Risk Management


Topics Covered

This section covers the following topics:

  • Understanding what risk there is to manage

  • How risk management applies in a corporate context

  • Viewing risk management through ISO/IEC 27005 guidelines

  • Defining different levels of risk

  • Practicing risk treatment

Meet Murphy

He’s the personified troublemaker of all things progressive, the mischief-maker of innovation, the gremlin of ingenuity, the firebrand of progress. Those unaware and ignorant of his sting suffer loss and setback. Though he is as old as humanity, his power to bully has trended upward in recent years, concomitant with humanity’s upward trend to build complex, integrated, global systems.

Murphy’s adage is quoted by many: “If anything can go wrong, it will.” And as the world grows increasingly complex and interconnected, Murphy’s adage is proven true, without prejudice to frontiers or national boundaries, capturing headlines throughout the years.

  • Environmental catastrophic events such as Chernobyl, Deepwater Horizon or Fukushima.

  • Financial disasters such as Enron, WorldCom, Olympus.

  • Data breaches such as Aadhaar, Equifax, NATO, Marriott Starwood, Cambridge Analytica, and so many more.

But how did these events occur? Is Murphy an unusually clever foe, or are there other factors that could be mitigated to avoid future blows to progress and security in a democratic society?

The answer rests in understanding and practicing risk management: in each of these cases, the lack of a risk governance framework resulted in corporate governance failures. A study by the OECD found that “boards did not fully appreciate the risks that the companies were taking, if they were not engaging in reckless risk-taking themselves, and/or deficient risk management systems” (OECD, 2014, p. 10).

The OECD adds that “effective risk management is not about eliminating risk taking, which is indeed a fundamental driving force in business and entrepreneurship. At the same time, the need to strengthen risk management practices has been one of the fundamental driving forces in business and entrepreneurship” (Ibid., 13).

Introducing Risk Management

Whether realising it or not, everyone manages risk based upon several factors, often tracking to the following workflow: identifying risk, analysing risk, evaluating risk and treating risk.

On a personal level, individuals perform risk management functions every day, making risk-based decisions according to their personal risk acceptance levels for a given hazard, e.g. whether or not to participate in a white-water rafting trip, and perhaps mitigating the risk by wearing a life jacket during the event.

Yet at a corporate level, risk management follows a formal process similar to the workflow above, aligned to a “best practice” accepted in the industry, such as:

  • NIST Risk Management Framework, SP 800-37 Rev 2

  • ISO/IEC 27005:2011

There are other risk management frameworks in operation today, such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the IT Infrastructure Library (ITIL), the Control Objectives for Information and related Technology (COBIT), the CCTA Risk Analysis and Management Methodology (CRAMM), the Facilitated Risk Analysis Process (FRAP), and OCTAVE from Carnegie Mellon University’s Software Engineering Institute. But at Allendevaux & Company, we normally employ one of two methodologies in information security risk management: NIST or ISO/IEC 27005.

For the remainder of this guidance article, we will focus on best practices associated with ISO/IEC 27005.

[Figure: Risk Assessment]

ISO/IEC 27005: Apply Standardised Best Practices to Measure Risk

The International Organization for Standardization, jointly with the International Electrotechnical Commission, formed a joint committee called ISO/IEC JTC 1, which prepared guidelines for information security risk management in an organisation, especially in relation to an information security management system. The guidelines help organisations follow a systematic approach to identify, measure and lower risk, reducing the chances that Murphy’s Law will adversely affect a service, system or integrated complex system.

At Allendevaux & Company, we normally conduct a risk assessment at the outset of an engagement when implementing a data protection programme. Doing this enables the enterprise to understand its exposure to untreated risks; this is also called inherent risk, representing the amount of risk that exists in the absence of controls.

Measuring Inherent Risk

Understanding the inherent risk in a system is a fundamental starting point because it indicates the current risk level given the existing set of controls (or absence of controls). We measure risk because (a) it is difficult to improve upon something that isn’t measured, and (b) it is helpful to monitor improvement in risk over time as new controls are implemented that lower it. Conducting periodic risk assessments is also a legal requirement under many regulations around the world.

[Figure: Inherent Risk]

In the inherent risk diagram, a simple colour-coding schema has been applied:

  • Red = unacceptable risk, requiring treatment so that the risk can be lowered;

  • Yellow = moderate risk, where the organisation will need to determine whether a moderate risk level is acceptable for its risk appetite, or whether the risk needs to be lowered further; and

  • Green = risk still exists, but the chance of occurrence (or its impact) is within acceptable risk levels for the organisation.

When measuring risk, many think only of technological systems, platforms and networks, that is, technology-based assets. But risk management practice under ISO/IEC 27005 goes beyond this. A holistic approach to risk management evaluates the risk that may exist across these categories:

  • key stakeholders and personnel

  • workflow processes that empower practices

  • systems and platforms

  • key suppliers and partners

To ensure continuity of operations, the potential for risk to impact these four areas must be evaluated. Risk comes in many forms, including but not limited to:

Forms of Risk That May Affect People, Process, Platforms & Partners

  • viruses and malware

  • cascading errors

  • movement such as vibrations and jarring

  • intentional attacks

  • reorganisation

  • epidemic

  • disgruntled personnel

  • user errors

  • earthquakes

  • misuse of data

  • floods and water outages

  • intruders

  • hurricanes

  • social engineering

  • tornadoes

  • equipment failure

  • tsunamis

  • fire

  • theft

  • volcanoes

  • ransomware

  • physical damage such as cable severing

  • changes with change management process

  • processing errors and buffer overflows

  • personnel privilege abuse

  • temperature extremes

  • energy anomalies (radio frequencies, power loss or surges)

  • loss of data

  • information warfare

  • bankruptcy

  • supply chain failure

In risk management, these potential threats form part of the threat model, which shows how they can endanger any asset, whether related to people, processes, platforms or vendors.

It’s helpful to follow the threat model starting with the tag “Assets” and read clockwise as follows:

“Assets can be endangered by threats, exploited by vulnerabilities, resulting in exposure, creating risk. Risk is mitigated by applying safeguards (controls), resulting in the protection of assets, which lowers risk.”

The threat model is the central fabric for understanding how assets are endangered and how they can be protected. It also provides an excellent way of understanding the key terms: assets, threats, vulnerabilities, exposure, risk and safeguards (controls).

Measuring Risk

There are different methodologies that can be used to measure risk. While it is beyond the scope of this article to articulate the steps, it is worthwhile to understand the two approaches that can be adopted: the qualitative and the quantitative risk assessment methodologies.

First, the qualitative risk assessment methodology prioritises risk using a predefined rating scale, so that risks are scored on their probability or likelihood of occurrence, followed by the impact that would unfold should the event happen. This is the most common approach used in risk analysis.

 

Second, the quantitative risk assessment methodology assigns an empirical rating to a risk using a formula. For example, if an organisation wants to calculate its Annual Loss Expectancy (ALE) for a platform that was purchased for 250,000 euros and invoices 2 million euros, potentially exploitable on a bi-monthly basis, the calculation is as follows:

ALE = Annual Rate of Occurrence (ARO) x Single Loss Expectancy (SLE); or ALE = ARO x SLE

 

  • the ARO can be exploited six times per year;

  • the SLE = 250,000 euro

  • the ALE = 1.5 million euro

 

The risk becomes measurable, but on an economy of scale, this methodology is often difficult to calculate across many assets, because values of assets changes as depreciation occurs, including upkeep costs that contribute to the true number. At Allendevaux & Company, we usually employ the qualitative method of assessing risk, following this process:

  • identify assets to protect

  • create an asset inventory

  • identify potential threats

  • note any vulnerability

  • measure exposure

  • calculate exposure factor (EF)

  • calculate residual risk in terms of the likelihood that a threat will be exploited (risk = threat x vulnerability)

  • assess the annualised rate of occurrence (ARO)

  • determine safeguards

  • apply risk assignment and acceptance/rejection criterion

  • select countermeasures to apply as controls

  • generate residual risk values

We track these values in a matrix, as seen here, recording the impact on the confidentiality, availability and integrity of each asset.

[Figure: Risk Matrix]

There are numerous software applications that can help streamline risk analysis calculations, whether employing the quantitative or the qualitative methodology. But oftentimes, for smaller or mid-sized organisations, using a spreadsheet to create a matrix is an acceptable practice. We can provide a template to get you started if you want to perform this exercise internally within your organisation.
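The qualitative process above, together with the ALE formula from the quantitative example, worked through as an added Python example. This is not Allendevaux & Company’s template or tooling: the 1–5 likelihood and impact scales, the colour-band cut-offs (red at 15 and above, yellow at 8 and above), the effect each control has on the score, and the sample assets in the register are all assumptions constructed for illustration. It shows inherent risk (no controls), residual risk after controls, and the "keep applying treatment until the rating is within appetite" loop; note that the residual score never drops to zero, since each factor floors at 1.

```python
"""Qualitative risk matrix with inherent vs residual risk, plus ALE.

Added example (not Allendevaux & Company's own tooling or template); the
scales, thresholds, control effects and sample assets are constructed.
"""
from dataclasses import dataclass, field

# Ordinal 1-5 scales for a qualitative rating scheme (assumed, not from the article).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating(score: int) -> str:
    """Map the likelihood x impact product (1-25) onto the article's colour bands.
    The cut-offs 15 and 8 are an assumption; each organisation sets its own."""
    if score >= 15:
        return "red"      # unacceptable: treatment required
    if score >= 8:
        return "yellow"   # moderate: acceptable only if within risk appetite
    return "green"        # within acceptable levels, though risk still exists


RATING_ORDER = {"green": 0, "yellow": 1, "red": 2}


@dataclass
class Control:
    name: str
    kind: str                     # administrative | technical | physical | legal
    likelihood_reduction: int = 0  # how many scale steps the control removes (assumed)
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    affects: tuple                 # subset of ("C", "I", "A")
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def _score(self, controls) -> int:
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for c in controls:
            lik = max(1, lik - c.likelihood_reduction)  # never below 1: some risk remains
            imp = max(1, imp - c.impact_reduction)
        return lik * imp

    def inherent(self) -> tuple:
        """Risk in the absence of controls."""
        s = self._score([])
        return s, rating(s)

    def residual(self) -> tuple:
        """Risk remaining after the applied controls."""
        s = self._score(self.controls)
        return s, rating(s)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative method: ALE = ARO x SLE, as in the article's example."""
    return sle * aro


def treat_until_acceptable(risk: Risk, candidates: list, appetite: str = "yellow") -> list:
    """Apply candidate controls in order until the residual rating is within appetite.
    Returns the names of the controls actually applied."""
    for control in candidates:
        if RATING_ORDER[risk.residual()[1]] <= RATING_ORDER[appetite]:
            break
        risk.controls.append(control)
    return [c.name for c in risk.controls]


def sample_register() -> list:
    """Constructed asset register; values are illustrative, not from a real assessment."""
    return [
        Risk("customer database", "ransomware", "unpatched file server",
             ("C", "A"), "likely", "severe"),
        Risk("payroll process", "user error", "no four-eyes check on payment runs",
             ("I",), "possible", "major"),
        Risk("office comms room", "water leak", "no leak detection or raised floor",
             ("A",), "unlikely", "moderate"),
    ]


def treatment_report(register: list, plan: dict) -> list:
    """Rows of (asset, inherent rating, residual rating, controls applied) for a matrix."""
    rows = []
    for risk in register:
        before = risk.inherent()[1]
        applied = treat_until_acceptable(risk, plan.get(risk.asset, []))
        rows.append((risk.asset, before, risk.residual()[1], applied))
    return rows


if __name__ == "__main__":
    plan = {  # candidate controls per asset (constructed)
        "customer database": [
            Control("patch management procedure", "administrative", likelihood_reduction=1),
            Control("offline, tested backups", "technical", impact_reduction=2),
            Control("EDR on file servers", "technical", likelihood_reduction=1),
        ],
        "payroll process": [Control("dual authorisation", "administrative", likelihood_reduction=1)],
    }
    for row in treatment_report(sample_register(), plan):
        print(row)
    print("ALE (euro):", annual_loss_expectancy(250_000, 6))
```

Running it shows the customer database moving from red to yellow after two of its three candidate controls, the payroll process left untouched because it is already within a yellow appetite, and the ALE of 1.5 million euro from the article's figures.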

Risk treatment

Applying controls in relation to data protection involves applying safeguards or countermeasures that result in the protection of an asset. Normally the protections (or practices) available to safeguard an asset span these categories:

  • administrative controls, such as writing, implementing and enforcing policies and procedures to be practiced by the organisation, producing repeatable, consistent outcomes that ensure continuity of operations;

  • technical controls, such as enforcing restricted access, encrypting sensitive information in transit and in storage, assigning strong passwords individually, hardening systems, locking down ports, and so on;

  • physical controls, such as implementing systems and mandating procedures to secure and monitor a building, the use of alarmed doors, the employment of fire and smoke detectors, the placement of video cameras in sensitive areas, and other physical safeguards; and

  • legal controls, such as ensuring strong contracts with key vendors, confidentiality agreements with personnel, transborder mechanisms for cross-border jurisdictional flows, data processing agreements, etc.

[Figure: Risk Treatment]

When taken together, these controls aim to safeguard assets, heightening the confidentiality, availability and integrity of services. It should be noted that not all risk can be mitigated; there will always be some risk that remains.

Determining the acceptable level of risk for an enterprise is often driven by factors such as contractual obligations, compliance with geographic regulations such as the GDPR in the EU or the CCPA in California, compliance with sectoral regulations such as HIPAA in the US or MiFID II in the UK, plus the enterprise’s own appetite for risk.

The risk that remains after controls have been applied is the residual risk, which takes us to the next section.

Determining Residual Risk

Once risk has been measured and controls applied, the risk level will be lowered. The lowered value is called the residual risk, and it should be monitored and periodically reassessed to ensure the value remains acceptable to the risk tolerance level of the organisation. As seen in the diagram, the risk “before treatment” vs the risk “after treatment” has been meaningfully improved across each category important to the organisation. Controls should continue to be added until the risk level sits within an acceptable tolerance compatible with the organisation’s risk appetite, also ensuring it meets contractual obligations and regulatory compliance requirements.

Beating Murphy: It Can Be Done

The modern version of Murphy was born at Edwards Air Force Base in 1949, named after Captain Edward A. Murphy. Assigned to work on a United States initiative called Project MX981, the goal was to understand the biological limits of deceleration that could be tolerated in a crash. During the project, a catalogue of “laws” was documented referencing things that went wrong or could go wrong in order to apply mitigations to avoid those circumstances. By using an early systematic approach, the aerospace engineer was able to mitigate risk to an acceptable tolerance level.

Today, risk management methodology has improved, and there are many good books to help practitioners perform comprehensive risk management. To perform a risk management study, be prepared to dedicate time to the task. An inexperienced individual performing a risk analysis for a company of 100 to 200 people can easily spend a few hundred hours coming up to speed and working through the exercises. But in many domains, performing a risk assessment is contractually required or a statutory obligation.

A Brief Recap Before You Leave

  • Risk management is about minimising risks, and taking them effectively when you do need to take them.

  • You need to know your risk and measure it before you can monitor improvement.

  • Risk is an asset in danger. To move assets away from danger you need an effective threat model. 

  • Untreated risk is referred to as "inherent risk" and treated risk is referred to as "residual risk" or the risk that remains.

  • The goal isn't to completely remove all risk, as that's impossible. Your goal is to keep applying treatment until the risk is at an acceptable level according to your regulatory and contractual obligations.

Hey!

Beating Murphy isn't easy but it can be done. If you need help, contact us. We have certified IBITGQ risk assessors to streamline the process. They'll do everything discussed above and more.