What is risk?

Risk is the effect of uncertainty on systems, people, organizations and so on. Risks can emerge from any type of uncertainty, including those related to technology, finance, health and safety, and security. Cyber security risk refers to security risks to digital services, computers, networks, connected technologies or information.

What is risk management?

Risk management is about managing the effect of uncertainty on systems, people or organizations. It helps them to protect themselves, and provides confidence that the ways in which they respond to risk are good enough to meet their needs. Risk management is not a ‘one-off’ activity. It needs to happen throughout the whole life cycle of a system or service.

What is risk assessment?

Risk assessment is a key risk management activity that identifies, assesses and articulates risks to the organization. Risk assessment is needed to inform risk management decision making, and it requires technical, security and business skills and knowledge.

Managing technology and information risk

The following guidance will help organizations understand how to approach the assessment and management of risk:

  • Understand the business context – To ensure meaningful outcomes, organizations need to establish the context in which risk management and risk assessment are conducted. This identifies what the organization is trying to achieve, which business assets are involved, which risks the organization is, and is not, prepared to take with those assets, and any external legal and regulatory requirements that need to be considered.
  • Decide on the risk management approach – Before taking any action, the organization must understand and communicate what risk management approach the business is going to take. This is an important business decision because the security of the organization and its assets depends on it. Organizations have a number of choices available to them for managing the risks that have been identified: they can choose to avoid, accept, transfer or treat risks to their business.
  • Choose a risk assessment method that is right for the business – There are many methods for conducting risk assessments, and numerous tools to support them. Most risk assessment methods can be aligned to the approaches described in the ISO series which seek to identify, analyze and evaluate risks. The method to be adopted should be appropriate for the organization. It should be scaled to support whatever delivery model is being used and tailored as necessary to suit the needs of the business and the target audience.
  • Understand the components that cause a risk to exist – Risk assessment has inputs and outputs. The most common inputs considered in a risk assessment are threat, vulnerability and impact, although some risk assessment approaches include other inputs (such as likelihood and asset value). Risk is normally realized as a consequence of these inputs.
  • Understand what risks exist – To understand what risks exist, the chosen risk assessment method should be applied in the context of what the organization is trying to achieve. The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.
  • Prioritize – Prioritize the output from a risk assessment to allow the organization to make informed risk management decisions. Any prioritization of risk should be based on a meaningful understanding of what the organization really cares about, not on meaningless risk-level boundaries.
  • Communicate risk consistently – Irrespective of the approach taken to assessing risks, the outcome should be understandable and meaningful in the context of the business and what it is trying to achieve. It should be captured in a way that can be used to inform business decision making. Output from risk assessment and other risk management activities may also need to be communicated to interested third parties.
  • Make informed risk management decisions – Throughout the life cycle of a system or service, the organization will need to make objective decisions about what needs to be done to manage identified risks. These decisions should be based on a clear and meaningful understanding of risk, and informed and supported by information, subject matter expertise and evidence.

