Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Today’s discussion is going to center around risk management. Wait…didn’t we just release a TomCast about this same topic two weeks ago? No, that was about vulnerability management which is a PART of risk management.

Risk management is defined by Oxford as the forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact. So, vulnerability management helps evaluate a portion of the organizational risk and provides (hopefully) a procedure that will minimize the impact of that risk.

Risk management overall, however, deals with many different aspects of business outside of simple vulnerability management. Business objectives must be known in order to conduct a proper risk assessment of the organization. A business impact analysis can also be performed to better understand risks to specific parts of the business.

Typically, risk management focuses on the identification of risks that will adversely impact the business objectives. If the main business objective is revenue from sales of a specific product, then what risks exist within the organization that could or would adversely impact the product itself, the sales team or sales functions, or the revenue stream?

All too often, risk management is confused or muddied with compliance. Compliance, while very important to many organizations and a requirement in many different areas of business, focuses on checking the box to ensure this rule or that process is in place. Compliance can and usually will be obtained in a comprehensive, risk management-focused organization, but not the other way around. Compliance does not address total organizational risk.

So, diving back into the Oxford definition, what is forecasting and evaluation of risk? As an example, we’ll use the following scenario: Company Bravo builds high-end gaming computer systems for home consumers. Company Bravo purchases motherboards from a third party and has them delivered to their warehouse every two weeks. They purchase memory from a different provider that delivers every two weeks. Company Bravo assembles the systems in their own warehouses, then they ship them when they receive purchase agreements from consumers.

The vendor relationships they have in place have been established for years. Each vendor has gone through extensive assessments to ensure they are compliant with each requirement of Company Bravo. Knowing these things, let’s forecast some risks.

  • Supply chain risks
    • If either vendor experiences a problem in the manufacturing of their products, that could adversely impact shipping times and delivery, which delays the assembly of the systems, resulting in the inability to deliver the finished product. Does this adversely impact the business objective? You bet it does.
  • Physical security risks
    • The warehouses Company Bravo owns to assemble and ship the finished products could possibly experience a break-in, which could result in the theft of products or sensitive data. Could this adversely impact the business objective? Absolutely.

Those are two simple risks that are forecasted as possibilities that should be addressed sooner rather than later. What about the evaluation of current risk?

  • Company Bravo employs a diverse workforce, the bulk of which are hourly employees. The contracts of the hourly employees contain a mandatory overtime clause requiring them to work overtime during peak season sale periods to ensure the delivery of finished systems on time. Workdays can extend into the 12-16 hour-a-day timeframe during these periods. Is this a risk? Yes, it is. Why?

Understanding the workforce and the business objectives would show that having employees working mandatory long days/shifts could possibly result in fatigue and/or burnout, which would have an adverse impact on productivity from those employees. This is a risk to the main business objective since the productivity could decrease.

See? Risk management isn’t just focused on specific areas within an organization like information technology. Risk management deals with overall risk to everything that could possibly impact the core business objectives.

Ok, so risks have been forecasted and evaluated, now what?

Now the risks must be identified for either avoidance, reduction, transference, sharing, or acceptance.

  • Avoiding the risk is the best way to manage the risk, as it is no longer a risk.
  • Reduction is second, as reducing the risk reduces the impact to the business objectives.
  • Transferring risk is similar to avoidance, but the risk still exists for the organization. It is just now “someone else’s problem”. For example, you have an on-premises data center, and you elect to migrate to the cloud. Risks surrounding the power management of the systems are still there, but now the risk has been transferred to the cloud provider.
  • Sharing of the risk means the risk is balanced between one organization and another (possibly a vendor). The risk could adversely impact both, so it needs to be addressed by both.
  • Acceptance is just that. The risk identified cannot be avoided, reduced, transferred, or shared, so it must be accepted.

Risk management is a comprehensive way to ensure that the business knows what possible pitfalls are present and coming down the road, which ensures that the business is as prepared as possible in case of adverse impact.

We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!