Many of today’s organizations are undergoing a very high degree of change, while at the same time the overall pace of business continues to increase. The risk picture of most organizations is changing as a result. This is why security and risk management professionals need to “up their game” when it comes to risk assessment. This article presents five ways to make your assessment program more effective and at the same time easier to perform.
Fortunately, a new ANSI Risk Assessment standard has just been released, a collaborative effort by ASIS International and the Risk and Insurance Management Society. The 37 working group members who crafted this document form a list of highly experienced risk assessors, whose real-world experience is reflected in the well-organized and highly valuable material that you will find in the standard.
Download an executive summary of the standard here: http://bit.ly/summary-new-risk-assessment-standard. Purchase your copy (free for ASIS members) here: http://bit.ly/new-risk-assessment-standard. Its official title is: ANSI/ASIS/RIMS RA.1-2015, Risk Assessment.
The standard provides guidance on developing and sustaining a coherent and effective risk assessment program. It covers key assessment principles, managing an overall risk assessment program, and performing individual risk assessments. This material applies to the performance of risk assessments for the disciplines of risk, resilience, security, crisis, business continuity, and recovery management. It is consistent with ISO 31000:2009 Risk management – Principles and guidelines, as well as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management framework.
Please don’t let the paragraph above discourage you in any way! I say that because many practitioners have found earlier assessment standards and methods to be burdensome and difficult to apply given resource constraints and time pressures. This is one reason to fine-tune your assessments and develop an assessment program that is doable within whatever resource constraints you have.
The following two extracts from the assessment standard show the degree to which the standard supports realistic assessment efforts, while at the same time maintaining the integrity of the assessment process and its results. The emphasis (bold and italic text) is mine.
Stay Within Your Organization’s Capabilities
“When choosing a risk assessment methodology, care should be given to remaining within the organization’s capabilities. The methodology should follow a logical process by which the inputs into an assessment are evaluated to produce the outputs that inform the decision-making processes. When trying to determine the methodology, previous assessments or an industry accepted approach may be a good starting point, but should be reevaluated for appropriateness and tailored to the current circumstances. Choice of methodology should also consider data availability and resource constraints.” (From section 5.5.5 Identifying Risk Assessment Methods.)
Keep It Simple
“There is no single methodology that is appropriate for measuring the likelihood and consequences of various risks. Each methodology requires independent judgment regarding its design. In some cases, it may not even be possible, or necessary, to explicitly determine likelihood and consequence. As a general rule, simple methodologies are less prone to errors and are easier for stakeholders to understand, as well as more likely to fulfill the principles of transparency and practicality. The methodology that best meets the decision-maker’s needs is generally the best choice, whether quantitative or qualitative.” (From section 5.5.5 Identifying Risk Assessment Methods.)
Albert Einstein is credited with saying, “Everything should be made as simple as possible, but no simpler.” Risk assessments benefit from the application of that principle.
Note that this assessment standard has taken into account the important fact that there are assessment stakeholders who need to:
- understand enough about the assessment that they can support its approval
- know enough to help facilitate the gathering of data
- review and understand the assessment results
- assist in getting the recommended improvements implemented
A risk assessment is of no value to the organization if its recommendations are not implemented.
The basic purpose for a risk assessment is to provide an understanding of risks and risk treatment options to help management make risk management decisions. Providing a list of recommended actions without providing an understandable rationale for them undermines the decision-making process, and fails to fully enable management to take appropriate action. Remember that there is competition for organizational resources. Executives usually don’t have the same understanding of the organization’s risk picture that risk practitioners do. Other aspects of the business are clearer in their minds than most risk factors.
Why Fine-Tune Your Security Risk Assessments?
Reasons for fine-tuning your security risk assessments include:
- making your assessments easier to execute
- improving management support of your effort
- enabling management to more effectively support improvements in security, business continuity, crisis management and organizational resilience
- making your assessment approach a better fit to your organization’s risk picture
Five Ways to Fine-Tune Your Risk Assessments
- Establish an assessment program context. In the “old days” practitioners would aim to perform facility security assessments, information security assessments, and other types of assessments at three-year or five-year intervals. The rate of business change today warrants much shorter intervals, plus the ability to update the risk picture as the business or the business environment changes. Determine the true assessment needs of your organization; briefly outline a program to accomplish them; make a list of the program’s benefits; identify the key stakeholders; and in one-on-one discussions present the concept. Since everything can’t be assessed at once, ask the stakeholders for feedback on which parts of the risk picture interest them most. Once their thinking is primed by the initial conversation, subsequent discussions will be even more productive.
- Assess and expand your resources. The extent of resources goes beyond the time, money and assessors available for the assessment. The support of senior management and of the heads of functional areas is a key resource. A little advance educational work, like socializing the assessment program context, can go a long way toward building support from key executives and managers. An overall senior sponsor who will visibly and vocally support the assessment program is usually a missing resource that is worth taking the time to establish. Use the Stakeholder Ladder of Involvement tool (described in the book Security Education, Awareness and Training by Roper, Fisher and Grau) to rate the assessment stakeholders and set realistic objectives for their level of involvement.
- Find out how well-aligned your function is within the organization. It is common for a certain amount of separation to occur within organizations, as functional areas concentrate on getting their particular part of the work done. Silos can develop between which there is little interaction and little understanding. Use the Relationship and Allies Worksheet from the Rate Your Security Program set of tools to get valuable insight into your function’s relationships with other business functions.
- Walk before you run. Set the scope of the next assessment to be as narrow and simple as possible and still provide a worthwhile result. Keep in mind that the first assessment can have a significantly positive educational impact with stakeholders. To the greatest extent possible, use plain language in explaining and discussing the key concepts and assessment steps. Keep the business culture in mind; learn and follow collaborative approaches that work best in your organization. For example, consider using the simple assessment provided by the Insider Threat Micro Assessment Template, an easy-to-perform action that rates your organization’s insider-threat mitigation measures against 19 insider-threat mitigation best practices. It is very enlightening to the folks in HR, Legal, IT, Security, management and various other information protection stakeholders. Usually, the first assessment of any type raises awareness significantly and prompts discussions about risk that take place on their own initiative.
- Share the credit as well as the results. In your assessment report, acknowledge the stakeholder contributions. Based upon how things are done (or should be done) within your organization, make appropriate acknowledgements not just of the assessment contributors, but of those who implement and/or maintain the resulting improvements. A personally written thank-you letter, with a copy to the stakeholder’s boss and HR, is a deserved and welcome response. Whether it comes from you or from the senior assessment sponsor, it can foster invaluable goodwill. Furthermore, when subsequent re-assessments show that risk mitigation measures continue to be effective, remember to acknowledge the ongoing efforts appropriately.
Strength Over Time
Fine-tuning your assessment program is not an overnight action. However, you can easily make orderly progress by taking steps at periodic intervals, much to the immediate benefit of your position and your organization’s risk posture.