Risk Management Process
One of the most common definitions of risk is an uncertain event that may occur at any given time; however, contrary to common belief, a risk can have either a positive or a negative effect on a project's goals and objectives. That any identified risk can have a negative or a positive outcome is a fundamental concept that organizations should focus on. Why? Mainly because it is natural for an organization's security team to fall into the trap of assuming that all risks have inherently adverse outcomes. An organization that remains open to positive risks can turn them into opportunities, making the project more streamlined and profitable.
Therefore, for an organization to determine the potential outcomes of a risk, whether negative or positive, it needs to adhere to the fundamental steps and phases defined for risk management. All risk management processes and frameworks are recommended to follow the same necessary steps, although different terminology is sometimes used to describe them. The steps are:
- Identifying the risk – this step involves identifying, recognizing, and describing the potential risks that might affect an organization's project life cycle and its outcomes.
- Analyzing the risk – once the risks are identified, security experts determine and analyze the consequences and likelihood of each identified risk in this step.
- Risk evaluation – risk evaluation is intended to determine the magnitude of each risk, where the risk magnitude is a combination of both the consequences and the likelihood of a threat.
- Risk treatment / implementing a solution – this step is also known as response planning. During this step, security experts assess the highest-ranked risks while developing possible solutions, policies, and plans that can be used to treat the risk.
- Risk monitoring and risk review – this is the final set of steps, which involves using the project risk register to perform monitoring, analysis, and tracking activities for the risks.
Risk Management Framework
Risk management is not only reactive; it should also be included in the planning process and in other security frameworks such as the NIST (National Institute of Standards and Technology) framework. This is done so that an organization can identify the potential risks that might cause devastating outcomes for the organization and its projects while learning how to control them.
The NIST Cybersecurity Framework, being a voluntary framework aimed at securing critical organizational infrastructure, can effectively guide an organization through the integration of an adequate risk management framework (RMF). Furthermore, the NIST publications also provide organizations with a catalog of controls that are used to promote the development of a resilient and secure information system (Institute of Risk Management, 2018). These controls are designed as technical, operational, and management safeguards that an information system can use to maintain its confidentiality, integrity, and security.
The NIST guidelines also adopt a multi-tiered approach to the general risk management process through control compliance. The NIST controls are broken down into three major classes, based mainly on impact (high, low, or moderate), and are then further split into eighteen different families. The control families include: Access Control; Maintenance; Awareness and Training; Contingency Planning; Incident Response; Audit and Accountability; Identification and Authentication; Configuration Management; Personnel Security; Planning; Media Protection; Risk Assessment; Physical Protection; and Program Management.
In today's complex and sophisticated digital environment, there has been a rapid increase in threat vectors. Therefore, organizations are recommended to base their internal security program decisions and strategies on the fundamental principles of the risk management framework (Calder, 2018). Risk is about uncertainty. When a business adopts and implements a risk framework around this uncertainty, the organization can effectively secure its projects by de-risking them.
This means that the organization can move forward with a clear understanding of the possible risks and with more confidence in achieving its overall goals and objectives (Szymański, 2017). By identifying and managing all potential project risks and developing a comprehensive list of them, unpleasant barriers and surprises in the development life cycle can be significantly reduced while, at the same time, a vast number of golden opportunities are discovered. The risk management framework can also help organizations resolve problems related to these risks immediately as they occur.
This is because these risks have already been envisaged, and plans for treating them have already been developed and agreed upon. Finally, with the help of the framework, organizations can avoid imprudent reactions and heading straight into "fire-fighting" mode to rectify problems resulting from risks that could easily have been anticipated in due time. In the long run, this makes for less stressed and happier stakeholders and project teams. The result is that the organization can minimize or accept the outcomes of project risks and threats, and capture new opportunities along the way.
Risk Management and Enterprise Risk Management
There is not much difference between Enterprise Risk Management and traditional risk management. Most of the practices and processes followed in both fields are quite similar, inasmuch as both methods are designed with the primary goal of identifying and analyzing the risks an organization faces in order to minimize their effects on the business. When using the traditional risk management structure, an organization's security team mostly departmentalizes its efforts and focuses primarily on hazardous risks.
With this approach, an organization is rarely given the opportunity to make relative comparisons among all the identified risks, to determine how the risks interact with one another, or to evaluate the cumulative effect of the threats on the organization (Eaton, 2015). Conversely, Enterprise Risk Management involves a senior security officer who is responsible for evaluating and comparing all of the identified risks faced by the organization. ERM is often considered an extension of the traditional risk management framework, but it differs in areas such as performance metrics, strategic application, and the risks considered. The figure below illustrates further differences:
References
Calder, A. (2018). NIST Cybersecurity Framework. https://doi.org/10.2307/j.ctv4cbhfx
Eaton, C. (2015). Enterprise risk management. In Canadian Nuclear Society – 35th Annual Conference of the Canadian Nuclear Society and 38th CNS/CNA Student Conference 2015. https://doi.org/10.4018/ijrcm.2014040102
Institute of Risk Management. (2018). About Risk Management.
Szymański, P. (2017). Risk management in construction projects. In Procedia Engineering. https://doi.org/10.1016/j.proeng.2017.11.036