Information Risk Management - Making Sense of the Puzzle

The risk management framework looks more and more like a jigsaw puzzle with organisations trying to make sure individual pieces are up to date, but often forgetting to make sure all pieces fit neatly together.
While information risk management practices have been around for quite some time, establishing and maintaining an appropriate risk management framework cutting across the organisation (and its supply chain) continues to be a challenge for organisations, large and small.
 
Central to the puzzle is an organisation’s Risk Appetite. This sets the tone, establishing the boundaries of what level and type of risk an organisation is willing and able to accept, and informs strategic business decisions against defined risk tolerance levels (upper and lower limits). To define an organisation’s risk appetite clearly and correctly, it is essential to first frame the Risk Context, including the identification of critical information assets and the specific threat scenarios likely to impact the business.
 
 
Another set of closely interconnected framework components makes up the end-to-end risk lifecycle management activities, including:
  • Risk Assessment – identification, analysis and evaluation of risk
  • Risk Mitigation – selecting the appropriate treatment strategy for each risk, i.e. acceptance, avoidance, mitigation, sharing or transfer of risk
  • Risk Monitoring & Reporting – which enables the business to keep track of existing and emerging risks and make informed, risk-based business decisions.
 
Adopting a corresponding Risk Governance model is essential to establish risk ownership across the organisation, identifying key responsibilities and accountabilities at the right levels and ensuring senior ownership and oversight of risk, up to and including Board level.
 
To establish a successful risk management approach, understanding the existing Risk Management Resources – cutting across people, process and technology – is key to defining robust risk management practices supported by an appropriate process and technology platform.
 
Embedding the right Risk Culture & Behaviours within the organisation will help promote and drive a risk management culture across the business, starting from the top down.
 
Bringing it all together, and underpinning the risk management framework, is a clearly defined Risk Management Policy which sets out key risk management principles, identifies internal control objectives linked back to the organisation’s risk appetite, defines the corresponding risk management procedures and mitigation requirements, and establishes an appropriate oversight process.
 
Ultimately, when it comes to an organisation’s Information Risk Management framework, the whole is greater than the sum of its parts: while every puzzle piece must be clearly defined and robust, it is equally essential that the components fit seamlessly together to bring the right risk management practices to life across the business.
Alex Anisie Cyber Security Consultant 2 December 2016