The benefit of performing risk assessment far outweighs the cost or impact that an organization may have to suffer in case an incident takes place.
Thanks to implementation of international standards such as ISO 27001, ISO 31000, ISO 22301, ISO 20000, SSAE 16, COBIT, PCI-DSS, HIPAA, DPA (not exhaustive) there is more and more interest in understanding risk assessment methodologies and how it can benefit an organizations’ business.
The need for understanding the finer nuances is increasing but is far from maturity levels demanded by any of the international standards. If you are certified to any of the management system certifications, one common flaw that most auditors find in any organization, they will surely respond “I wish they had a better risk assessment..”.
What is going wrong with risk assessments today?
The absence and maturity of the formal risk assessment is contributed by some of the following key factors:
What can be done to ensure completeness?
Consider the following key parameters for your risk assessment approach to make it successful and beneficial to the business(not exhaustive).
Agree on Terms and definitions: Risk is a function of asset, business impact, threat, vulnerability, probability. Define each one of them, and explain how this correlates in the risk valuation of the asset.
Agree on rating methodology: Methodology includes valuation. Valuation can be quantitative as well as qualitative. While measuring provide a range 1-4 or 1-10, 1 being lowest, and 4 being highest. The focus of rating should be based on your organization valuation not someone else. If you rate Availability as 4 for an asset it needs to reflect that the asset’s unavailability can hinder continuity of the business, in other other words make it contextually relevant.
Make it simple, provide a guidance: Provide support to suggest how something is to be rated as 4(Very High). An asset containing salary data may be rated as Very High, and it encompasses all forms of that assets and teams.
Agree on context: Context is the scope of risk that you wish to address. Is it service risk, information risk or business risk? Since most risk assessments are driven by compliance objectives define the context in terms of assets/service/function that needs to be covered. Once you see the value you can increase the context itself.
Start from the top: Starts from the CEO. We have found that those we started with the CEO were much more successful. If the CEO is not involved, it is a sure shot failure, i doubt it will the light of the day.
Involve department heads (if not everybody) and make them ‘own': Explain and involve the head of departments/business process owners, they will appreciate and help you evolve. Again this is not just IT or security teams, it involves everyone. if you explain a team such as R&D how risk assessment helps reduce the assets of R&D, they will surely participate.
Consider trigger points for reassessment/change: Once you decide the context, also decide the trigger point for change. Change can be in methodology, rating, new assets, new threats, new weakness, new events – internal and external, to name a few.
Consider a Target and period of measurement: Management is interested in numbers, we all know that. Define a risk target. Also apply this by showing how your risks improved for a given period of time. Note the true objective is to reduce risk at optimum level that supports business.
Consider the above as a guideline for your risk assessment process and I am sure your risk assessment will improve manifold.
Hope this helped, let me know your reactions!