
How to get risk management right
05 Sep 2018

There are almost as many definitions of risk management as there are risk managers, and a concomitant wealth of methodologies, some simple and some unnecessarily complicated.

But the challenge for many organisations is that the sheer amount of effort being put into tackling the issue is not translating into positive business outcomes. One reason may be the way in which risk management is framed. The language of risk is usually about identifying uncertainty, loss and damage, and then minimising their likelihood or impact.

Risks are generally displayed using a red, amber and green system, which implies that red risks are bad and green ones are good. This reinforces the belief that risks are to be avoided, when there can be rewards in taking a risk that leads to a positive business outcome. In other words, a risk-averse culture can stymie business growth and undermine confidence.

One manifestation of this attitude is that many organisations have become adept at creating risk registers as part of their ongoing governance activity. But they generally fail to question why some risks remain static for so long, while ‘specialist’ risks such as security, quality and health & safety languish in their silos without being discussed at senior management level. The leadership team is therefore unable to obtain a holistic view of what is really going on.

The consequence is that if business leaders do not understand conversations about, for example, security risk, there will be little urgency in getting those risks recognised, let alone in taking effective action to mitigate them.

So before doing anything else and to truly get a handle on risk management, it is necessary to define what it actually comprises. One definition states that it is: “The identification, assessment and management of risk within the context of how much risk an organisation is willing to accept in pursuit of business objectives”. So let’s break this idea down a little:

Identification

A risk only exists where there is a threat source and a vulnerability that the threat can exploit; remove either and the risk disappears. The best risk assessments are therefore those in which a robust threat evaluation has taken place as well, identifying all of the key threat sources and prioritising them on the best information available at the time.

It is also important to look at all the possible ways in which the organisation could be vulnerable to each threat source. People too often state ‘there is a risk of fraud’ when, in practice, it is necessary to understand how and why the business is vulnerable to the threat of fraud.

Assessment

For this exercise to be of any value, the assessment process must be consistent and repeatable. Each risk must also be evaluated side-by-side with the others in a realistic and proportionate manner.

Too often, risk assessments explore the worst possible scenarios rather than the most realistic ones, which skews the evaluation out of all proportion. Just as damaging are those cases in which, for a variety of reasons, individuals play down risks, scoring them lower than they really are, so that they are never managed effectively.

Management

In my experience, management is often the most poorly handled area of all. To do risk management well, it is vital to understand clearly what the organisation’s business objectives are and how much risk it is prepared to take in pursuit of them: in other words, its risk appetite.

Risk appetite varies from organisation to organisation, with some being very cautious and others being quite laissez-faire. In the former instance, it will obviously be necessary to do much more risk treatment than in the latter.

Before any risk activities can be devolved downwards, though, it is vital for board members to take the lead in determining the organisation’s risk appetite. If they fail to do so, it will be unclear how much or how little risk treatment is required, potentially leading to a waste of money and resources or, just as bad, an unknown exposure.

In summary:

  • While there will always be risk and uncertainty, it is not necessarily a bad thing;
  • Risk management must be driven by the board, should inform business decisions and result in positive business outcomes;
  • Risk management activities should be consistent and repeatable and be based on proportionate and cost-effective risk treatment;
  • Risk activities should be aligned to the organisation’s risk culture, take place on an enterprise-wide basis and be resourced accordingly.

Mike Gillespie

Mike Gillespie is co-founder and managing director of information security consultancy Advent IM Ltd, and vice president of the C3i Centre for Strategic Cyberspace and Security Science. He is a senior, experienced information security practitioner of many years’ standing and is well versed in the threats posed to organisational information assets.
