Understand the business context
Taking risks is a necessary part of doing business in order to create opportunities and help deliver business objectives. Organisations should always be aware of the risks they are taking to achieve their aims.
To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment are conducted. This context can be set by answering the following questions:
Those responsible for making risk management decisions should contribute to, and agree with, the formulation of this context.
Decide on the risk management approach
Before taking any action, the organisation must understand and communicate the risk management approach the business is going to take to provide confidence that the technology and information it uses are secure enough. This is an important business decision because the security of the organisation and its assets depends on it.
Risk assessment and other risk management activities require technical, security and business skills, knowledge and resources. Choosing the wrong approach could be costly, both in wasted resources and in security compromise.
Organisations have a number of choices available to them to manage risks that have been identified. They can choose to avoid, accept, transfer or treat the risks to their business. If an organisation has decided to manage the risks it faces through treatment using security controls, then three potential approaches are briefly outlined below:
1. Rely on the security provided by commercial products and services
In this approach, the organisation relies on the security provided by a commercial product or service, without conducting further security analysis. If the organisation adopts this approach, then there is no need to conduct customised technology and information risk assessments to help specify additional security controls. However, the organisation must accept that:
From a security perspective, this approach does not mean ‘do nothing’. Organisations that choose to take this approach still need to:
Adopting this approach is dependent on having effective and appropriate commercial contracts and agreements in place. It should not be assumed that suppliers’ own standard commercial terms of business will provide an adequate basis for relying on the security provided by any product or service.
Organisations should also note that without risk assessment, the business will have no understanding of the technical and information risks it faces. This could result in a lack of security where it is needed, or the application of security where it is not needed, resulting in security compromise or unnecessary costs.
2. Apply common solutions to solve common problems
In this approach, the organisation applies the security provided by common security solutions to solve common technology problems. It only carries out tailored risk assessments (or specifies additional security controls) for those business objectives that are not entirely covered by the common solution.
This is illustrated in the diagram below:
Some examples of common solutions to common problems include:
If the organisation decides that its business objectives are not entirely covered by the risk assessment for a common solution, the next step is to understand where the differences lie. For example, is there a unique threat or unique asset to be considered? Once these differences have been understood, then this can be used to form the basis of a more tailored risk assessment activity to specify additional security controls.
3. Carry out risk assessments to specify security controls
In this approach, the organisation chooses an appropriate risk assessment method and makes informed risk management decisions about what security controls it will implement. When making these decisions, the business may choose to:
Decisions will be informed by what the organisation is, and what it is trying to achieve. Some organisations in certain sectors may need to demonstrate that they have applied security controls to comply with standards or a sector-specific regulatory requirement. For example:
The examples above should not be viewed as an exhaustive list of recommended control sets, as there are many to choose from. Some organisations may need to use a combination of control sets. Irrespective of the method, standard or framework used to make security control choices, decisions must be informed by and traceable to realistic risks affecting something that the organisation is actually doing.
Choose a risk assessment method that is right for the business
There are many methods for conducting risk assessments, and numerous tools to support them. Most risk assessment methods can be aligned to the approaches described in the ISO 31000 and ISO 27000 series of International Standards which seek to identify, analyse and evaluate risks. The method to be adopted should be appropriate for the organisation, so this is ultimately a business decision. It should be scaled to support whatever delivery model is being used and tailored as necessary to suit the needs of the business and the target audience.
When choosing a risk assessment method, the organisation is likely to need to answer the following questions:
We have provided a summary of common risk methods and frameworks. Further information on the limitations of risk management methods and frameworks can be found in our critical appraisal of risk methods and frameworks.
Understand the components that cause a risk to exist
Risk assessments have inputs and outputs. The most common inputs considered in a risk assessment are threat, vulnerability and impact. Risk is normally realised as a consequence of these inputs, although some risk assessment approaches will include other inputs (such as likelihood and asset value).
Regardless of the risk assessment method used, any inputs and outputs should be understandable and meaningful in the context of the business and what it is trying to achieve.
Threat
Threat describes the source of a risk being realised. Threats to systems and services include people who would seek to do the business harm through technology, and undesirable events such as environmental disasters and accidents. Some of the threats that an organisation may face are beyond its control; in those cases it can only use threat-related knowledge to aid risk prioritisation.
Modelling threats can be a useful way of helping to understand what threats should be considered and how they may affect individual assets, the organisation, and what it is doing. Where threats are people, organisations should consider the motives that drive individuals to launch an attack, as well as their opportunities and capabilities to do so.
To achieve consistency between different risk assessments within the same organisation, the business should establish organisation-wide (or business area specific) 'threat assessment baselines', and use them as input to all risk assessments. These baselines will need to be amended if the threat landscape changes, or if something significant changes within the organisation.
Vulnerability
Vulnerability is a weakness which can be exploited by a threat to deliver an impact. A system or service could be compromised through the exploitation of vulnerabilities in people, places, processes or technology.
When assessing their risks, organisations should ensure that they have a clear and realistic understanding of where and how their systems and services are vulnerable. Whilst organisations can’t control the threats they face, they can reduce their vulnerabilities.
Impact
Impact describes the consequences of a risk being realised. To allow risk evaluation and prioritisation, impact should specify the negative effect that a risk’s realisation would entail.
This should include expected losses (eg financial and reputation losses) as well as business objectives which would not be achievable as a result of the impact. Organisations can exercise control over the negative impact that realisation of a risk would have, and should plan for this to happen.
Other inputs
Some risk assessment methods also consider likelihood and asset values as components of risk and inputs to assessments.
Likelihood estimates how likely it is that a threat will occur. It can be captured by examining historical records of compromises to estimate how far history will repeat itself. Some methods draw on likelihood to help determine vulnerability. Note that metrics of past occurrences are not necessarily a useful indicator of what will happen in the future.
Asset values are used to provide an understanding of what systems, services, information or other assets the organisation really cares about. This insight will provide organisations with a view of what it is they really want to protect.
Risk assessment output
Irrespective of the risk assessment method used, the output should be meaningful, understandable, realistic, and in context so that it informs risk management decisions and cannot be interpreted in different ways by different people.
The level and type of detail provided by the output (ie technical or not) will be dependent on who the risk assessment is for, and what risk management decision it is meant to inform.
Understand what risks exist
To understand what risks exist, the chosen risk assessment method should be applied in the context of what the organisation is trying to achieve. To do this, you should know:
Before conducting a risk assessment, the organisation needs to decide and agree how risk assessment output will be presented. There is little value in a risk analyst producing a large and detailed risk assessment document, when the decision maker will only read the first page. Ensure that the scale and rigour of analysis performed (and the amount of documentation produced) matches the business context and is justified and proportionate.
The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.
Prioritise the output from a risk assessment to allow the organisation to make informed risk management decisions. Any prioritisation of risk should be based on a meaningful understanding of what the organisation really cares about, not meaningless risk level boundaries.
Communicate risk consistently
Irrespective of the approach taken to assessing risks, the outcome should be captured in a way that can be used to inform business decision making. Output from risk assessment and other risk management activities may also need to be communicated to interested third parties.
The results of risk assessments depend largely on the experience and biases of the individual conducting them. As a result, it is difficult to obtain consistent risk assessments from different risk practitioners even when applying the same method. Consistency in risk assessment and risk management is important to enable effective decision making and communication. Consistency does not come from the repeated application of a specific risk assessment method. Consistency is achieved by ensuring that:
Different organisations do not have to use the same risk assessment methods in order to communicate risk consistently, provided they use a common language that describes the inputs to and results of their risk assessment and risk management activities. The common language to be used is a matter for organisations to agree amongst themselves.
Agreeing how to communicate will create trust amongst a community who need to have confidence in the decisions made by others. Organisations should, as a minimum, be able to communicate:
You should also:
Make informed risk management decisions
Throughout the lifecycle of a system or service, the organisation will need to make objective decisions about what needs to be done to manage identified risks. This should be based on a clear and meaningful understanding of risk.
These decisions should be informed and supported by information, subject matter expertise and evidence. It is for the organisation to decide how much and what form of information is required, together with the level of expert advice and evidence needed to demonstrate that risks are being managed.
Examples of information and evidence that could be used to support risk management decisions include:
It is important that the organisation understands what effect its risk management actions have on the risks it has identified. The organisation must be capable of communicating this to partners or authorities as necessary.
Residual risks
It is not possible to say that a system or service is ‘risk free’, or 100% secure. After risk management action has taken place, some risks will remain. These are often referred to as residual risks.
Some risk management approaches estimate how much a specific risk management action reduces an identified risk from its original state. For example, a risk management action may reduce a risk from 'high' to 'medium'. It is not possible to quantify the level of risk reduction that results from a single security control or a suite of controls, and basing risk management decisions on estimates of risk reduction can encourage a false sense of security.
Understanding the effect a security control is having on a risk can be useful in determining the value of risk management related investment decisions, and as a minimum, organisations should understand and be able to communicate: