Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the “effect of uncertainty on objectives”) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. Risk management’s objective is to ensure that uncertainty does not deflect the endeavor from the business goals.
There are 5 steps to Risk Management:
Step 1: Identify the Risk. You and your team uncover, recognize and describe risks that might affect your project or its outcomes. There are a number of techniques you can use to find project risks. During this step you start to prepare your Project Risk Register.
Step 2: Analyze the risk. Once risks are identified you determine the likelihood and consequence of each risk. You develop an understanding of the nature of the risk and its potential to affect project goals and objectives. This information is also input to your Project Risk Register.
Step 3: Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk magnitude, which is the combination of likelihood and consequence. You make decisions about whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk rankings are also added to your Project Risk Register.
Step 4: Treat the Risk. This is also referred to as Risk Response Planning. During this step you assess your highest ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. How can you minimize the probability of the negative risks as well as enhance the opportunities? You create risk mitigation strategies, preventive plans and contingency plans in this step, and you add the risk treatment measures for the highest ranking or most serious risks to your Project Risk Register.
Step 5: Monitor and Review the risk. This is the step where you take your Project Risk Register and use it to monitor, track and review risks.
When preparing to conduct a risk assessment for your organization, I will consider these nine key areas:
- Third-Party Vendors: How secure are their operations? How much visibility and insight do you have? Who is the cyber security point of contact for each vendor you work with?
- Security Management: Who is in charge of implementing strategy? What strategy is being implemented? Has it been effective? What changes should be made?
- Security Architecture: What programs are currently in place? How effective are they? What measures can be added? What tools are available to teach employees about the current architecture?
- Emerging Technologies: What can be added to enhance security? How secure are new technologies that are currently in place? Where are these technologies applied – physical server, virtual server, cloud?
- Regulations and Policy: What is the current security policy? How does it impact overall security? What updates can be made?
- Incident and Crisis Management: How are you monitoring for incidents currently? How well is it working? How are incidents resolved today?
- Identity Management: What authentication mechanisms are in place? What password protections are available?
- Awareness & Education: What programs are in place to educate employees about cyber security? What tools and guidelines are given to employees?
- Threat & Vulnerability Management: What systems are there to identify and remediate vulnerabilities and threats?