Seven Habits of Highly Effective Risk Management

I’ve been giving some thought to what makes a good risk management function. What follows is a summary of the seven key attributes or processes I settled on, in no particular order. It is worth noting that none of this is specific to IT or information security; it applies to any environment where risk needs to be managed.

1. Objectivity

Be firm but fair. Always exercise professional scepticism when evaluating the effectiveness of a control environment. Just because someone says a control works doesn’t necessarily mean it works as it should; ask for evidence. Independence is also important – those too close to a process are not always in the best position to identify its risks.

2. Risk assessment and reassessment

People, processes, the environment, technology, everything and anything changes. Consider the rate of change and other triggers (such as incidents) and define a formal plan for revisiting the risk assessment phase, both on a schedule and when a trigger fires. Check that your attributes, ratings and area of assessment are still valid.

3. Refinement of controls

In conjunction with #2, revisit controls and their associated processes to validate that they are still effective and efficient. Even if the environment (and the risk) hasn’t changed, there may be a better way of managing the risk, such as a new technology. Maturity models can help to track and measure changes in the effectiveness of controls over time. Although monitoring controls is a fundamental part of risk management (the “Check” in the Plan-Do-Check-Act cycle), self-monitoring does not constitute independent review. Make sure your audit team has a look at the control environment and gives their own view.

4. Collaboration with other risk management functions

Work environments can be very complex. Many systems, processes, laws, regulations and other attributes combine to keep a business working. It is nearly impossible for a single division to have 1) the knowledge required to understand all risks, and 2) visibility of all components of the business. Even teams with similar skill sets (such as IT security and IT audit) have different objectives and so need to work together to help the business manage risk effectively. Rather than working in isolation, there is more value in assurance providers and risk managers working together to ensure appropriate lines of defence are in place while avoiding duplication of effort (i.e. combined assurance).

5. Awareness and training

The potentially high rate of change in an environment (systems, business processes, risks, technologies or regulation) poses a challenge to those responsible for identifying and managing risks. Continued learning and awareness are fundamental requirements for obtaining and sustaining the necessary knowledge of the environment and its associated risks. At the same time we are challenged by having too much information easily available, so it is important to filter out what is relevant and to identify trustworthy sources. Engaging with other professionals in this context is a great way of keeping up to date with changes relevant to your environment.

6. Collaboration with business

Apart from making the workplace more pleasant, there is real value in building a trusted relationship between risk managers/assurance providers and business stakeholders. The more these parties engage, the more opportunity there is for knowledge transfer. The more a risk manager knows about the environment in which they operate, the more effective they can be and the more value they can demonstrate.

7. Fairness

Most (if not all) divisions have the business’ best interests at heart, including risk functions. A risk manager’s job is not always to err on the side of caution and drive the control environment to the point where every risk is fully mitigated, as this hinders the business’ ability to operate or perform successfully. Many businesses need to take risks to make money, and it is the responsibility of risk functions to allow them to do so while keeping those risks at an acceptable level. Managing risk is not always about fully mitigating it.

Not by Design, but over Time – The Value of Independent Review

We can (hopefully) assume that most people are inherently risk averse when it comes to their work environment. We perform our duties with good intentions and expect our skills and experience to keep us from exposing our business to unnecessary risk, since doing so would affect our own reputation as well as the organisation in some way, shape or form. In fact, we could propose that in many cases when an employee does expose their business to risk, it is because they are unaware of the potential consequences of their actions, which points to possible breakdowns in internal awareness training and the control environment (think of a techie posting a question on a forum asking for troubleshooting advice and including the specifics of the hardware, software and network configuration).

If trusting everyone to perform their roles as we expect were a feasible risk management approach, there would be little use for the assurance providers and risk managers in an organisation. Sadly this is not the case, and despite our best intentions we may not always identify the risks in our own actions. The level of risk may also increase over time, starting at an acceptable level and then rising due to a range of factors such as more reliance being placed on an individual, business process changes or external events. The danger is that this can happen without management being aware of it.

Identifying risk and monitoring control effectiveness are key roles that need to work alongside operations. Those in operational roles can become blind to risk identification because they are (correctly) focused on their operational activities and often not on the bigger picture.

For example, a DBA managing a set of systems may prove exceptional at managing, optimising and controlling her databases, and so management assigns more databases to her portfolio. As the number of databases under her management increases, so too does the amount of critical or sensitive information within her reach. Management understands that this information requires additional controls, and tasks the DBA with building a robust monitoring solution.

An independent party (e.g. the second or third line of defence) will easily pick up that the person responsible for managing the database environment is also the person responsible for securing it. This lack of segregation of duties may be overlooked by management because of the trust placed in the DBA and her high performance. Despite this, the scenario still presents a threat to the organisation: it provides both the opportunity and the method for malicious activity to be carried out without detection, since the person who can access the data is also the person who can alter or silence the monitoring that would detect it. All that is missing is motivation (which could take many forms), and then the risk becomes very real.

My point is that everyone has a role to play in identifying and managing risks while allowing the business to perform efficiently. The operations team in this instance must acknowledge that the independent risk managers have correctly identified a risk that needs to be managed, regardless of how well the DBA performs.

At the other end of the scale, it is also easy for risk managers to err on the side of caution and to avoid risk rather than looking to manage it. Being cautious is forgivable in the current economic environment, but stifling management’s intentions can also have a negative impact on the bottom line, as opportunities may be missed.

We can’t expect everyone to be an expert in both operations and risk management, as each side needs a deep understanding of its own area within the context of the business. Rather, it is a fundamental requirement to establish a trusted environment between the disciplines by identifying the relationships and tensions that exist between the various teams. In this way the business can prevent each discipline from restricting the other’s effectiveness, since in the end both are equally important in supporting and sustaining the organisation’s strategy.