Understanding Organizational Risk
My friend Stewart Hayes has been working in risk management for even longer than I have (which is longer than either of us care to remember). As well as being a good friend, he is also a prolific writer and has a very calm and measured way of dealing with challenging situations or colleagues. I'm pleased to be able to share a few of his many thoughts on organizational risk management.
Understanding Organisational Risk
This paper considers risk from an organizational context; that is any adverse factor that may affect the normal operation of the business. This considers potential issues arising from cyber, physical, personal and political or investment risks and describes strategies that will mitigate these risks. The paper describes a recognized approach to enterprise risk assessment and subsequently definition and management of controls designed to mitigate those identified risks. It is intended for readers unfamiliar with Risk Management and how it may be used to better manage your organization’s security environment.
Organisations must now be more cognizant of risks that they face in the day to day delivery and operation of their services. These risks are faced in all aspects of the business from ongoing operation of the infrastructure to strategic planning and understanding of potential issues that may face them in future endeavors. It is only through an enterprise risk approach that all risks can be considered on a consistent and equitable basis enabling the executive to make decisions based on business outcomes. Only through a uniform measurement of relative threats, exposures, opportunities and the potential consequences can the organization define and implement a comprehensive strategy to manage those risks.
2 Enterprise Risk Assessment (ERA)
Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk(R): the magnitude of the potential loss (L), and the probability (P) that the loss will occur. An acceptable risk is one that is understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expected value of the loss. A risk assessment includes variations depending on the context such as the type of threat and severity of consequence, with or without a probabilistic context.
The risk assessment process is generally considered in 5 steps.
There are numerous approaches to calculating the risk in each work area and each area will have varying threat manifestations. On the face of it, these are all considered in isolation. As a result, the outcomes tend to be viewed on the basis of ‘the most recent incident is the highest priority’. Unfortunately, this reactive approach to identifying and therefore managing risk is not cohesive to a sound risk strategy and is essentially a fire-fighting exercise which in itself is not sustainable. Secondly, a number of controls identified to manage risks could if defined correctly, actually address a number of scenarios thereby leading to cost savings across the enterprise.
2.1 Normalising Risk Assessments
To ensure risk assessments are measured on a level playing field it is important to identify areas of commonality. As outlined above risk is typically measured as the relationship between Likelihood of a Threat or Hazard actually being realized and the Consequence or Impact if it occurs.
There are various operational areas that an organization must consider on a daily basis – the Physical infrastructure, the Cyber Infrastructure, Personnel and Financial investments. Each area faces differing risks however they can be reconciled through a common assessment framework. At an enterprise level, this framework should only consider the broad aspects of risk and not be drawn into a detailed analysis of each risk scenario; this is best done when assessing the control measures as part of the Risk Management stage.
2.2 Assessment Framework
The assessment framework is shown below:
The three components of risk must be accompanied by a qualified or, where possible, a quantified analysis. This can be done by historical analysis or well defined and managed testing.
Exposure: This should consider how exposed the organization is the identified threat. For example, an organization whose office is located in a flood plain is more likely to suffer water damage than one whose office is on a hill. This assessment should initially be undertaken without consideration for controls that have been implemented. This enables the subsequent analysis to consider how strong the control needs to be and whether any existing control is effective (see maturity level below). The exposure can also be quantified by conducting testing to address specific areas of concern. For example, cyber penetration testing will identify whether the enterprise infrastructure can be accessed and what can be achieved by the attacker.
Likelihood: Secondly the likelihood of the threat event occurring is qualified through research into similar events and where they occurred. This must consider the type of organization that was targeted by the threat or the financial/investment market the organization was operating in.
Consequence: Lastly the consequence or impact of an event occurring must be evaluated. This should be evaluated against three criteria:
Direct or indirect financial impact – loss through theft, fines by regulators or others, withdrawal of investment etc.
Political – causing the resignation of senior executives
Using this qualitative framework to determine the relevant level of risk and exposure to that risk, the executive can make strategic investment decisions on risk management. This will provide a common vision and approach across the enterprise ensuring the strategy is properly funded based on the potential consequential exposure of not managing the risk.
2.3 Opportunity Risk
The international standard on risk management, ISO 31000, defines risk as “the effect of uncertainty on objectives”. The standard does not specify that these may be negative outcomes; indeed uncertain events may have a positive or negative impact. A negative outcome will affect the operating capability of the organizations whilst a positive outcome may be defined as a favorable or advantageous opportunity to improve the organization’s status.
When thinking about risk and setting controls the overall business objectives and strategies must be considered. Controls or strategies must be considered that might enable the organization to take advantage of such opportunity risks should they arise as well as defining strategies or controls to minimise negative outcomes. Avoiding risks is not the objective of risk management; understanding the risk and taking appropriate action is. Understanding business objectives and both the potential benefit and negative impact of risks will help organizations to be better prepared should those risks eventuate.
3 Enterprise Risk Management (ERM)
Risk Management is about ensuring the correct and most appropriate strategies are in place to ensure the threat, should it occur is properly managed within the context of business impact. To support this, a control strategy should be developed that supports a consistent decision-making process and enables the organization to take advantage of common controls to manage multiple event or threat scenarios. This strategy may be based on the following high-level objectives:
These strategies form the basis of the organization’s approach to risk management. The organization must, however, agree the policy defining ownership of risk, the thresholds for risk management and the ownership of control strategies. This supports a common approach to the management of enterprise wide risks that can be applied and managed consistently.
3.1 Application of Controls
Mitigating controls can be applied at a number of points in the organization’s operational enterprise. The diagram below shows an approach known as the ‘bow-tie approach to risk management’. This is separated into ‘preventative’ controls and ‘recovery’ controls.
Within the preventative control framework, the objective is to minimise the likelihood of a particular threat penetrating the organization’s operating environment and causing an event. These controls may fall into a number of categories, each more specialist in application.
On the other side of the bow-tie, the organization must be able to manage and recover from any event that occurs. This is known as a business continuity management program and includes:
‘Crisis management’ or the ability to manage an event effectively; and
Disaster recovery or the ability to recover from an event to normal operation or an agreed level of service.
3.2 Enterprise Risk Governance
Risk assessment and risk management is not a one-off exercise. It is essential that a continuous overview of existing and emerging risks is maintained to ensure the controls remain operational. This must take account of the changing business structure or enterprise and emerging threats that could potentially affect the business. Additionally, the controls should be regularly checked or tested to ensure they are effective. Any issues identified are to be assigned and owned by responsible individuals through to resolution.
4 Maturity Modelling
The Risk and Insurance Management Society (RIMS) published the RIMS Maturity Model in 2008 and have now (2015) launched a RMM recognition program to recognize leadership and enhance the discipline of Enterprise Risk Management (ERM). The RIMS Maturity Model (RMM) is a best-practice framework for enterprise risk management. Developed as an umbrella framework of the international, cross-industry standards, the RMM allows organizations to measure how well their risk management efforts align with these best practices.
At the initial level, risk management processes are disorganized, even chaotic.
At the repeatable level, basic management techniques are established and successes could be repeated.
At the defined level, an organization has developed its own standards.
At the managed level, an organization monitors and controls its own processes.
At the optimising level, processes are constantly being improved.
Author Stewart Hayes - People Concepts Stewart@peopleconcepts.com.au
https://www.linkedin.com/in/stewarthayesaus/ Tel: +61 (0)423 654 080
Stewart has over 25 years’ experience in security and risk management covering the hazards presented to the cyber, physical and personnel operating environments. As a strategic security services consultant Stewart has defined and delivered security ecosystems that both manage the risks and enable the business.