Risk management is a process or program that aims to minimize the impact of unfortunate events or to prevent those events from occurring. In other words, risk management is a system for dealing with risks and potential risks before they materialize and become threats, incidents, or events.
Before creating your risk management plan, it’s important to understand the definition of “risk.”
Risk, in the business world, is an event or condition that, if it materialized, might affect business objectives — positively or negatively. Investing money, for example, incurs the risk of a positive outcome—financial gain—and a negative one—financial loss.
“Risks” are not the same as “threats.” A risk is what might happen: When you cross the street, you might get hit by a car, so you look both ways before stepping off the curb. A threat is imminent: A vehicle speeding through the intersection is about to hit you, so you jump or run out of the way.
A risk that has been realized is an event or incident. In cybersecurity, the term “event” refers to some unusual and observable occurrence: someone tries to breach the system. If the breach attempt succeeds, that’s an “incident.” In other words, a cybersecurity incident is an event that results in damage or exposure to information security assets and operations.
Once you’ve fully grasped the meaning of risk, you can begin managing it. The risk management process involves a series of actions, like stepping stones, each leading to the next and each important to your risk management program.
The steps of risk management, in order, are as follows:
- Risk assessment
- Risk analysis
- Risk evaluation/prioritization
- Risk treatment/mitigation
- Risk monitoring/review.
Risk assessment involves two parts: risk identification and risk analysis.
Risk identification involves identifying existing and potential risks. Business risks may be project risks, function risks, or enterprise risks. For this step, you’ll need to use your imagination, and envision worst-case scenarios, from natural disasters to economic ones.
What if a fire broke out in your building? What if someone stole your proprietary secrets? What if the economy crashed? What if ransomware locked your systems? What if a competitor undercut your prices? And so on.
Types of risk include the following:
- Financial risk
- Audit risk
- Compliance risk
- Reputational risk
- Cybersecurity risk
- Competitive risk
- Legal risk
- Economic risk
- Operational risk
- Physical and environmental risk
- Quality risk.
During the risk identification process, it’s important to keep in mind that we cannot see into the future. You might miss something. New risks could emerge for which you have no plan — yet. Therefore, it’s important to keep your options open, and your risk management process and program flexible. Plan to review this list on a regular basis, and establish contingency plans for new and unforeseen risks.
In the risk analysis phase, you’ll examine each identified risk and assign it a score based on four factors:
- Likelihood: What’s the probability of occurrence, i.e., that the risk will materialize?
- Impact: How hard would your project, function, or enterprise be hit if the event occurred?
- Velocity: How quickly would your project, function, or enterprise feel the impact?
- Materialization: What’s the potential severity of the impact? To arrive at this score, add the impact and velocity scores and divide by 2.
Scores for impact and velocity—and, therefore, materialization—can be reduced with mitigations or risk controls.
Not all risks are created equal. Some are potentially more damaging, and so deserve more of your attention. Others may pose little danger and can be accepted. An effective risk management strategy requires risk prioritization according to levels of risk. What if, while you’re crossing the street, an earthquake strikes and the ground swallows you up? It’s so unlikely that you’re not going to plan for it. Prioritizing risk helps you avoid wasting time and expense on what is improbable.
On a chart commonly referred to as a “risk register,” you’ll want to list each risk, its materialization score and rank, and your risk response or treatment. Typically, risk treatment comes in four options:
- Risk acceptance
- Risk avoidance, perhaps by not performing the action that incurs it
- Risk transfer, usually to an insurance company
- Risk reduction, usually with risk controls.
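The scoring rule from the risk analysis phase (materialization = (impact + velocity) / 2) and the risk register described above, carried through in code. This is an added example, not material from the article; the 1-to-5 scale, the sample risks, and the thresholds that pick a treatment are all assumptions made here to make the mechanics concrete.

```python
"""Toy risk register: scores risks as the article describes and assigns one
of the four treatment options. Added example; the 1..5 scale, the sample
risks and the treatment thresholds are assumptions, not from the article."""
from dataclasses import dataclass, replace

MIN_SCORE, MAX_SCORE = 1, 5  # assumed scale for likelihood, impact and velocity


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # probability that the risk materializes
    impact: int       # how hard the project/function/enterprise would be hit
    velocity: int     # how quickly the impact would be felt
    controls: tuple = ()  # labels of mitigations already applied

    def __post_init__(self):
        # Reject scores outside the assumed scale instead of silently ranking garbage.
        for attr in ("likelihood", "impact", "velocity"):
            value = getattr(self, attr)
            if not MIN_SCORE <= value <= MAX_SCORE:
                raise ValueError(f"{attr} must be {MIN_SCORE}..{MAX_SCORE}, got {value}")

    def materialization(self) -> float:
        """The article's rule: add impact and velocity, divide by 2."""
        return (self.impact + self.velocity) / 2


def apply_control(risk: Risk, label: str, impact_cut: int = 0, velocity_cut: int = 0) -> Risk:
    """Risk reduction: a control lowers impact and/or velocity (never below the
    scale minimum), which in turn lowers the materialization score."""
    return replace(
        risk,
        impact=max(MIN_SCORE, risk.impact - impact_cut),
        velocity=max(MIN_SCORE, risk.velocity - velocity_cut),
        controls=risk.controls + (label,),
    )


def choose_treatment(risk: Risk) -> str:
    """Map a scored risk to one of the four treatments. Thresholds are assumed."""
    m = risk.materialization()
    if risk.likelihood == MIN_SCORE or m < 2.0:
        return "accept"    # too unlikely, or too small, to plan for
    if m >= 4.0 and risk.likelihood <= 2:
        return "transfer"  # severe but rare: insure it
    if m >= 4.0 and risk.likelihood >= 4:
        return "avoid"     # severe and likely: stop doing the thing that incurs it
    return "reduce"        # everything else: apply risk controls


def build_register(risks):
    """Rank by materialization (highest first), likelihood as the tie-breaker."""
    ordered = sorted(risks, key=lambda r: (r.materialization(), r.likelihood), reverse=True)
    return [
        {"rank": i, "risk": r.name, "likelihood": r.likelihood,
         "materialization": r.materialization(), "treatment": choose_treatment(r),
         "controls": list(r.controls)}
        for i, r in enumerate(ordered, start=1)
    ]


# Constructed sample risks, loosely drawn from the article's what-if list.
SAMPLE_RISKS = [
    Risk("Ransomware locks production systems", likelihood=3, impact=5, velocity=5),
    Risk("Fire in the office building", likelihood=2, impact=5, velocity=4),
    Risk("Competitor undercuts our prices", likelihood=4, impact=3, velocity=2),
    Risk("Shipping the release without the pending security fixes", likelihood=4, impact=5, velocity=4),
    Risk("Earthquake during the street crossing", likelihood=1, impact=5, velocity=5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
    # A control lowers impact/velocity and therefore materialization, as the article notes.
    ransomware = SAMPLE_RISKS[0]
    mitigated = apply_control(ransomware, "offline, tested backups", impact_cut=2, velocity_cut=1)
    print(ransomware.materialization(), "->", mitigated.materialization(), choose_treatment(mitigated))
```

Ranking purely by materialization puts the earthquake at rank 2, which is exactly why the treatment decision also looks at likelihood: a score of 5.0 with likelihood 1 is accepted rather than planned for. The same structure lets you rerun the register after a control is applied and see the ransomware entry drop from 5.0 to 3.5.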
A risk management framework such as COSO’s Enterprise Risk Management—Integrated Framework or ISO 31000:2018, Risk management, can help guide you through decision-making in the risk management process.
Circumstances change. Regulations and industry standards get updated. Cybercriminals adopt new techniques for breaching systems. Staying on top of risk is a continuous process, and can be challenging. Fortunately, digital solutions can do much of the work for you, automating your risk management and leaving you free to focus on the business at hand: keeping your clients and customers satisfied and maximizing profits.