Security is built upon the bedrock of risk management, but this is frequently overlooked and things are instead left to chance.
Every activity carries risk and nothing can ever provide 100% security (if anyone sells something claiming this, or full / perfect / total security, run a mile). If you and your business are ever going to function, then you have to have some form of risk management process – even if this is done without thinking. Day to day decisions are almost always a balance between risk & reward, and where possible we try to reduce the risks by improving our security.
While this can work acceptably on a personal level, with simple decisions and limited risks, for anything larger or more critical it is important that you properly document your risk management process – this should be a subset of your Corporate Security Policy – as this will allow you to properly gauge what risks you are taking and for what benefits.
Your goal should always be to implement the most cost-effective security measures possible as this will allow you to reap the greatest possible benefits from your business decisions. Part of this is making sure you know exactly what your current risks are, how much risk you are prepared to accept (risk appetite) and what benefits you hope to gain.
When you document your risk management process, you need to ensure that all three of these are properly recorded.
Current risks should always be documented in a Security Risk Register. You can use this tool to track when risks were identified, what (if any) compensating controls are being put in place, who is responsible, and how frequently you will review them. The review is important because over time risks will increase or decrease in impact and as soon as you lose the business benefit of accepting the risk, you should seek to remove it.
When it comes to risk appetite, it is good practice to set this at varying levels throughout your business structure. It is important that you establish clear boundaries over how much risk an individual can accept and where it should be escalated when required. Normally, this will be tied to levels of management or business area, allowing for a natural escalation path that is aligned to your business structures.
This leads to possibly the most difficult part of risk management – measuring the risk.
For any risk management strategy to work, to add value and for it to actually control your risks, you have to have some mechanism which allows you to quantify the risks your business faces. There are many methods by which you can carry this out, so you have to find the one most appropriate for your business.
One of the more common methods for this is to develop a mechanism which allows you to score risks from 1 (low) to 5 (high) for both probability – which is the chance the risk will happen – and impact – which is a measure of how much harm it could cause.
For example – you could develop a risk management strategy that grades risk probabilities as follows (pick one period, such as a year, and use it for every risk, otherwise the scores are not comparable):
- Score 1: 0 – 20% chance of happening in any given period (day, month, year etc.)
- Score 2: 21 – 40% probability
- Score 3: 41 – 60% probability
- Score 4: 61 – 80% probability
- Score 5: 81 – 100% probability
Impact can be graded in the same way, with the actual figures depending on your business so that an “impact 1” risk might have the potential to cost 10% of your profits, all the way up to an impact 5 which could put you out of business. When you develop your risk management strategy, it is important that you involve all aspects of the business so you can properly assess the impact.
Using the probability and impact scores you can calculate the “risk score” using the very simple formula:
risk score = probability x impact
Bear in mind that the two scores are ordinal labels rather than measurements, so the product is only a ranking aid: a near-certain minor risk (5 x 1) and a rare catastrophic one (1 x 5) both score 5 but will usually warrant different treatment. Record both component scores in the register alongside the product rather than the product alone.
Once you have your measurement system in place, you can assign risk appetites based on scores – so if you used the system above you could have one level of management able to approve risks with a score of less than 8, the next level can approve up to scores of 15 and anything higher has to be approved by senior management. (The exact figures depend on your business’ approach to risk management)
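To show how the banding, the score and the approval thresholds described above fit together, here is a small risk register in Python. It is an added example written for this page, not a tool the article describes; the probability bands and the approval thresholds (below 8, up to 15, above 15) follow the article's worked figures, while the role names, the register entries and the review periods are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Probability bands from the article: (inclusive upper bound in %, score).
# Bounds are contiguous so every percentage maps to exactly one band.
PROBABILITY_BANDS = ((20, 1), (40, 2), (60, 3), (80, 4), (100, 5))

# Approval levels: (highest risk score the role may accept, role name).
# Thresholds follow the article's example; the role names are assumptions.
APPROVAL_LEVELS = (
    (7, "line manager"),        # scores below 8
    (15, "department head"),    # scores 8 to 15
    (25, "senior management"),  # anything higher (max is 5 x 5 = 25)
)
APPROVAL_RANK = {role: rank for rank, (_, role) in enumerate(APPROVAL_LEVELS)}


def probability_score(percent: float) -> int:
    """Map a probability (% per chosen period) onto the 1..5 scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability must be 0..100%, got {percent}")
    for upper, score in PROBABILITY_BANDS:
        if percent <= upper:
            return score
    raise AssertionError("unreachable: bands cover 0..100")


def risk_score(percent: float, impact: int) -> int:
    """risk score = probability x impact, both on the 1..5 scale."""
    if impact not in range(1, 6):
        raise ValueError(f"impact must be 1..5, got {impact}")
    return probability_score(percent) * impact


def required_approver(score: int) -> str:
    """Lowest role whose risk appetite covers this score."""
    for max_score, role in APPROVAL_LEVELS:
        if score <= max_score:
            return role
    raise ValueError(f"score {score} exceeds the 1..25 range")


def can_accept(role: str, score: int) -> bool:
    """True if the role is at or above the level the score requires."""
    return APPROVAL_RANK[role] >= APPROVAL_RANK[required_approver(score)]


@dataclass
class Risk:
    ref: str
    description: str
    probability_pct: float
    impact: int
    owner: str
    identified: date
    review_every_days: int
    controls: List[str] = field(default_factory=list)
    accepted_by: Optional[str] = None      # role that accepted the risk
    last_reviewed: Optional[date] = None

    @property
    def score(self) -> int:
        return risk_score(self.probability_pct, self.impact)

    def next_review(self) -> date:
        base = self.last_reviewed or self.identified
        return base + timedelta(days=self.review_every_days)


def register_report(register: List[Risk], today: date) -> List[Tuple[str, str, str]]:
    """Return (ref, issue, detail) for risks accepted below the required
    level, risks nobody has accepted yet, and risks whose review is overdue."""
    findings = []
    for r in register:
        needed = required_approver(r.score)
        if r.accepted_by is None:
            findings.append((r.ref, "unaccepted", f"score {r.score} needs {needed}"))
        elif not can_accept(r.accepted_by, r.score):
            findings.append((r.ref, "insufficient_approval",
                             f"accepted by {r.accepted_by}, score {r.score} needs {needed}"))
        if r.next_review() < today:
            findings.append((r.ref, "review_overdue", f"due {r.next_review()}"))
    return findings


def sample_register() -> List[Risk]:
    """Constructed sample entries, not real data."""
    return [
        Risk("R1", "Unpatched remote-access appliance", 70, 4, "IT ops",
             date(2024, 1, 15), 90, ["network ACLs"], accepted_by="department head"),
        Risk("R2", "Lost laptop (disk encrypted)", 45, 1, "IT support",
             date(2024, 3, 1), 180, ["full-disk encryption"], accepted_by="line manager"),
        Risk("R3", "Payment processor outage", 10, 5, "Finance",
             date(2024, 5, 20), 30, []),
    ]


if __name__ == "__main__":
    for ref, issue, detail in register_report(sample_register(), date(2024, 6, 1)):
        print(f"{ref}: {issue} ({detail})")
```

Running it against the constructed register flags R1 twice (accepted one level too low for a score of 16, and overdue for review) and R3 once (not yet accepted), while R2 is within its owner's appetite and inside its review period. The same checks are what a review cycle should ask of every register entry.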
Using a system like this will not make you any more secure. It will not, by itself, allow you to reduce risks but it will enable you and your business to have a better understanding of what risks you face and it will help guide you, and your staff, in taking decisions around risk.
Risk management is not a dark art, it is not something to be avoided and it shouldn’t be difficult. Proper risk management is intimately linked into the rest of your business processes and provides a solid basis for your business to grow.
Use it as much as possible.