Canadian Security Magazine

The key to successfully managing risk: relationships

By Tim McCreight   

Features Opinion Risk Perspective annex enterprise secuity risk management esrm relationship to risk risk manager risk perspective tim mccreight

One of the tasks we must master as we enter into an Enterprise Security Risk Management (ESRM) program is the idea that we will now “manage” risks.

We don’t “own” the risks — that’s the role of executives and business leaders. Our task, in the ESRM philosophy, is to manage the activities required to reduce the risks to the organization.

This doesn’t mean we’re going to hire 10 more staff members, and work weekends to finish all the tasks!

As security professionals, we need to be practical and pragmatic in our approach to “manage” the risk reduction program. In most cases, we’re going to be collaborating with other departments to help us identify the best path to take for reducing risks, and then identifying what team is going to do what task.

Collaboration is key to success. We can’t do the work ourselves, and we don’t have the expertise that we’ll find in other business areas.


Remember the discussions from past articles where you’ve gone out to make new friends in all the other business departments? Those relationships you’ve established from coffee meetings become key to successfully managing your risk program. You’ll rely on these individuals, and others you’ll get a chance to meet, to help execute the tasks you’ve documented in your risk mitigation strategies.

It seems like we’re reducing our role in ESRM, but that’s not true. Our organizations are relying on us to bring subject matter expertise to the executive table, and to demonstrate our ability to see what activities need to be completed to reduce the risks to the level that’s acceptable to our organizations. Collaborating with different business areas also demonstrates our commitment to the organization and our role as a trusted advisor and business enabler.

Managing the risks can take different forms in different organizations. The process can be documented in spreadsheets, or updated in one of the many software applications that focus on risk. The key components for risk management will remain the same — you need to identify what the risk is, what the proposed mitigation strategy is, and what activities your organization must take to reduce the risk. I’ve used spreadsheets and software programs, and both can help you achieve your end goal. It depends on your needs and your budget.

Executives will want to know your progress and you will need to report regularly on the activities you have underway. Reporting on the progress of risk reduction activities is different than simply presenting statistics on the number of blocked emails you have every month, or how many employees have attended an online security awareness program.

You must name the risks you have identified, and what activities you’ve taken  (and plan to take) to reduce the risk from its initial state to its target state.

In past lives, I’ve been able to demonstrate the reduction of risks by creating an iterative risk assessment process.

As changes are put into the organization, or tasks are executed, a “mini” risk assessment was conducted against the targeted asset to see if the risk rating has changed from its initial state. It takes more time and work, but being able to assess a new risk posture after making changes to an asset is worthwhile.

The process of managing risks on behalf of the organization gives the security professional an opportunity to really show our value to the organization.

The skills we have in identifying risks, documenting steps to reduce the risk, and executing on these tasks can bring us closer to the role we need to attain — trusted business advisor.

Not bad.

Tim McCreight is the owner of Risk Rebels Consulting Ltd. (

This article originally appeared in the May/June 2018 issue of Canadian Security.

Print this page


Stories continue below


Leave a Reply

Your email address will not be published. Required fields are marked *