This module is about ranking the risks that have been identified, and then deciding what to do about those risks. Please be aware that as assessors, we might make recommendations about what to do with a risk, but whether or not a business deals with a risk is their decision, not ours. Our job is to identify the risk, bring it to the business’s decision, and then document the decision properly.
The relative risk score that you calculated on Worksheet 10 and the probability of the risk occurring are used to help a business determine which risks are most important to them. Our jobs as assessors is to present these risks to the business in a manner that they can easily understand. A good visualization technique for this is to use a heat map. If you are unfamiliar with a heat map, here’s a link to a good introduction:
http://www.cgma.org/Resources/Tools/essential-tools/Pages/risk-heat-maps.aspx?TestCookiesEnabled=redirect (Links to an external site.)Links to an external site.
Octave Allegro Step 8 Activity 1 shows a Relative Risk Matrix, which is in essence a heat map though it lacks some of the visual qualities. This matrix could easily be created in Word, though I would reverse the X-axis if I were to use it. Additionally, there is a sample heat map posted in the Security Risk Assessment module on Canvas. I created this sample using Microsoft Visio, which all of you should be able to download from DreamSpark.
After you have ranked the risks for your business, you should create a heat map before you review the risks with the business. Using a visual tool such as this will help the manager to understand the risks in relation to each and make better decisions concerning the risk. Regardless of the tool you use, the visual aspect of a heat map will help you communicate your findings.
Dealing with Risks
When the assessor has the risks scored and the heat map created, it’s time to meet with the manager and see what the manager wants to do with each risk. These decisions are documented on the second page of Worksheet 10. The manager has four choices for each risk: Accept, Defer, Transfer, and Mitigate. These decisions should be made based on the risk’s impact value and probability of occurrence, the X- and Y-axes on the heat map.
A business will most likely accept the majority of risks identified during a full-blown risk assessment. If you remember the main purpose of a risk assessment, we are trying to help the business spend its limited security dollars on the risks that are most important to it. There are some risks that are too expensive to mitigate. There are other risks that the probability of their occurrence makes the mitigation effort seem unimportant. When I worked in industry, we routinely discounted the bottom 90% of risks. Of the top 10%, we might mitigate the risk by taking proactive steps to prevent the risk from being realized. In other cases, we mitigated the risk by putting a plan in place to deal with the impact of the risk if it were ever realized.
A business might also choose to defer a risk. By deferring a risk, the business plans to mitigate the risk at some point in time in the future. If the business decides to defer a risk, all we do as assessors is document the decision and record the date when the business plans to review the risk again.
It may be possible to transfer a risk to another party. That doesn’t mean a business won’t be impacted were the risk to be realized; it just means that another party will bear the brunt of the impact.
Let’s use car insurance as an example of transferring risk. Most of us that have car insurance also have a deductible amount. If we were to be in an accident, the limit of our risk is the deductible. The insurance company assumes the rest of the risk and pays for auto repairs, medical bills, etc. By having car insurance, we have transferred most of the risk to the insurance company. We may still be hurt or inconvenienced, but the majority of the financial liability has been transferred away from us.
The term ‘mitigate’ throws some students off. Here’s a good definition of mitigate from Merriam-Webster:
to make (something) less severe, harmful, or painful
Octave Allegro offers two ways to mitigate risk:
· You can avoid risk by implementing appropriate controls to prevent threats and vulnerabilities from being exploited.
· You can limit risk by implementing strategies that limit the adverse impact on the organization if a risk is realized.
So if an organization decides to mitigate a risk, one way they can do that is by taking steps to prevent the risk from occurring. For example, if an identified risk concerned the security of a building, an organization could mitigate the risk in several ways. They could hire a security guard, put a fence around the building, install a security system, improve the locks on the doors, and possibly several other things to help secure the building. Another example could be related to protecting the network used for a critical information asset. The organization could install a better firewall, encrypt network traffic, and probably a few other things. All of these activities occur before a risk is ever realized.
Another way to mitigate a risk is to have a good plan in place in case the risk were ever realized. The plan should be detailed and be very explicit about who does what when. For example, if a company were to be hacked and its data stolen, what should they do? At a minimum, there are certain laws that they need to follow. (See this link for an example https://oag.ca.gov/ecrime/databreach/reporting (Links to an external site.)Links to an external site.). Those laws should be referenced in the plan and the actions required by the company should be also be included in the plan. This should include the exact person or persons that will be taking the various actions. On the page referenced by the above link, someone in the company will need to fill out the Data Security Breach Notification form. That person should be mentioned by name in the plan. Before the form can be filled out, quite a bit of information will need to be gathered. The mitigation plan should also include the steps necessary to gather that data. The more detailed a plan is, the easier it is to follow, especially if something catastrophic is happening. It’s not cheap, easy, or fast to create these plans, which is one of the reasons why not all risks get mitigated.