the Phalanx Risk Register. This empowers your management team to evaluate risk trends, the volume of risks, and remediation efforts over time.
Here are some things to consider when developing your risk register:
- Documenting the risk itself, including details such as the finding, the associated risk, and some treatment options. It is also good practice to record the date the risk was identified.
- Documenting risk scores, ownership, treatment plans, and due dates/milestones.
- Tracking treatment over time. Establishing an agreed-upon method for tracking milestones and treatment completion helps with this. This may be done within your risk register, or via a linked ticket.
Step 3: Risk Treatment
If you have gone through Steps 1 & 2, a treatment plan should have been established for each risk. If you have chosen to accept a risk, documenting the reasons and governance approval should suffice.
If you decide to treat the risk in another manner, ensure that you have a documented approach with the appropriate sign-off from the risk owner and Information Risk Council.
Risk treatment plans should have a due date and milestones to ensure that the treatment plan is executed in a timely manner. If due dates slip or need to be adjusted, the reason and new dates should be documented within the risk register and any linked tickets.
Step 4: Periodic Review
Reviewing risks periodically is vital to ensuring that the organization’s risk appetite is aligned with the current risk profile.
This should be done as a part of an established cadence, such as quarterly IRC meetings, and when there are major organizational or market changes. Risk owners should ensure the risk register is updated prior to each of these meetings and be prepared to speak to each risk in its current state.
Here are some useful questions to ask during the review process:
- Is there a pattern to – or similar root cause of – risks over time?
- Are risk scores dropping over time as the security program matures?
- Do risk scores need to be adjusted based on organizational, market, or threat changes? A threat change could be as simple as organizational changes that raise your visibility and attractiveness to malicious actors.
- Are the expected high-risk areas sufficiently represented? If not, this may call for a review of risk assessment methodology, or even a more targeted risk assessment.
Kicking off the risk management process is not always easy, especially if the risk assessment is the result of a compliance exercise. However, it is a valuable practice that ensures your company’s risk appetite is aligned with its risk profile.
The above steps will give you a good jumping-off point to turn your risk assessment into a real benefit to your company’s overall security posture.