Risk management programs aim to control and treat the risks of an organization at all levels. While many organizations are already forced to comply with financial controls and regulations, cybersecurity controls are often overlooked by senior management or by overburdened IT managers. Also, most senior management, especially in small businesses, are not as aware of the risks of neglecting cybersecurity controls as they are of the risks of neglecting financial controls. Everyone can see stolen money as a business risk and wants to stop it, but when that risk is hidden behind a couple of layers of technical complexity in cyberspace, it is easier to ignore what is not understood.
Cybersecurity risk and its management should be given the same business consideration as other control mechanisms, if not more, as the world continues to undergo a digital transformation. This is not a risk management process, but rather a guide on how to create one and the key steps in that process. Running the risk management program and the functions it should contain will be covered in another article. This article covers the prior step: introducing a risk management program in an environment that lacks one. There are seven main steps to creating an information risk management program.
Establish the context and reason for the program
- The context of a risk management program is defined by the environment in which it is being implemented. That is to say, it will be subject to the objectives and limitations of the organization in which it is implemented. The context will also take into account the criteria against which risks will be assessed, such as risk tolerance and risk appetite (usually from a monetary perspective). Another key aspect of context is the support of senior management. It is vitally important to take a top-down approach that aligns security programs with the business objectives. Senior management must be involved in determining and endorsing the level of protection needed. Without senior management endorsement, the risk management program will never be taken seriously and will be treated more as a nuisance than anything else. Senior management support is the most important step in developing a risk management program. Without the context or senior support, a risk management program has no basis on which to function.
Understand your program's charter and scope
- The scope of the risk management program should be determined as a second step. It will be determined within the context of the organizational objectives, which is why it is important to establish the context first. For example, an objective of an organization that ships goods may be to increase the accuracy of addresses for repeat buyers. Then a scope within that objective might be database maintenance and who is responsible for doing it. Scopes can be broad or fairly specific but generally refer to a process or procedure rather than to a specific asset. To establish scopes, the boundaries of responsibility for the information security manager and key stakeholders must be well defined. Everyone must manage risk, but proper scoping prevents gaps in performance or maintenance. Another example of scope might be as trivial as defining who is responsible for ensuring that all documents at unattended desks are turned over. This would likely be in the scope of an individual employee, but in another office it may make more sense for this to be the duty of a floor manager. The important thing is that the scope is defined and common goals are known.
Create hierarchies and structure for authority and reporting
- Again, this step relies on the previous one. It is not possible to establish a reasonable hierarchy without having established the scopes within each objective. Understanding who reports to whom and how to escalate unmanaged risks ensures that the risk management program can continue to grow and operate smoothly in the face of a changing landscape. If a new business process changes how risk manifests, the proper parties will be able to handle it accordingly through established channels.
Identify and classify assets, and determine asset owners
- Now that the organizational objectives, scopes, and hierarchies have been established, we can conduct a Business Impact Analysis (BIA). Before any risk can be prioritized, we must understand what is at risk. A proper BIA will produce an inventory of all assets and their criticality. Determining the asset owners during the BIA also creates accountability for complying with policy within the risk management program. It is impossible to gauge what is at risk or what can be impacted if you do not know what you have. Assets can be physical devices as well as virtual spaces.
Record the program's objectives
- The objectives of the risk management program are not the same as the organizational objectives. The information risk management program objectives are more specific and require priorities to be put in place. That is why it is imperative to have the BIA completed before establishing objectives. Classifying risks and understanding which risks must be tackled immediately, which can be accepted, and everything in between is the crux of establishing the program's objectives. Resources and organizational objectives might impede the reduction of some risks, so recording the objectives and understanding them keeps the program streamlined.
Establish implementation methodologies
- Once the objectives are determined, we can establish how we would like to go about achieving them. This will include risk assessments and the roles involved in conducting such assessments. A good read for this is the NIST Special Publication 800-30, which covers risk assessments specifically. While there is no single perfect way to mitigate risk, the primary goal is to accomplish the program's objectives. Plenty of control frameworks exist and can be selected to meet the objectives. Make sure that the methods being used are implemented in a defined process and verified by a consistent method. For example, a testing and approval phase and proper change management would likely be key components of such a methodology.
Designate the team responsible for implementing the program
- Perhaps more in tandem with the previous steps than after them, assigning the team to run the risk management program should take into account the scopes, objectives, asset owners, and the skills required to carry out the methodologies. Again, the team must have the full support of senior management or it will struggle to ever effect any change or management of risk in the organization. It is common to see a risk management team as its own entity within a large organization, consisting of members familiar with the business processes for which they are managing the risks. However, in small to medium-sized businesses this is often not possible, and there will be an overlap of roles.
Creating a risk management program is not a simple task and requires the understanding and support of the whole organization. If you need help creating your risk management program before you're hit with an unmanageable business scenario, contact us through our chat widget or email form.