M.ISRM, CAPPS

What is Risk Management?

 

Risk Management refers to the activities directing and controlling an organisation’s response to risk. It helps organisations make informed day-to-day security management decisions that are aligned with pre-agreed principles, frameworks and protocols. Risk Management impacts the entire organisation – it is the foundation for risk governance and serves as a playbook guiding every individual from the bottom up.

 

The Risk Management Framework is a subset of Risk Management that helps to identify the underlying risk source factors.

 

“It is about asking ourselves, what and where are the risks? What are we going to do to avoid, minimise or control these risks? There is also the need to plan for contingencies if the response plan to the risk fails.”

 

Risks, if not nipped in the bud, can build up and lead to future threat occurrences or other unforeseen circumstances. Having a Risk Management Framework can avoid such situations because employees and managers are aware of the Standard Operating Procedures (SOPs) they need to follow to make speedy corrections. One does not want to be caught in a situation where discussions on how to react to risks take place only after the risks have materialised. The ideal situation is to follow the SOP and take appropriate action to address low- to moderate-level threats right at the onset, before they morph or escalate into bigger problems.

The advantages of having SOPs in place include:

  • Being better able to identify and react to risks at the initial stage
  • Having more time to devise and decide on the best mitigation methods
  • Involving fewer resources and lower costs

 

Risk Management Framework: 1. Risk Assessments

 

The Risk Management Framework consists of three stages, beginning with Risk Assessment.

 

Fig 1. Risk Management Framework

 

Risk Assessment is the identification of potential risks and threats and the capturing of them in the Risk Register. As simple as it seems, there is unfortunately no definite way of identifying and classifying threats.

 

Nonetheless, one successful approach is to evaluate each risk and threat according to its complexity, other associated risks and time-related factors. Taking all these into account, a Comparative Risk Value can be calculated for each risk and threat. The Comparative Risk Value is a modelling method that provides an indication of the probability (or likelihood) of a threat arising and the severity of its impact(s). The Comparative Risk Values of Probability and Impact are then combined into a Risk Matrix.

 

The Risk Matrix framework seeks to further analyse the consequences, magnitude of consequences and volatility of each threat. The combined Comparative Risk Values of Probability and Impact are used to position each threat in one of the quadrants of the Risk Matrix. Each section in the Risk Matrix has its own set of guidelines and control actions for responding to threats and risks. It is pertinent to point out that the responses suggested by the Risk Matrix are dynamic – they should change and be modified according to differing security environments and relevant factors.

 

Risk Management Framework: 2. Risk Control

 

 

Risk Control is the second stage in the Risk Management Framework, and it details exactly how the mitigation actions outlined in the Risk Matrix should be executed. It covers the parties accountable and responsible for each proposed action, the resources required, the performance measures, constraints, communication flow process and timeline.

 

Risk Management Framework: 3. Contingency Plan

 

At the same time, risks are always shifting and changing, so organisations need to adapt and respond accordingly. In this final stage of the Risk Management Framework, the organisation prepares for unforeseen circumstances or potential risks that have yet to emerge. To do so, the Crisis Management Team must work closely with the respective stakeholders in the organisation to devise a set of dynamic plans that can be deployed quickly to respond to sudden threats and risks. The aim of any contingency plan is to find the fastest and most effective way to bring a business back to ‘Business as Usual’ in the face of any unexpected situation.

 

Summary

 

Risk assessment is the overarching process of risk identification, risk analysis and risk evaluation. The Risk Assessment Framework is a systematic, iterative and collaborative process to identify and manage threats and risks.