Risk Assessment - What is the 'ideal' approach?

The benefit of performing risk assessment far outweighs the cost or impact that an organization may have to suffer in case an incident takes place.

Thanks to the implementation of international standards such as ISO 27001, ISO 31000, ISO 22301, ISO 20000, SSAE 16, COBIT, PCI-DSS, HIPAA and DPA (not exhaustive), there is more and more interest in understanding risk assessment methodologies and how they can benefit an organization's business.

The need for understanding the finer nuances is increasing, but practice is far from the maturity levels demanded by any of the international standards. If you are certified to any of the management system standards and ask the auditors what common flaw they find in most organizations, they will surely respond "I wish they had a better risk assessment."

What is going wrong with risk assessments today?

The absence, or immaturity, of formal risk assessment can be attributed to some of the following key factors:

  • International standards are sometimes confusing to the layman – if you search for the word 'risk' you will find several interpretations of the same keyword; ISO 31000 defines risk closer to a (positive) opportunity, whereas ISO 22301, ISO 27001 and ISO 20000 reflect a negative interpretation of the word risk.
  • Lack of management interest in what it can do for them – Most managers do not see it as a constructive activity; it is seen as tied to an event such as ISO 27001 (or any other) certification. Management says "get it done somehow, and we should be compliant." If implemented correctly, risk assessment can be part of each business activity, and it pays to be 'risk-aware'.
  • Inability to correlate internal and external events with the risk assessment methodology – The owners of the risk assessment, the people in the organization who perform it, often struggle to relate internal and external events to their risk assessment. It is generally something that one person does, and only that person knows how it is done. Ideally the response should be "we are all involved".

What can be done to ensure completeness?

Consider the following key parameters for your risk assessment approach to make it successful and beneficial to the business (not exhaustive).

Agree on terms and definitions: Risk is a function of asset, business impact, threat, vulnerability and probability. Define each one of them, and explain how each contributes to the risk valuation of the asset.

Agree on rating methodology: Methodology includes valuation. Valuation can be quantitative as well as qualitative. When measuring, provide a range such as 1-4 or 1-10, with 1 being the lowest and 4 (or 10) the highest. The rating should be based on your organization's valuation, not someone else's. If you rate Availability as 4 for an asset, it needs to reflect that the asset's unavailability can hinder continuity of the business; in other words, make it contextually relevant.

Make it simple, provide guidance: Provide supporting guidance on how something is to be rated as 4 (Very High). An asset containing salary data may be rated as Very High, and that rating applies to all forms of that asset and to every team that holds it.

Agree on context: Context is the scope of risk that you wish to address. Is it service risk, information risk or business risk? Since most risk assessments are driven by compliance objectives, define the context in terms of the assets, services or functions that need to be covered. Once you see the value, you can expand the context itself.

Start from the top: Start with the CEO. We have found that those who started with the CEO were much more successful. If the CEO is not involved, it is a sure-shot failure; I doubt it will see the light of day.

Involve department heads (if not everybody) and make them 'own' it: Explain and involve the heads of departments and business process owners; they will appreciate it and help you evolve. Again, this is not just for IT or security teams; it involves everyone. If you explain to a team such as R&D how risk assessment helps reduce the risk to R&D's assets, they will surely participate.

Consider trigger points for reassessment/change: Once you decide the context, also decide the trigger points for change. Change can be in methodology, rating, new assets, new threats, new weaknesses, or new events – internal and external – to name a few.

Consider a target and period of measurement: Management is interested in numbers, we all know that. Define a risk target. Also apply this by showing how your risks improved over a given period of time. Note that the true objective is to reduce risk to an optimum level that supports the business.
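To make the rating, guidance, trigger and target steps above concrete, here is a small risk register in Python. It is an added example, not a tool from this post or from any of the standards named. The composition rule (business impact taken as the highest CIA rating, multiplied by likelihood and vulnerability, then mapped back onto a 1-4 band), the band thresholds, the guidance text and the sample assets are all assumptions chosen for illustration; the post only says that risk is a function of these factors.

```python
"""Toy risk register on a 1-4 qualitative scale (added example, not from the post).

Assumptions: risk = business_impact * likelihood * vulnerability, where
business_impact is the highest of the asset's C/I/A ratings; the raw score
(1..64) is mapped back onto the 1-4 band that management reads.
"""
from dataclasses import dataclass

SCALE = range(1, 5)  # 1 = lowest, 4 = highest, as the post suggests

# Guidance so two assessors rate the same asset the same way (assumed wording).
IMPACT_GUIDANCE = {
    4: "Very High: business cannot continue without it (e.g. salary data)",
    3: "High: a core process stops until it is restored",
    2: "Medium: a workaround exists, but at a measurable cost",
    1: "Low: negligible effect on the business",
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # department head who 'owns' the risk
    confidentiality: int  # 1-4
    integrity: int        # 1-4
    availability: int     # 1-4


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int       # probability that the threat materialises, 1-4
    vulnerability: int    # how exposed the asset is to that threat, 1-4


def _check(value, label):
    """Reject ratings outside the agreed scale instead of silently scoring them."""
    if value not in SCALE:
        raise ValueError(f"{label} must be in {list(SCALE)}, got {value}")
    return value


def business_impact(asset):
    # The highest CIA value drives impact: unavailability of a 4-rated
    # asset hinders continuity even if its confidentiality is only 1.
    return max(_check(asset.confidentiality, "C"),
               _check(asset.integrity, "I"),
               _check(asset.availability, "A"))


def risk_score(risk):
    """Raw score in 1..64: impact x likelihood x vulnerability (assumed rule)."""
    return (business_impact(risk.asset)
            * _check(risk.likelihood, "likelihood")
            * _check(risk.vulnerability, "vulnerability"))


def risk_band(score):
    """Map a raw score back onto the 1-4 scale (assumed thresholds)."""
    if score >= 32:
        return 4
    if score >= 16:
        return 3
    if score >= 6:
        return 2
    return 1


def reassessment_triggers(before, after):
    """Compare two register snapshots and name what should trigger a review."""
    key = lambda r: (r.asset.name, r.threat)
    old = {key(r): r for r in before}
    new = {key(r): r for r in after}
    triggers = [f"new asset/threat: {a} / {t}" for (a, t) in sorted(new.keys() - old.keys())]
    for k in sorted(old.keys() & new.keys()):
        if risk_score(old[k]) != risk_score(new[k]):
            triggers.append(f"rating changed: {k[0]} / {k[1]}")
    return triggers


def progress_report(before, after, target_band):
    """Numbers for management: how many risks sit above the agreed target band."""
    above_before = sum(1 for r in before if risk_band(risk_score(r)) > target_band)
    above_after = sum(1 for r in after if risk_band(risk_score(r)) > target_band)
    return {"above_target_before": above_before,
            "above_target_after": above_after,
            "reduction": above_before - above_after}


# Constructed sample data: two quarterly snapshots of the same register.
PAYROLL = Asset("payroll database", "HR", confidentiality=4, integrity=4, availability=3)
RND_REPO = Asset("R&D source repository", "R&D", confidentiality=3, integrity=4, availability=2)

Q1 = [Risk(PAYROLL, "insider data theft", likelihood=3, vulnerability=3)]
Q2 = [Risk(PAYROLL, "insider data theft", likelihood=3, vulnerability=1),  # access reviews added
      Risk(RND_REPO, "ransomware", likelihood=2, vulnerability=1)]          # R&D joined the scope

if __name__ == "__main__":
    for r in Q2:
        print(f"{r.asset.name:25} {r.threat:20} score={risk_score(r):2} band={risk_band(risk_score(r))}")
    print(progress_report(Q1, Q2, target_band=2))
    print(reassessment_triggers(Q1, Q2))
```

The register keeps owner and guidance next to the numbers so that a department head can see why their asset is rated 4 and what would bring it below target; the trigger list is what you would review at each agreed reassessment point.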

Consider the above as a guideline for your risk assessment process, and I am sure your risk assessment will improve manifold.

Hope this helped; let me know your reactions!