Effective Risk Management Without Boiling the Ocean

It used to be that information security was an exercise in securing the IT perimeter. You separated defenses into perimeter controls and interior controls. Simple enough.

But in today’s world of hybrid cloud and on-premises environments, DevOps, containerization and virtualization, the question arises: How do you know where your own perimeter is? And perhaps more importantly, how can you protect a perimeter that changes daily?

Risk management

The short answer is with effective risk management. The slightly longer answer is that the perimeter is defined by the risks in your risk register.

A risk register is a central repository of information about the risks that matter most to your IT environment and your enterprise. It is analogous to the configuration management database (CMDB) at the heart of most IT service management (ITSM) efforts and solutions.

Risk management is an exercise in self-awareness. For example, do you know where your data is stored, who your vendors are, or what systems are used to process customer records?

In our world of increasingly complex deployments, understanding and managing IT risk is what actually defines perimeter protection.

Boiling the ocean

Unfortunately, many risk management processes might make you feel like you have to manage ALL the risks immediately—definitely a “boil the ocean” type of feeling. If you are responsible for the risk management process at your company, one of the things that executives will ask is, “How are we doing?”

What they are asking is to get some insight into how mature the risk management process is, or where your company is with respect to risk.

Think of it this way. If you could measure risk management maturity on a thermometer dipped in the ocean, with the freezing point representing “just starting the risk management process” and the boiling point representing “we understand and actively manage our risks,” how close is our company to boiling the ocean?

In order to answer that question, you need to think of risk management as two separate metrics.

Two metrics for measuring risk management

  • Metric one: Onboarding new risks into your risk register. The simple fact that you are adding risks to the list is a measure of your maturity.
  • Metric two: Processing risks through the factory in order to get each of your risks from a sentence on a piece of paper to a managed activity.

For reference, I use this simplified risk management process illustrated in Figure 1 and summarized below as the initial steps toward risk processing.


Figure 1 – Risk Management Process

Risk Process

There are six steps in the risk management process. At a high level, they are as follows:

I – Risk Identification: Quite simply, this is where you write down a risk. Adding a risk to your risk list or risk register allows you to track or follow the risk throughout the remainder of the process.

II – Risk Scoring: Providing metrics in terms of likelihood and impact will help you to prioritize your risks and allow you to concentrate on those most meaningful to your enterprise.

III – Mitigation Strategy: Once identified and prioritized, each meaningful risk requires a mitigation strategy. Michael Herrera is a former regional VP at Bank of America and the CEO of MHA, a leading provider of business continuity, disaster recovery, and risk assessment services. He has defined four primary types of risk mitigation.

  1. Risk Acceptance: Risk acceptance does not reduce any effects, but is still considered a mitigation strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
  2. Risk Avoidance: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options. In a sense, it is also sometimes the most risky mitigation strategy, as no enterprise can successfully avoid all risks indefinitely.
  3. Risk Limitation: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It combines a measure of risk acceptance with a measure of risk avoidance. An example of risk limitation would be a company accepting that a disk drive may fail, and limiting the length of the outage by making comprehensive backups on a regular schedule and testing that they restore.
  4. Risk Transference: Risk transference hands the risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies. Note that a contract transfers the operational burden, not your accountability to customers or regulators, so a transferred risk still belongs in the register.

IV – Control Identification: Assuming you select Avoidance or Limitation as a strategy, there is some set of actions that the company needs to identify and perform. These are the controls for the risk.

V – Control Implementation: This is the activity of making changes to your environment, to address the risk. The process follows a regular project or change management program.

VI – Audit: Audit measures how effective and complete your control implementation is.

Note that the process is cyclical. When an audit is complete, it’s time to start over again with the specific risk and reassess.

Risk Maturity

In order to measure how mature your risk management program is, you need to track and graph the addition of risks to the risk register, and the steps completed for those risks, over time. When you do, you will end up with a graph like the one shown in Figure 2 below.


Figure 2 – Risk Awareness and Maturity Timeline

The blue line is the actual count of risks in your register for each time period; it represents the organization’s risk awareness. In the early stage of risk management there is hyper-growth in risk awareness, because the process is focused on identifying and cataloging risks that people in the organization largely understand but have never written down. This is called the “Risk Catalog” stage of the Risk Awareness Phase.

The blue line has a point of inflection where the addition of new risks slows down: the rate of new entries peaks and begins to fall (the second derivative crosses zero). At this point the organization begins to focus more attention on processing risks than on simply writing them down.

The second line on the graph represents how far the register’s risks have been processed: the cumulative count of process steps completed across all risks, scaled so that one complete pass through steps I–VI counts as one. This stage is known as Risk Assessment and is characterized by moving the backlog of risks through the process.

When the risk awareness line and the risk maturity line cross, your organization has, on average, been through the risk management process once for each risk. This is the indicator that you have entered the Risk Management Phase. Risk identification is no longer the primary focus; the main focus is now managing the known risks, and there are far more known risks than unknown ones. This is the final, steady-state operational phase for risk management.

The process of risk management is the moving of risks through the assessment, remediation and audit phases. As you progress farther down the line toward Risk Management, your organization has more confidence that you understand the dynamic security perimeter, and that you are taking appropriate steps to defend it.
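The six-step process and the two maturity metrics above can be captured in a small risk register. What follows is an added example written for this page, not code from the original post or from MHA. The `Step` enum, the `RiskRegister` class, the 1 to 5 likelihood and impact scales, the constructed seven-period scenario, and the choice to count steps II through VI scaled to full-pass equivalents (so that the maturity line crossing the awareness line means one pass per risk on average) are all assumptions of the example. Acceptance and transference are modeled as recording no controls, since the post asks for controls only under avoidance or limitation.

```python
"""Toy risk register: each risk moves through the six-step process in order and the
register reports the post's two metrics per period (risks on the register, and
processing steps completed). Added example; risks, scores and timeline are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple

class Step(IntEnum):
    IDENTIFIED = 1            # I   written into the register
    SCORED = 2                # II  likelihood x impact assigned
    STRATEGY_CHOSEN = 3       # III accept / avoid / limit / transfer
    CONTROLS_IDENTIFIED = 4   # IV  actions the company must take
    CONTROLS_IMPLEMENTED = 5  # V   changes made through change management
    AUDITED = 6               # VI  effectiveness measured; the cycle restarts

STRATEGIES = {"accept", "avoid", "limit", "transfer"}

@dataclass
class Risk:
    rid: str
    description: str
    added_period: int
    likelihood: int = 0            # 1 (rare) .. 5 (almost certain)
    impact: int = 0                # 1 (negligible) .. 5 (severe)
    strategy: str = ""
    controls: List[str] = field(default_factory=list)
    step: Step = Step.IDENTIFIED
    events: List[Tuple[Step, int]] = field(default_factory=list)   # (step reached, period)
    @property
    def score(self) -> int:
        return self.likelihood * self.impact

class RiskRegister:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
    def _advance(self, rid: str, expected: Step, new: Step, period: int) -> Risk:
        risk = self.risks[rid]     # steps are taken in order; skipping one is an error
        if risk.step != expected:
            raise ValueError(f"{rid} is at {risk.step.name}, expected {expected.name}")
        risk.step = new
        risk.events.append((new, period))
        return risk
    def identify(self, rid: str, description: str, period: int) -> Risk:      # I
        if rid in self.risks:
            raise ValueError(f"{rid} already registered")
        risk = self.risks[rid] = Risk(rid, description, period)
        risk.events.append((Step.IDENTIFIED, period))
        return risk
    def score(self, rid: str, likelihood: int, impact: int, period: int) -> None:  # II
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")
        risk = self._advance(rid, Step.IDENTIFIED, Step.SCORED, period)
        risk.likelihood, risk.impact = likelihood, impact
    def choose_strategy(self, rid: str, strategy: str, period: int) -> None:  # III
        if strategy not in STRATEGIES:
            raise ValueError(f"unknown strategy {strategy!r}")
        self._advance(rid, Step.SCORED, Step.STRATEGY_CHOSEN, period).strategy = strategy
        if strategy in ("accept", "transfer"):
            # Assumption: the post calls for controls only under avoid/limit, so
            # accept/transfer record no controls and go straight to audit.
            self._advance(rid, Step.STRATEGY_CHOSEN, Step.CONTROLS_IDENTIFIED, period)
            self._advance(rid, Step.CONTROLS_IDENTIFIED, Step.CONTROLS_IMPLEMENTED, period)
    def identify_controls(self, rid: str, controls: List[str], period: int) -> None:  # IV
        if not controls:
            raise ValueError("avoid/limit needs at least one control")
        self._advance(rid, Step.STRATEGY_CHOSEN, Step.CONTROLS_IDENTIFIED, period).controls = list(controls)
    def implement_controls(self, rid: str, period: int) -> None:              # V
        self._advance(rid, Step.CONTROLS_IDENTIFIED, Step.CONTROLS_IMPLEMENTED, period)
    def audit(self, rid: str, period: int) -> None:                           # VI
        risk = self._advance(rid, Step.CONTROLS_IMPLEMENTED, Step.AUDITED, period)
        risk.step = Step.IDENTIFIED    # cyclical: back to the top for reassessment
    def awareness(self, period: int) -> int:
        """Metric one (blue line): risks on the register at the end of a period."""
        return sum(1 for r in self.risks.values() if r.added_period <= period)
    def maturity(self, period: int) -> float:
        """Metric two: steps II..VI completed by period end, in full-pass equivalents."""
        return sum(1 for r in self.risks.values() for s, p in r.events
                   if s != Step.IDENTIFIED and p <= period) / (len(Step) - 1)

def crossover_period(reg: RiskRegister, last: int) -> Optional[int]:
    """First period in which the maturity line reaches the awareness line."""
    return next((p for p in range(1, last + 1) if reg.awareness(p) and reg.maturity(p) >= reg.awareness(p)), None)

def build_sample_register() -> RiskRegister:
    """Constructed seven-period scenario; every risk, score and control is hypothetical."""
    reg = RiskRegister()
    reg.identify("R1", "customer DB on unencrypted disks", 1)
    reg.identify("R2", "payroll run on an aging in-house system", 1)
    reg.identify("R3", "containers built from unpinned base images", 1)
    reg.identify("R4", "legacy FTP endpoint exposed to the internet", 2)
    reg.score("R1", 5, 4, 2); reg.score("R2", 2, 5, 2)
    reg.score("R3", 3, 3, 3); reg.score("R4", 4, 4, 3); reg.choose_strategy("R1", "limit", 3)
    reg.identify_controls("R1", ["full-disk encryption", "nightly encrypted backups"], 4)
    reg.choose_strategy("R2", "transfer", 4); reg.choose_strategy("R3", "limit", 4)
    reg.implement_controls("R1", 5); reg.choose_strategy("R4", "avoid", 5)
    reg.identify_controls("R3", ["pin base images by digest", "scan images in CI"], 5)
    reg.audit("R1", 6); reg.audit("R2", 6); reg.implement_controls("R3", 6)
    reg.identify_controls("R4", ["retire the FTP host", "firewall deny rule"], 6)
    reg.audit("R3", 7); reg.implement_controls("R4", 7); reg.score("R1", 2, 4, 7)  # R1's second pass
    return reg
```

Calling `build_sample_register()` and then `awareness(p)` and `maturity(p)` for p = 1 to 7 reproduces the shape of Figure 2: awareness jumps to 4 by period 2 and stays flat, while maturity climbs from 0.4 to 4.0, and `crossover_period(reg, 7)` returns 7, the period in which this register enters the Risk Management phase. The ordering check in `_advance` rejects any attempt to skip a step, which is the cheap way to keep the “managed” count honest.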
