There are a lot of buzzwords and hot topics in the cyber security industry but there’s one thing we GRC professionals can not agree upon … risk assessments. Some people start with a pre-built risk register while others start by conducting internal surveys. Some re-assess risk annually, some use mathematical equations and some still use spreadsheets! But no matter how you conduct your risk assessments it is critical to ensure the data being presented is repeatable, accurate and put in the context of your business.
And while we may never get a universal method for conducting risk assessments, we should all constantly evaluate our current process and look for areas for incremental improvement. The way I see it, there are five places that could be giving you trouble.
5) Risk assessments timing
Let’s start by talking about when and how often you should conduct risk assessments. The answer to this is very simple and yet utterly complicated. The reality is, risk assessments can not be scheduled or predicted. Risk assessments should be conducted continuously over time as circumstances change and evolve.
In a recent study by EY global, “More than three in four (77%) respondents to this year’s GISS warn that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months.” And yet, in the EY Global Board Risk Study 2021, “just 9% of boards declared themselves extremely confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major cyber-attacks – down from 20% last year.” This is due largely to the fact that risk is not being assessed continuously resulting in inaccurate board reporting.
Take, for example, an organization that conducts an annual risk assessment and creates a baseline risk register. At the time of the report, the average residual risk was within their tolerance and necessary risk treatment plans were created. What happens if a month later the underlying threat increases? The risk is now much more likely to occur and the impact will be worse. Or what if a risk was well controlled at the time of the assessment, but three months later that control fails as part of an internal audit? Simply put, conducting risk assessments on a set cadence creates blind spots and a false sense of security.
When you continuously monitor risk and provide real-time data to your board, you are able to communicate in a language they understand which will ultimately drive process improvement, critical decision making, budgeting and resource allocation.
So when should you conduct a risk assessment? All the time!
4) Overly complicated risk calculations
When it comes to risk calculation methods, less is more! Utilizing quantitative risk assessments can ensure uniformity and aid in metrics and trending. However, the more factors and vectors you have, the more subjectivity you are adding to the process, especially if they aren’t well defined. When determining what method is right for your organization, begin with the basic calculation of impact and likelihood. Before adding additional factors and vectors, ask yourself “why”? “Why is this important or relevant to the risk?” If you don’t have a good answer, keep it out!
Once you have your calculation method set, consider running some calibration tests. Have multiple members of your team assess the same risk and see if all team members get the same score. If they didn’t, it’s time to reassess the method and/or definitions.
3) Ambiguous risk scoring
Now that you have your risk calculation method, it’s time to jump in to assessments, right? Wrong! You also need to consider the various types of risks across your organization and ensure clearly documented score factors are defined. Consider the following:
Your organization wants to implement eCommerce capabilities in a new region.
| Company Wide Objective | Your Objective |
|---|---|
| Deploy eCommerce site to enable customers around the world access to our products | Secure the application and infrastructure to protect the customer’s data |
As you begin to look at the risks, you may consider things like vulnerability exploitation, phishing attacks that lead to ransomware or unauthorized data access by a new vendor. Your counterpart on the finance team may be concerned about interest rate changes and the risk that imposes on profits. And your marketing team may be worried about reputational risk.
Now ask yourself, on a scale of 1-5, how will the three of you determine the impact of each of those risks? What does it truly mean to be a 1 or a 4? And what if the risk impacts different areas of the organization, like finance and marketing, differently?
This is why it is critical to have documented quantitative definitions of risk scoring that you are able to communicate in the context of your business objectives.
Impact Matrix Example:
| Level | Data Risk | Financial | Reputation |
|---|---|---|---|
| 5 | Breach of more than 10% of customer data records | Revenue loss over $1,000,000 | Reported globally |
| 4 | Breach of less than 10% of customer data | Revenue loss $100,000-1,000,000 | Reported nationally |
| 3 | Breach of less than 1% of customer data | Revenue loss $10,000-100,000 | Reported regionally |
| 2 | Breach of confidential information | Revenue loss $1,000-10,000 | Reported to less than 50% of customers |
| 1 | Breach of public data | Revenue loss less than $1000 | Reported to less than 10% of customers |
Remember, the company’s goal is to deploy an eCommerce site to enable customers around the world access to your products. When everyone keeps that goal in mind when assessing risk against a common set of criteria, your data becomes more accurate and your board becomes more confident.
2) Risk aggregation and reporting
So far you’ve created your calculation method, conducted assessments in the context of your goals and you have your results. Now it’s time to aggregate and present the data to leadership. Many of us rely on a risk heat map or matrix to demonstrate the number and severity of risks. However, a heatmap alone lacks actionable data and provides little detail for the board to base decisions on.
In order to empower your board to make data-driven decisions, you need to frame your reporting in the context of your business goals. It isn’t enough to know how many risks we have, boards need to understand how well we are reducing the risk to your assets-which in this case is your customer’s data. When you change the conversation in this way, you are able to view side-by-side what areas of your business need attention and put measures in place to proactively address them.
An additional layer of reporting should also be utilized for tracking the activities throughout the risks’ lifecycle. This ensures proper oversight and visibility throughout the organization.
1) You’re not doing it using the Reciprocity ROAR Platform
The newly released Reciprocity® ROAR Platform was built to help you reach Risk Management utopia. Unlike any other risk management platform out there, you start with your business objectives. Our cyber assurance programs center on your business and allow you to use our pre-installed, expert-built content to build a program that—with the end goal in mind from the beginning—gets you to your desired outcome with less effort.
We believe so much in our risk and compliance solution that we’re giving it away for free. Seriously. Try it free now!
Or if you prefer to schedule a live demo, we’d love to walk you through the ROAR Platform. Sign up for free demo.