Previously we discussed risk assessment and how, while it is both an IT and human undertaking, most risk assessments need to start and end with business processes. After you have conducted a risk assessment, it might seem that you simply need to review the assessment and determine which risks should be reduced or eliminated. While this is true, managing risk goes beyond responding to a risk assessment process. In this article, we’ll take up the topic of risk management, which involves dealing with a continuum of risks.
Before you can begin to manage risk, it can be helpful to segment your potential risks into categories for further definition and review. Typically, risks can be placed in one of three categories:
- Known Knowns are risks are a part of our industry, business, or simply part of our lives. For example, almost every business using electronic payments the danger lies in being hacked, losing customer credit or debit card information, or having funds misdirected by a criminal – or even by human error.
- Known Unknowns are risks that cannot be foreseen, but can be understood. For example, while the risk of a computer/network system being hacked is a known risk, it is unknown who will do it, where it will come from or the purpose of the hack.
- Unknown Unknowns are risks you only see in hindsight only. Recent technology events that fit this class of risks include the “poodle’ and ‘heart bleed’ vulnerabilities. Both of these highly technical vulnerabilities actually existed in thousands of computer systems for decades but were completely innocent until someone discovered they could be exploited for malicious intent. It is quite possible that many more of these unknown unknowns exist in the computer systems we rely on every day.
Risk Management Practices
With these three categories in mind, you can establish risk management practices for your business. When considering the first two categories, your risk assessment can help you rank and rate each risk, its potential to occur and, if it occurs, the magnitude of its impact. From here, risk management policies can help you handle risks effectively and in a reasonable manner. For example, if a very low probability risk would have catastrophic results for your business, it may be a matter of policy that your company would work at reducing or eliminating that risk regardless of the risk assessment score.
Risk management is an active and ongoing process. Once policy is in place, a set of operating standards are needed to set expectations for IT and other staff who deal with risks. Standards may include existing controls or new controls to help reduce or eliminate risks. For example, one operating standard could be to have an out of band authentication (a process of secure verification of your staff member) on any online corporate funds transfer. Beyond existing controls, risk management standards could include requiring risks of a certain magnitude will be handled within a set number of days. If the risk is not resolved within that time frame, management can review and discuss why the risk is not yet reduced, and take additional action or, in some cases, decide to extend the time to cure the risk.
Once risk is reduced, it’s important to complete a review of the ‘residual’ risk, that risk which cannot be eliminated. For example, using out of band authentication reduces the risk of a bad actor transferring funds, but there is still the risk of human error in posting the funds, transferring to the wrong person or entity, and the like. These risks may then be addressed through procedures or processes.
Processes establish the methodology for meeting policy requirements at the level set by standards. In the funds transfer example above, using out of band authentication reduces the technology risk that money will be stolen. However, internal processes still need to be established to reduce the risk of human error. Moreover, and while disturbing to consider, more incidents of employee theft have been cited in recent years. Therefore, separation of duties and normal, traditional human control mechanisms are just as important as technical risk management.
The following six steps briefly summarize the risk management process:
Risk management needs be an ongoing and integral part of your business management today. Technology risks are often more than purely IT issues and involve humans who conduct every part of your daily business. Especially when processes involve money, it is important to have these processes tied to policies and standards, which creates a measurable and defined set of risk management capabilities. Finally, while all three are tied together, it is important to manage risk dynamically as the risk environment changes