What Is Risk Management?
Why is it important to understand your business risk?
Understanding your business risk is critical for enterprises because it gives you visibility into, and thus more control over, the numerous factors and variables that can result in severe, costly and long-term damage. Understanding specific risk factors not only lets a business identify potential threats, losses and disruptions ahead of time; it also helps the business respond to threats appropriately and allocate the right resources and infrastructure to minimize or prevent severe losses.
What are the different types of risk?
There are numerous types of business risk that enterprises face, but some of the most common include operational, financial, compliance, reputational, strategic and security risks.
- Operational risk: Operational risk includes unexpected failures or disruptions in your company’s day-to-day operations, ranging from technical failures such as an outage, to employee errors, fraud or failed procedures and policies.
- Financial risk: Financial risk refers to anything that specifically threatens the money that flows in and out of a business.
- Compliance risk: Because compliance laws change on a regular basis, organizations constantly face the risk that they’ll unknowingly violate regulations and incur steep fines and other damaging penalties.
- Reputational risk: Reputational risk is anything that can cause widespread, long-term damage to a business’s brand or reputation, such as a major lawsuit, a product recall, scandals or other negative publicity, or high-profile criticism of products or services.
- Strategic risk: Strategic risk is something that causes a business to struggle to reach its desired metrics or goals, or causes your company’s strategy to become less effective, due to technological shifts, a new competitor, changes in consumer demand, rapidly increasing overhead or costs of raw materials, or other large-scale changes.
- Security risk: Security risk is an enterprise’s potential to incur loss, damage or destruction of its assets as a result of malware, unauthorized users or other threats infecting the system, exploiting vulnerabilities or stealing or compromising data.
What is the total cost of risk (TCoR)?
Total cost of risk is a quantifiable, controllable number representing the sum of all aspects of an organization's operations that relate to managing risk and incurring losses. This equation includes, among other things, factors such as insurance premiums, deductibles, uninsured losses and related loss adjustment expenses, regulatory fines, internal and external risk-control costs, administrative costs, and taxes and fees. A significant part of understanding risk is the ability to calculate the TCoR for your organization.
Security risks can be sourced to people, such as disgruntled, careless or uninformed employees or third-party providers. Risk can also be attributed to faulty or vulnerable devices and applications, such as mobile devices that have the potential to expose company data to unauthorized users, unpatched or significantly outdated equipment and systems, as well as vulnerable public cloud applications or inadequate security policies.
How does a breach affect risk?
Breaches have severe and often long-term consequences — including increasing kinds of risk — for affected organizations.
A breach or successful cyberattack will almost certainly increase an organization’s financial exposure. Some of the most obvious costs associated with a data breach include financial compensation to victims or replacing money stolen due to the breach. In addition, breached organizations will also have to pay stiff compliance fines from government and regulatory agencies — under GDPR, for example, penalties can reach a maximum of €20 million ($22 million) or 4% of global annual turnover, whichever is greater. What’s more, organizations suffering a breach will inevitably face plummeting share value, while also being forced to pay increased insurance premiums to protect themselves in the event of a breach ever occurring again.
And on top of numerous immediate costs, breaches also have long-term consequences for organizations. Following a breach, the affected company also has to deal with longer-term reputational damage that includes declining consumer confidence, customer attrition and loss of market share to competitors. Also, because data breach victims are susceptible to identity theft if their personal or financial information was compromised, the breached organization could face lawsuits and settlements for months or years to come.
Risk management typically consists of three steps: risk assessment, risk analysis and risk mitigation.
- Risk assessment is the process by which you identify vulnerabilities within your IT infrastructure and network that could result in data loss, revenue loss, downtime/unavailability or compliance penalties. The primary goal is to determine which of the organization’s assets is most likely to be compromised and how.
- Risk analysis is the process of determining how likely it is that your organization will be negatively impacted by an IT security event. This step typically involves threat hunting and penetration testing to uncover vulnerabilities, while also requiring an honest look at current protective measures, and an assessment of the impact these threats have on the business.
- Risk mitigation is the process of planning and taking action to reduce threats and their impact on security, which might include establishing organization-wide policies and procedures, hiring new staff or training existing staff, establishing new controls or adopting new technology. It also requires outlining your security priorities, describing how you’ll resolve the issue and putting corrective actions in place.
One of the critical steps in mitigating security risk is the ability to identify vulnerabilities and detect breaches that leave you susceptible to attack. Regular cyberthreat assessments can lead to early risk detection and mitigation by exposing application vulnerabilities, detecting malware and botnets, and identifying outdated or at-risk devices. In addition, assessments can help you analyze user productivity and determine which apps are being run on the system, while also offering insight into network utilization and performance, including bandwidth usage, to identify suspicious spikes in traffic before harmful disruptions can occur.
- Breach detection: While breach indicators depend largely on the type of attack, there are a few common red flags. Things like unusual login times, surprise restarts, prolonged network latency or otherwise inexplicable heavy traffic, use of unusual software or malfunctioning security applications, and the presence of unrecognized IPs all might indicate that a breach might be occurring or has occurred.
- Identifying vulnerabilities: Unpatched and outdated devices often contain vulnerabilities that open the door to attacks. Many forms of advanced malware can remain dormant indefinitely until triggered — for example, during a reboot or an update, when the system is most vulnerable — and then target any unpatched security vulnerabilities to steal data, conduct cyber espionage or otherwise disrupt the system.
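The breach indicators listed above are the kind of red flags a detection rule can check mechanically. The following is an added example, not code from the original page: it scans a handful of constructed SSH-style authentication log lines for three of those indicators (successful logins at unusual hours, logins from IP addresses outside the organization's known ranges, and repeated failed logins from one source). The log format, the known networks, the business-hours window and the failure threshold are all assumptions chosen for the example.

```python
"""Added example: scan constructed auth log lines for breach red flags.
Not the page's own code; the log format and thresholds are assumed."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines (syslog-like format assumed for this example).
SAMPLE_LOG = """\
2024-03-04T09:12:31 sshd accepted password for alice from 10.0.5.23
2024-03-04T09:15:02 sshd accepted password for bob from 10.0.5.40
2024-03-04T02:47:19 sshd accepted password for alice from 203.0.113.77
2024-03-04T02:48:03 sshd failed password for root from 203.0.113.77
2024-03-04T02:48:05 sshd failed password for root from 203.0.113.77
2024-03-04T02:48:08 sshd failed password for root from 203.0.113.77
2024-03-04T02:48:10 sshd failed password for admin from 203.0.113.77
2024-03-04T14:03:44 sshd accepted password for carol from 10.0.7.8
"""

# Address ranges the organization considers "known" (assumed); anything else is unrecognized.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Local business hours (assumed): inclusive start, exclusive end.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Failed logins from a single source before it is flagged (assumed threshold).
FAILURE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>accepted|failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str
    user: str
    ip: str


def parse_log(text: str) -> list[Event]:
    """Parse lines matching LINE_RE into Event records; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def is_known_ip(ip: str) -> bool:
    """True when the address falls inside one of the known ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def find_indicators(events: list[Event]) -> list[str]:
    """Return one human-readable finding per red flag observed in the events."""
    findings = []
    failures: Counter[str] = Counter()
    for e in events:
        if e.result == "failed":
            failures[e.ip] += 1
            continue
        # Only successful logins matter for the next two checks.
        if not in_business_hours(e.ts):
            findings.append(f"off-hours login: {e.user} at {e.ts.isoformat()} from {e.ip}")
        if not is_known_ip(e.ip):
            findings.append(f"login from unrecognized IP: {e.user} from {e.ip}")
    for ip, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(f"{n} failed logins from {ip}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data this reports the single 02:47 login from 203.0.113.77 twice (off-hours and unrecognized source) and the burst of four failed logins from the same address; the two daytime logins from the internal range produce nothing. In a real deployment the known ranges and hours would come from asset and HR data rather than constants, and a finding would feed the risk repository described later rather than being printed.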
One way that enterprises can comprehensively address risk is via automation, which can apply more power and structure to threat detection and incident resolution. Critical systems such as IT operations, threat and vulnerability management, configuration, compliance auditing and identity governance systems can all be automated as part of the company’s risk management process. Operations and security incidents that occur within these systems can be mapped to IT-risk repositories, allowing incident response teams to assess the level of risk they pose to the organization.
Details about a newly registered vulnerability, for example, can be automatically downloaded into the risk-management solution, which can then trigger an incident investigation and classify the level of the incident’s risk and severity based on a predetermined set of criteria. After the solution classifies the threat, the automated system can trigger the necessary action plan. And if the vulnerability becomes a threat, the solution can also trigger the risk assessment process and use the threat’s CVE number to launch proactive patch management.
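The automated flow described above (ingest an advisory, match it to assets, classify risk against predetermined criteria, trigger the matching action plan) is straightforward to express in code. The following is an added example, not the page's own or any vendor's implementation: the asset inventory, the classification rules, the thresholds and the advisory records are all constructed for the example, and the CVE-style identifiers are placeholders, not real CVE numbers.

```python
"""Added example: automated vulnerability triage against a predetermined rule set.
Not the page's own code; inventory, rules, thresholds and advisories are assumed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    software: str            # product name as it appears in advisories
    criticality: int         # 1 (low) .. 3 (crown jewel), set by the business
    internet_facing: bool


@dataclass
class Advisory:
    cve_id: str              # placeholder identifiers below, not real CVE numbers
    product: str
    cvss: float              # base score, 0.0-10.0
    exploited_in_wild: bool


@dataclass
class Triage:
    cve_id: str
    affected: list[str]
    risk: str                # "none" | "low" | "medium" | "high" | "critical"
    action: str


# Constructed asset inventory (example data).
INVENTORY = [
    Asset("web-01", "ExampleHTTPd", criticality=3, internet_facing=True),
    Asset("build-07", "ExampleHTTPd", criticality=1, internet_facing=False),
    Asset("db-02", "ExampleDB", criticality=3, internet_facing=False),
]

# Predetermined classification criteria, evaluated in order; the first match wins.
# Each rule: (risk level, action plan, predicate over (advisory, any_exposed, max_criticality)).
RULES = [
    ("critical", "emergency patch within 24h; open P1 incident",
     lambda adv, exposed, crit: adv.exploited_in_wild and (exposed or crit == 3)),
    ("high", "patch within 7 days; open incident; notify asset owners",
     lambda adv, exposed, crit: adv.cvss >= 7.0 and (exposed or crit == 3)),
    ("medium", "schedule in next patch window",
     lambda adv, exposed, crit: adv.cvss >= 4.0),
    ("low", "track in backlog",
     lambda adv, exposed, crit: True),
]


def triage(adv: Advisory, inventory: list[Asset]) -> Triage:
    """Match one advisory to the inventory and classify it with RULES."""
    affected = [a for a in inventory if a.software == adv.product]
    if not affected:
        return Triage(adv.cve_id, [], "none", "no affected assets; record and close")
    exposed = any(a.internet_facing for a in affected)
    crit = max(a.criticality for a in affected)
    for risk, action, matches in RULES:
        if matches(adv, exposed, crit):
            return Triage(adv.cve_id, [a.name for a in affected], risk, action)
    raise AssertionError("RULES must end with a catch-all rule")


# Constructed advisories for demonstration (placeholder ids).
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleHTTPd", cvss=9.8, exploited_in_wild=False),
    Advisory("CVE-0000-0002", "ExampleDB", cvss=5.3, exploited_in_wild=False),
    Advisory("CVE-0000-0003", "ExampleMailer", cvss=8.1, exploited_in_wild=True),
]


def run_pipeline(advisories: list[Advisory] = ADVISORIES,
                 inventory: list[Asset] = INVENTORY) -> list[Triage]:
    """Triage every advisory; the returned records would feed the risk repository."""
    return [triage(a, inventory) for a in advisories]


if __name__ == "__main__":
    for t in run_pipeline():
        print(f"{t.cve_id}: {t.risk:8} affected={t.affected} -> {t.action}")
```

The point of separating the rule table from the matching code is that the "predetermined set of criteria" the page mentions becomes data that risk owners can review and change without touching the pipeline, and every classification is reproducible from the advisory, the inventory and the rule version in force at the time. Note also that the same advisory is classified differently depending on what it touches: an internet-facing crown-jewel host and a lab box running the same software do not carry the same risk.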
With different sets of customers, compliance regulations, objectives and assets, industries such as healthcare, financial services and government all take a very different approach to risk avoidance, mitigation plans and related investment decisions. For example:
- Healthcare: While healthcare organizations were historically focused on patient safety, healthcare risk has become increasingly more complex to manage. Factors include: the expanding role of healthcare technologies and connected healthcare networks, increased cybersecurity threats and the industry’s rapidly evolving regulations, and the legal and political landscape. Some of the biggest healthcare concerns around risk include compliance regulations such as the Health Insurance Portability and Accountability Act (HIPAA), risks around medical error, rapidly evolving healthcare policy and increasingly sophisticated cybersecurity threats aimed at stealing or compromising patient data.
- Financial services: Risk management in the financial services industry revolves around managing exposure to operational risk, credit and market risk, foreign exchange risk, business risk, legal risk, reputational risk and security risk. Perhaps more than other sectors, the financial services industry faces reputational risk challenges, especially after a slew of security breaches and various scandals that have ranged from the creation of hundreds of millions of false customer accounts to money laundering and bank fee scams.
- Government: Threats to government business operations range from natural or manmade disasters and technology failures to cyber-espionage and security incidents. Because so many government services are essential to public health and safety, their risk management strategies must minimize all disruptions, whether temporary inconveniences or critical infrastructure failures.
One of the ways government agencies can create consistent, repeatable and reliable standards for IT infrastructure and security is through the risk management framework (RMF), a set of guidelines that mandate how U.S. government IT systems should be built, monitored and secured.
Designed to identify risks that could harm operations, these risk management standards include guidelines from the U.S. Department of Defense, the National Institute of Standards and Technology, and others.
- DoD risk management framework: Issued by the Department of Defense in 2014, this framework outlines a six-step process — categorize, select, implement, assess, authorize and monitor — for government agencies and contractors to follow to prevent IT security risks.
- NIST risk management framework: NIST, or the National Institute of Standards and Technology, is a nonregulatory federal organization within the Department of Commerce that enables organizations to apply risk management principles and best practices toward improving the security and resilience of critical infrastructure. NIST also issued the voluntary cybersecurity framework, which provides standards, guidelines and best practices to manage cybersecurity-related risk within all organizations, not just government agencies.
- Framework for Improving Critical Infrastructure Cybersecurity: This framework is a risk-based approach that cites various industry standards and best practices to better manage cybersecurity risks. The framework can be used to strengthen an existing risk management program or as a guide to establish a new one.
- COSO framework: Created in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this widely used framework was developed to evaluate internal controls, primarily around financial compliance. It consists of five components: organization culture, risk assessment, control activities, information and communication, and monitoring.
- Enterprise risk management (ERM): Defined by The Risk Management Association’s ERM Council as the “capability to manage all business risks in pursuit of acceptable returns,” ERM goes beyond security to focus on the enterprise as a whole. This framework helps organizations determine whether they should take risks to move the business in new, strategic directions.
The Bottom Line
The bottom line: Risk management is essential for protecting assets
With everything from increasingly stringent compliance regulations to prolific and destructive cybersecurity threats, it’s well-established that enterprises continue to face mounting risk to their data, their assets and their reputation. Consequently, effective risk management is now an essential component of enterprise operations.
For organizations, the benefits of implementing a comprehensive risk management program are extensive, giving security leaders, administrators and policy makers the ability to:
- Take a logical, systematic approach to continuously improving IT security.
- Decide which risks could be most damaging to the organization — and protect both data and assets.
- Proactively seek out and mitigate such risks before cyberattacks can cause extensive damage.
- Find ways to efficiently operate as well as allocate resources and talent.
- Plan ahead, ensuring that the organization or agency is equipped to manage security incidents and can recover from them faster and with more ease.
A comprehensive risk management plan helps security leaders and professionals fulfill all of these commitments. From both a security and operational standpoint, it enables CIOs, security analysts and administrators to make and maintain continuous improvements to the business — all of which can help reduce and manage costly security and compliance risk that threatens to harm the organization, and ultimately, the bottom line.
Check out these resources on risk management:
- Operational Risk, It’s Not a Board Game
- Security and Risk Management Leaders: Know the Critical Capabilities for SIEM
- Splunk for Risk Management Framework
- Overcoming the Compliance Visibility Challenge
- Challenges on the Road to the Risk Management Framework
- Splunk and the Cybersecurity Framework
- Enabling Real-Time Visibility and Reporting on Compliance Controls With Splunk
- Challenges and Trends in Public Sector IT Operations: United States