Organisations exist to produce a product or deliver a service, and they set a strategy or a set of goals to support that product or service.
Risk management is an organisational discipline that, when combined with strategic planning, ensures that risks which could impair the organisation's ability to achieve those goals are identified, analysed and responded to appropriately.
- Do senior leaders in your organisation seek out risk management insights to improve performance (not just manage the risk of non-compliance)?
- Is robust and realistic scenario analysis a primary technique in your risk identification approach? Tip: If you are not using the COBIT 5 risk scenarios, consider looking at them and incorporating them into your risk identification process.
- Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation, and operations, along with steps to proactively manage them?
- When conducting an RCSA (Risk and Control Self-Assessment), is the interviewee or survey participant asked about their own concerns (which might not be covered by the RCSA questions)?
- Does the organisation align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Tip: Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk!
- Does the organisation actively refine control objectives and the associated controls to make them simpler, saving time and cost in design, implementation, use and monitoring?
Risk management is an ongoing organisational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realised risk (an incident) or a near-miss event. Risk and control self-assessments are but one tool in the risk management toolkit. Make sure your RCSAs are robust enough to add value to the risk management process.
About the Author
Yvonne Sears MSc, LLM, CIPM, CISM, PICIP, MBCI
Yvonne has over 22 years' experience in information security and privacy in the UK and Australia. She is uniquely qualified, holding both a Master's in Information Security and Computer Crime and a Master's in Information Law (covering data protection, freedom of information and copyright law).
She has worked on several trailblazing projects, leading the way on data sharing and privacy issues in sensitive and complex areas, and has worked for a wide variety of public and private sector organisations worldwide.
She has spoken at industry events and has contributed to several publications, including ISACA's privacy book "Implementing a Privacy Protection Program" (2017) and "Women in the Security Profession" (2016).