
Risk management is the process of determining an acceptable level of risk, calculating the current level of risk, and then either accepting that level of risk (risk acceptance) or taking steps to reduce it to the acceptable level (risk mitigation).

Organizations have significant flexibility in how the risk management steps are performed (e.g., sequence, degree of rigor, formality, and thoroughness of application) and in how the results of each step are captured and shared—both internally and externally. Ultimately, the objective of applying the risk management process and associated risk-related concepts is to develop a better understanding of information security risk in the context of the broader actions and decisions of organizations, in particular with respect to organizational operations and assets, individuals, other organizations, and the Nation.

Risk Management Steps

The risk management process consists of four parts: risk assessment and analysis, risk evaluation, risk treatment, and risk monitoring. Below, we delve further into the four components of risk management and explain what you can do to simplify the process.

  1. Risk Assessment & Analysis

The first step of the risk management process is called the risk assessment and analysis stage. A risk assessment evaluates an organization’s exposure to uncertain events that could impact its day-to-day operations and estimates the damage those events could have on an organization’s revenue and reputation.

Risk assessments use the results of threat and vulnerability assessments to identify and evaluate risk in terms of likelihood of occurrence and potential adverse impact (i.e., magnitude of harm) to organizations, assets, and individuals. Effectively assessing and analyzing an organization’s risks helps protect assets, improve decision making and optimize operational efficiency across the board to save money, time and resources.

  2. Risk Evaluation

After the risk assessment/analysis has been completed, a risk evaluation should take place. A risk evaluation compares estimated risks against risk criteria that the organization has already established. Risk criteria can include associated costs and benefits, socio-economic factors, legal requirements and system malfunctions.

  3. Risk Treatment & Response

The third step in the risk management process is risk treatment and response. Risk treatment is the implementation of policies and procedures that will help avoid or minimize risks. Risk treatment also extends to risk transfer and risk financing.

  4. Risk Monitoring

The last step in the risk management process is risk monitoring. Organizations implement risk monitoring programs:

  • to verify that required risk response measures are implemented and that information security requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines, are satisfied (compliance monitoring);
  • to determine the ongoing effectiveness of risk response measures after the measures have been implemented (effectiveness monitoring); and
  • to identify changes to organizational information systems and the environments in which the systems operate that may affect risk (change monitoring), including changes in the feasibility of the ongoing implementation of risk response measures.

Analyzing monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

Risk Treatment Options:

  1. Risk Acceptance

Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.

Organizations typically make determinations regarding the general level of acceptable risk and the types of acceptable risk with consideration of organizational priorities and trade-offs between: (a) near-term mission/business needs and the potential for longer-term mission/business impacts; and (b) organizational interests and the potential impacts on individuals, other organizations, and the Nation.

  2. Risk Avoidance

Risk avoidance involves taking specific actions to eliminate or significantly modify the process or activities that are the basis for the risk. Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk appetite and tolerance, and a determination has been made not to make an exception. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable.

  3. Risk Mitigation

Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.

Risk mitigation is accomplished by implementing one or more offensive or defensive controls in order to lower the residual risk. An offensive control is designed to reduce or eliminate a vulnerability, such as enhanced training or applying a security patch. A defensive control is designed to respond to a threat source (for example, a sensor that sends an alert if an intruder is detected).

Prior to implementation, risk reduction recommendations should be evaluated in terms of their effectiveness, resource requirements, complexity, impact on productivity and performance, potential unintended consequences, and cost. Depending on the situation, risk reduction decisions may be made at the business unit level, by management, or by the Board of Directors.

  4. Risk Transfer or Risk Sharing

Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). Risk sharing shifts a portion of risk responsibility or liability to other organizations (usually organizations that are more qualified to address the risk).

To understand more about our engagement in Cybersecurity Risk Management Framework & Methodology Document development, speak with us today.
