At the start of 2023, few would have guessed that asset management would suddenly become a hot topic. Then, in late May of that year, a vulnerability was discovered in the widely used MOVEit file transfer software. The flaw impacted well over 2,000 organizations across every industry, including government agencies, financial giants, transportation companies, software providers, and retailers. The hack exposed the data of more than 62 million people in total. Companies realized they didn’t know if their vendors were using MOVEit and exposing them to risk. A good asset management tool would have allowed companies to quickly generate a list of all their instances of MOVEit, patch them, and verify them for their partners. Instead, for many, delays in tracking down, fixing, and communicating about the vulnerability left customer data out in the open—for months.
Risk is dynamic. While specific risks may be unpredictable, acknowledging and addressing the existence of risk will allow you to deal with it. It’s too important (and potentially costly both financially and to your reputation) not to. But for a not-yet-enterprise-level company, starting to manage risk can seem overwhelming and too complex to address.
First, a word on WHY
Why should you focus on risk management, and building a durable and robust program, if you don’t yet have the backing of a full GRC team? The obvious answer might be that sooner or later, you’re going to adopt frameworks that require an annual risk assessment. When that time comes, you’re going to have to start thinking about how to manage risk.
But keeping on top of risk just to meet compliance obligations is a missed opportunity. When you start thinking and talking in terms of risk, you’re getting fluent in the common language of the stakeholders who are affected by risk. You, as a compliance leader, might naturally focus on controls as the key to handling risk, but the people you need to talk to—risk owners including control owners and leadership—don’t necessarily think in terms of controls. They understand risk.
Talking about risk to control owners results in better controls.
Control owners keep the mechanisms of risk reduction operating on a daily basis. They take risk seriously—risk of ransomware, of unauthorized access, of failing to safeguard data privacy. So, if you frame your control discussion as a matter of risks, they will understand your concerns. Bear in mind, control owners know their own turf better than anyone else. Once you start speaking their language, they may just surprise you and come up with better controls than you could.
Talking about risk to risk owners opens doors to working at a higher level in the business.
What keeps directors and VPs up at night? The risk of not meeting targets, of being hacked, of natural disasters. If you want a seat at the table to talk to leadership, focus on risk. Showing the high cost of not reducing risk is a powerful way to secure funding for controls. Focusing on organizational cost shows them you’re on the same side of the table as they are. You’re trying to solve the thorny problems they worry about, and trying to help the business make good investments and avoid bad ones. So when you talk about investing in controls as an outgrowth of your insight into risk, they’ll listen—because they’ll see compliance as a benefit to business, not just a cost of doing business.
Next, a word on WHEN
As the saying goes, the best time to plant a tree was 30 years ago, and the second-best time is today. If you only start building a risk management program when you’re preparing for that first audit, you’re probably way too late. Even if your company is private today—even if you’re not planning to get certification anytime soon—start today.
But maybe we’re preaching to the choir. Maybe you just want to get started on managing risk right away, and you’re thinking, “Can’t I just get a list of controls off the internet and start using those to reduce risk?” Hold your horses. The problem is that while, yes, controls respond to risk, controls aren’t one-size-fits-all. You’ll need to do a custom risk assessment before deciding what controls are appropriate to address your organization’s risk.
What risks apply specifically to your organization, in view of its environment and its internal and external stakeholders? Which controls are essential for your company’s security, and which are a lesser priority? A prefab list of controls can’t tell you that. Sure, maybe you’ve worked at startups and built up their compliance programs, so you know the controls they needed. But every business has different levels of risk. You don’t want to be wrong about the controls you need to reduce risks unique to your organization.
It takes time to plan for conversations about risk, so start now. Work with management to establish timelines for deliverables that allow for proper information gathering from stakeholders. That’s how you’ll determine where your organization should allocate resources to mitigate risks.
Now that we’ve (hopefully) convinced you of the benefits of creating your risk management program ASAP, let’s talk about how to start.
Steps to building a risk management program
1. Identify and understand business risks.
A. Beware of an “if we close our eyes, it’s not really there” mindset.
Sometimes people are so eager to avoid risk that could have negative consequences that they even avoid discussing it. The attitude might be: “Don’t write that down, because if we’re sued and subpoenaed, we don’t want that in writing.” Talk to your lawyers about this—obviously—but if leadership recognizes a risk, not talking about it is not the solution.
B. One way to start: listen and learn.
Find allies who can tell you about the risks the business is facing, and interview them. Your job here is to hold up a mirror and show you understand. It can be eye-opening to hear how an executive responds to the classic question: “What keeps you up at night?” Are they worried about a breach by an external hacker? Or about an insider stealing customer data? Explore their concerns.
Don’t just talk to executives, either. Include others who intimately understand the process, whether they own it or are close to it. For example, ask the director of Engineering about the business's risks since they will have a macro view. Also ask a dev manager what they view as the risks because they will be in a unique position to specify key processes, people, or tools that pose risk.
You may get a laundry list of risks; your job as a compliance leader is to apply structure and order to it. So, determine priorities. Ask: “Of all the risks you mentioned, which would you say is the worst?” Ask these experts to consider the potential cost of the risks they see. Repeat this interview with other experts at all levels in your organization, and see what commonalities arise. If people with different perspectives keep talking about the same risks, that’s a strong signal about what you should address. As you listen, also start considering whether your company’s current controls are effective enough to mitigate the risks that these experts are raising.
C. Another way to start: A risk register from a reliable framework.
Approaches to risk management vary greatly depending on industry, organization size, organizational culture, etc. Depending on your organization’s needs, you might start by taking a risk register—a list of risks and their potential harm—from an existing framework. Popular options include the NIST Risk Management Framework (NIST RMF) or Secure Controls Framework (SCF). Build on that risk register with interviews to determine whether those risks all apply to your organization and what additional risks might exist.
2. Perform risk assessments.
Once you’ve talked to the people in your organization and you have a preliminary list of risks, analyze the risks to create a risk register for your organization. When we talk about risk, we distinguish inherent risk—the amount of risk that applies to your organization without taking into account controls—and residual risk—the amount of risk remaining after implementing controls. To calculate risk levels, multiply the likelihood and the impact of a potential threat event, given the details of your organization, the kinds of information it collects, and other relevant parameters. (A threat event is an event or situation that can potentially cause undesirable consequences or impact.)
Broadly speaking, there are two ways to come up with data on the likelihood and impact of a threat event: a qualitative method, and a quantitative one.
Your risk register will change over time, as existing risks are addressed and new risks arise.
You likely already have certain controls in place, such as antivirus software. After you assess the inherent risk, think about whether and how the controls you have help reduce residual risk. For example: Does your organization deal with sensitive data? If so, a data leak could badly impact your business. Without controls, a threat may be likely. But if you already comply with ISO 27001 and SOC 2, these existing controls may already reduce the likelihood of a data leak.
3. Determine risk appetite and tolerance.
Your discussions with management should reveal the organization’s risk appetite and risk tolerance, as per its governance policies. Risk appetite is the amount of risk, broadly speaking, the organization will accept to pursue its objectives. Risk tolerance is the level of risk an organization can accept per individual risk.
Understanding these will help you determine which risks are low enough to leave unaddressed, what level of residual risk is acceptable after application of controls, and when additional investment or other action is necessary to reduce risk to an acceptable level.
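As an added illustration (not part of the original guide), the sketch below scores a small risk register as likelihood times impact, before and after controls, and compares each result with a per-risk tolerance to sort risks into the three outcomes described above. The 1-5 scales, the tolerance of 8 and the sample risks are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Illustrative assumptions, not values from the guide: 1-5 scoring scales,
# a per-risk tolerance of 8, and the constructed register below.
TOLERANCE = 8


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (rare) to 5 (almost certain), ignoring controls
    impact: int            # 1 (minor) to 5 (severe), ignoring controls
    likelihood_after: int  # same scales, with existing controls in place
    impact_after: int

    def __post_init__(self):
        scores = (self.likelihood, self.impact,
                  self.likelihood_after, self.impact_after)
        if any(not 1 <= s <= 5 for s in scores):
            raise ValueError(f"{self.name}: scores must be between 1 and 5")
        if (self.likelihood_after > self.likelihood
                or self.impact_after > self.impact):
            raise ValueError(f"{self.name}: residual cannot exceed inherent")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        return self.likelihood_after * self.impact_after


def assess(register, tolerance=TOLERANCE):
    """Return (name, inherent, residual, status), highest residual first."""
    rows = []
    for risk in register:
        if risk.inherent <= tolerance:
            status = "low enough to leave unaddressed"
        elif risk.residual <= tolerance:
            status = "acceptable with current controls"
        else:
            status = "needs further action"
        rows.append((risk.name, risk.inherent, risk.residual, status))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("Office printer outage", 2, 2, 2, 2),
    Risk("Malware on endpoints", 4, 3, 2, 3),
    Risk("Customer data leak", 4, 5, 2, 5),
]

if __name__ == "__main__":
    for name, inherent, residual, status in assess(SAMPLE_REGISTER):
        print(f"{name:24} inherent={inherent:2} residual={residual:2} {status}")
```

Rerunning the same register with a lower or higher tolerance shows how a change in what the organization will accept moves risks between the three outcomes without any change to the underlying scores.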
4. Consider the strategies you’ll use to manage risk.
For each risk, decide which of the following responses is appropriate:
A. Acceptance
This choice can make sense for risks that are small enough not to pose a meaningful threat. Individual risks that are considered acceptable conform to the organization’s predefined risk tolerance. Know when accepting a risk requires senior management approval. A risk might be acceptable under your company’s policies, but if a cost/benefit analysis shows that mitigating it makes sense, you might choose mitigation anyway.
Note that this is not an “if we close our eyes, it’s not really there” situation. Ignoring a risk is not the same as accepting it. Think through the situation and make sure to document the reason for your decision.
B. Mitigation
If an inherent risk is higher than your organization’s risk appetite, you might choose to reduce the risk level to an acceptable level. This is a decision to be made by the risk owner, who is ultimately responsible for both the risk and approving the efforts to reduce it.
One way to mitigate a risk is by using controls. For example, if you’re concerned about the risk of malware, you could install anti-malware protection on your company’s computers, to reduce the likelihood of a malware threat event to an acceptable level.
C. Transfer
Assign the risk to someone else. The most common method for risk transference is buying an insurance policy. For example, if you’re considering how to respond to the risk of a cyber attack, and acceptance is not an option, you might take out cyber insurance.
But insurance premiums have risen, and it’s gotten more difficult to get a policy. While a number of factors affect insurance premiums, insurers are more likely to offer policies—and lower premiums—to companies that demonstrate they use robust controls to minimize cyber risk to begin with. So it can make sense to first mitigate a risk and then transfer all or part of the residual risk by purchasing cyber insurance.
D. Avoidance
Eliminating risk entirely. A business can choose not to take advantage of an opportunity that poses a risk, and thus avoid the risk. This leaves you with a residual risk of zero.
But this can be a difficult option if the risk relates to a business process that is a necessary part of business. For example, as much as you want to avoid phishing risk, you’re not going to tell your employees to stop using the internet.
Avoidance is possible when you can identify a less-risky alternative. For example, if you've been using a vendor, and new information indicates they have poor information security maturity, you can stop using them and replace them with a vendor with a more mature level of information security. Of course, you’ll still need to assess whether this latter vendor poses other risks, but it will avoid the specific risk that the first vendor posed.
5. Present your findings on risk to management.
Once you’ve determined the likelihood and impact of risks, it’s time to talk to management. Let management know what it will cost to reduce risks to acceptable levels and why it makes sense for them to invest in risk reduction. Be clear about which risks need to be addressed now, and which can wait. Remember, quantitative risk management can be your ally here. Expressing risk in terms of the dollar amounts at stake may get management’s attention better than describing risks as “high, medium, or low.”
6. Establish control owners.
Your control owners will continue to be your allies in reducing threats. Communicate with control owners so that they will keep their controls operating effectively.
7. Document your risk program.
Keep a written record of risk management policies. This documentation should include the assessment process and the risk register as a reference and a guide. Many compliance frameworks require such documentation.
8. Monitor and assess.
Congratulations! You have yourself a risk management program.
You’ve come a long way, but the journey’s just begun. Managing risk requires a continual approach. The risk landscape changes, not least because of changes going on in the world. Covid was a reminder to us all that the risks you think you know about are not the only ones out there. Your organization may have found certain risks acceptable based on an assessment a month ago—but changing events can nudge that risk to an unacceptable level.
You might not have a GRC team or a huge budget to back you up, or years of experience with your organization, but you know that you can’t just establish a risk management program and let it sit there, gathering dust. So the next part of this guide focuses on how to keep your shiny new risk management program relevant and valuable.
Getting Continuing Value from Your Risk Management Program
We started this guide with the MOVEit vulnerability. That’s a classic example of how a set-it-and-forget-it approach to risk management doesn’t give you the up-to-date signals you need for responding to new risks. So what do you need? A 24/7 system of risk quantification?
A compliance leader of a hyper-growth organization might (wrongly) feel that any meaningful assessment of risk is just too complicated, and settle for whatever minimal risk analysis their compliance work forces them to do. When a compliance framework requires an annual risk assessment, too many companies treat that as a check-the-box exercise.
Clearly, quantifying every input to place a dollar value on every risk isn’t feasible. But doing a quick, once-a-year risk assessment isn’t enough. We suggest a reasonable compromise: tactics to keep getting value from your risk management program without investing more than you’re comfortable with, but without falling into the check-the-box trap, either.
1. More frequent risk assessments.
Don't just do your risk assessment annually. Keep up with those check-ins throughout the year. Make especially sure to check in whenever there is a significant change in the environment, such as a business acquisition, a significant new process, or a new regulation.
There are several benefits to more frequent risk assessments:
A. Understanding how risks to a business change from year to year, and even month to month.
More frequent risk assessments give you a tighter timeframe for measuring and managing those changes to the risk landscape. For example, with a continually updated asset management system, a company would have known the potential impact of a zero-day vulnerability, as in the case of MOVEit, with less delay. When your information is more current, you can respond now instead of when your next annual risk assessment rolls around.
B. Course-correct more quickly (especially with continuous risk monitoring).
Systems that continuously monitor risk show whether controls are effective or not and give leadership the always up-to-date information they need to make informed decisions about investments in risk reduction. Continuous monitoring is ideal—but if you’re a compliance leader without a large GRC team to back you up, risk assessments that are “as frequent as possible” might make the most sense now.
C. Prove the value of your controls.
How DO you know your controls are working? Unless you're investing in pulling real, supporting data, risk level is based on qualitative information, such as interviews—people’s feelings and impressions. But in contrast, if you can say, “Investing in technology reduced hacks from 1000 monthly real attacks on perimeter networks to 100,” that tells your leaders precisely how effective the investment in controlling risk was.
2. Find a way to measure risk that lets you measure progress over time.
You could express risk with traffic-light colors: red, yellow, and green. But that limits the information you can convey: Imagine the conversations about ranking risks. “Is this risk redder than that other red risk?” You may not be ready to make a massive investment right now in risk quantification, and that can wait. For now, at least switch to scoring risks on a scale of one to ten. For example, “one” could mean a risk of $1 million or less, “two” could mean between $1 million and $5 million, and so on—whatever makes sense for your business. This more granular scale gives you a more concrete way to measure change. While you’re assessing risks, ask the people you interview to pull the data they relied on.
3. Share.
Share the results of your risk assessments back with the people you interviewed. Don't make the flow of information just one way; make it a conversation. If the head of Engineering thought a certain risk was high, but Finance thought it was low, you can all talk about why there's a disparity. Or if one of them said a risk was “high” last quarter, but says it’s “medium” now, talk about what changed. Information sharing turns what you’re doing anyway for compliance into a valuable business activity.
4. Use risk as a way to tell leadership where their investments are working.
Risk is a powerful way to talk to leadership about where the money goes. Leaders need to understand where they're under-investing, where their investments aren't working, which new borderline cases may be acceptable, and where everything is right on target.
Use conversations about risk to get a seat at the table with leadership. This is your opportunity to tell them that all the money they spent on Project X really delivered value or that a certain area of risk has been at level 10 for a couple of quarters and needs funding. You’ll be able to quantify the benefit to the organization (in money, reputation, etc.) of avoiding undesirable consequences.
Too Small to Get Value from a Risk Management Program? Never.
Even a company that’s not yet at the enterprise level owes itself a good risk management program. While no guide can provide every detail that applies to your unique organization, this one should give you an idea of key elements and advantages.
At its core, building a risk management program is a matter of focusing on priorities: determining which risks are most relevant to your organization and making them meaningful to leadership so that you can get leadership support in responding to those risks.
Finally, creating a risk management program is a starting point for continuously monitoring risk—not just annually but throughout the year. That’s how you create value for the organization beyond meeting compliance obligations: by preparing the business to respond to threats, reducing the recovery time after threat events, and continually assessing the success of your company’s investments in risk mitigation.