Cyber Risk Management Chronicles, Episode II
Risk management is the process of minimizing or mitigating risk. It begins with identification and evaluation of the various types of risk that an organization faces, determining the probability that these risks will occur, estimating their potential impact, and determining optimal use of resources to monitor and minimize the same. The common purpose of risk management is to safeguard the organization’s mission, finances, and reputation in the face of natural, accidental, and adversarial threats.
Cybersecurity is one category of enterprise risk management. Effective management balances achieving enterprise mission and objectives with optimizing resources (which are always limited) and risk. The below six core phases of risk management are applicable to almost all manner of risk, including cyber risk, and can be applied to any organization, regardless of size or industry:
1. Identify the context. Context is the environment in which the organization operates
as influenced by the risks identified.
2. Identify the risks. This means identifying the comprehensive set of risks and determining which events may impede objectives.
3. Analyze the risks. This involves estimating the likelihood that each identified risk event will occur, and the potential impact of the consequences described.
4. Prioritize the risks. Exposure is calculated for each risk, based on likelihood & potential impact, and the risks are then prioritized based on their exposure.
5. Plan & execute risk response strategies. An appropriate response is determined for each risk, with such decisions informed by guidance from leadership.
6. Monitor, evaluate, and adjust. Continual monitoring ensures that enterprise risk conditions remain within the defined risk appetite levels as risks change.