The Risk FARM

Author: Leighton Johnson, CISSP, CISM, CTO at ISFMT, Inc.
Date Published: 20 February 2019

In today’s ever-changing risk environment, the risk practitioner always has areas to consider, including the dynamic threat world, the many continuous vulnerabilities that are ever-present, and the potential impacts on the enterprise and its activities. Risk considerations require review of the many and wide-ranging possible areas on which to focus. Here is a general approach to start the process of reviewing and managing your organizational risk out on the risk FARM:

  • Framing of the risk—Setting the parameters for how and what risk is to be considered is first. Putting the risk into context within the organization, its business processes, the scope and purpose of the risk effort are all part of this first area. Ensuring that the risk is visible at the senior manager level within the organization is vital to properly addressing risk.
  • Assessing the risk—This involves assessing the risk in each business area and then evaluating it with respect to the overall organization. Determining and using a standard risk model, and looking at the threats, vulnerabilities, impacts on the business and likelihood of occurrence, all contribute to the assessing portion of this activity.
  • Risk responses—Typically, there are 4 types of risk responses that are used, often in combination, to handle risk for an organization and ensure that it is at an acceptable level for operations. Risk avoidance is the process of removing the risk item from the operational environment so there is no potential impact. Risk sharing, also called risk transference, is the process of using extra means to handle the risk outside of the organization; these means can be insurance-based or external-provider-based. Risk mitigation, the third response type, is often the most used and most extensively deployed means of handling risk. Acceptance of the risk is always the last step in the response program.
  • Monitoring of the risk—Watching, checking and continually reviewing risk and the responses to risk are ongoing efforts to keep the organization safe and secure. Making the inevitable changes securely is just one portion of these monitoring activities. There is a wide range of manual and automated means to accomplish this for organizations.

Taking risk to the FARM to enact a risk program helps set the organization up for success in meeting the wide and varied needs of the entire business, keeping everything in operations safe and secure in today’s insecure world.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.