A framework for risk
By Tim McCreight
So you have made the decision to begin a risk management program starting with corporate security. Congratulations! This is great news…and the beginning of an incredible amount of hard work, long meetings and frustration.
You can avoid some of these pitfalls (at least the frustration) if you take some time to plan your journey first. Begin by developing a framework for managing risks within your enterprise.
The first step to any successful program is endorsement by senior management. You must have heard this hundreds of times in your career. If you’re planning on moving to a risk-based, business-focused approach for your security department, you’re going to need it. There’s no sense starting a program and realizing you’re assessing risks against your three key assets (people, property and information) but no one cares. Or worse, they don’t want to know.
Once you’ve secured this level of support, I strongly suggest you set up a cross-functional working group that can become your group of subject matter experts. You’ll want to create a small enough team that you can be agile and not dragged into “meeting hell” or “paralysis by analysis.” The people you want on this team should be subject matter experts in their department, and fully grasp the concept of understanding risks to help the business make more informed decisions.
If we accept the premise that businesses inherently take risks, sometimes on a daily basis, it only makes sense to include members from business units as well as security professionals in your working group.
You’ll start creating the roadmap for moving to risk by gaining common ground on the taxonomy of risk. Developing a risk-based, business-focused approach to your security program requires new criteria, and a new set of terms and definitions.
As a working group, you need to garner consensus on key concepts like probability, likelihood and impact. These three terms become the pillars of your new taxonomy, and help define how you and your working group are going to classify the different types of risks facing your organization.
This grid, chart or spreadsheet of terms and definitions is key to a successful start to your risk program. As a team, you need to define what you mean by the impact of something against your organization. As a starting point, begin looking at impacts that affect the following areas: financial, operational, stakeholders and employees.
These are broad categories, but your working group can drill down and expand on each main area to create more meaningful descriptions for your organization. As an example, you may want to consider impacts to the reputation or confidence of your organization in the stakeholders category.
If something were to happen to your organization, would there be a corresponding loss in market or public confidence, and a parallel consequence to stakeholders? Could the share price drop, or charges be filed against the company? How would your company stakeholders be impacted? Would they lose money? There will be many more discussions and decisions just like this one during your meetings. And expect to go through a number of iterations — this isn’t an easy task, but it is valuable to go through the process.
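To show how the agreed taxonomy (a likelihood scale, an impact scale, and the four starting impact categories) turns into a consistent classification of a risk register, here is an added example in Python. It is not code from the article or from the author's organization; the five-point scales, the rule that the worst single category drives overall impact, the rating bands and the sample risks are all assumptions constructed for illustration, to be replaced by whatever the working group agrees on.

```python
"""Classify a small risk register against a shared risk taxonomy.

Added example. The scales, categories, scoring rule, rating bands and
sample risks below are assumptions for illustration, not the article's
taxonomy or any organization's actual definitions.
"""
from dataclasses import dataclass, field

# Assumed impact categories, taken from the four starting areas in the text.
IMPACT_CATEGORIES = ("financial", "operational", "stakeholders", "employees")

# Assumed ordinal scales (1 = lowest). A working group would replace the
# wording with its own agreed definitions; the code only needs the levels.
LIKELIHOOD_SCALE = {
    1: "rare: not expected within five years",
    2: "unlikely: could occur within five years",
    3: "possible: could occur within a year",
    4: "likely: expected within a year",
    5: "almost certain: expected within a quarter",
}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed rating bands over the product likelihood x impact (range 1..25).
RATING_BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "critical"))


@dataclass
class Risk:
    name: str
    likelihood: int
    impacts: dict[str, int] = field(default_factory=dict)  # category -> impact level

    def validate(self) -> None:
        """Reject anything not expressible in the agreed taxonomy."""
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.name}: likelihood {self.likelihood} is not on the scale")
        if not self.impacts:
            raise ValueError(f"{self.name}: at least one impact category is required")
        for category, level in self.impacts.items():
            if category not in IMPACT_CATEGORIES:
                raise ValueError(f"{self.name}: unknown impact category {category!r}")
            if level not in IMPACT_SCALE:
                raise ValueError(f"{self.name}: impact level {level} is not on the scale")

    def overall_impact(self) -> int:
        # Assumed rule: the worst single category determines overall impact.
        return max(self.impacts.values())

    def score(self) -> int:
        return self.likelihood * self.overall_impact()

    def rating(self) -> str:
        score = self.score()
        for low, high, label in RATING_BANDS:
            if low <= score <= high:
                return label
        raise ValueError(f"{self.name}: score {score} falls outside the rating bands")


def classify(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Validate every risk, then return (name, score, rating) sorted worst-first."""
    for risk in risks:
        risk.validate()
    return sorted(((r.name, r.score(), r.rating()) for r in risks), key=lambda t: -t[1])


# Constructed sample register for demonstration only.
SAMPLE_RISKS = [
    Risk("Unauthorized access to the data centre", likelihood=2,
         impacts={"operational": 4, "stakeholders": 3, "financial": 3}),
    Risk("Phishing of finance staff", likelihood=4,
         impacts={"financial": 4, "employees": 2}),
    Risk("Lost visitor badge", likelihood=5, impacts={"operational": 1}),
]

if __name__ == "__main__":
    for name, score, rating in classify(SAMPLE_RISKS):
        print(f"{rating:8} {score:2}  {name}")
```

The validation step is the part worth keeping whatever scales you choose: a risk that cannot be expressed in the agreed terms is a sign the taxonomy needs another iteration, not a reason to score it loosely.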
This is going to be a lot of hard work, negotiation and consultation. The pace of the process, the depth of your discussions and the obstacles you’ll face will frustrate you. You may even ask yourself if it’s worth the effort. I know I did. But take it from me — it is.
Tim McCreight is the chief information security officer for the Government of Alberta (www.alberta.ca).