At SimpleRisk, we frequently get asked by prospects and customers alike if there is a template or road map that can be used to establish a foundational GRC program. We’ve learned over the years that every organization is different and there is no “one size fits all” approach.
While Governance, Risk Management and Compliance are interconnected and organizations need to have a sound framework within which to manage risk, our view is that “Risk Management” is the engine that drives any successful GRC program and there are certain key components of Enterprise Risk Management that we’ve found to be universal. We want to share our insights with you in this blog that focuses on how to incorporate the “R” into GRC.
In our Risk Management 101 blog, we outlined a series of fundamental questions to address when first establishing an ERM program. In this blog, we’ll explore each of those questions in further detail and provide some additional context and guidance that will enable you to establish a solid foundation upon which to build out your GRC program.
1) How do I identify risk?
There are numerous ways to identify risk, so it can be difficult to know where to start. We recommend beginning by identifying the more obvious potential issues for your business that would result in the most significant negative impact. Below are some ways for you to identify and capture risks. Once entered into the system, you can then organize, assign and track all risks at a corporate, business unit and/or department level.
- Perform a self-assessment using the CIS Critical Security Controls to
identify and enter potential risks into the system – it’s simple and effective.
- If a pen test has been performed, manually add or automatically import any risks that were identified into the system.
- Encourage all employees to enter risks into the system. Limit the amount of information required to submit a risk – the primary goal is to capture risks, and the details can be added later.
- Perform a control gap analysis assessment and establish a security baseline using the NIST Cybersecurity Framework.
- Perform Third Party Risk Assessments to determine where compliance gaps exist and how vendor risks can adversely affect your organization.
- Import vulnerabilities, eliminate duplicates and triage them into a single risk that are linked to assets. Check out how vulnerability management can be accomplished.
2) How can employees be encouraged to document risk they may uncover?
- Establish codes of conduct and proactively train employees on the importance of risk management to help ensure all employees are aware of your organization’s expectations.
- Keep it simple by minimizing the amount of information required to submit a risk and rely on your security practitioners to fill in the details.
- Involve management in the risk process and have them convey the importance of capturing risks to their team members.
3) How can I effectively rank risk to prioritize mitigation efforts?
After creating your risk registry, the next step is to plan mitigation efforts. While it’s not essential when you are just getting started, as your program matures, we do recommend adding values to your assets to enable quantitative risk assessments, which provides you with a more accurate picture of your risk exposure. Below are short descriptions of the six scoring methodologies supported in SimpleRisk that can be used interchangeably depending on the risk type, and the system automatically normalizes all scoring on a 1-10 scale.
- Classic: This is your CISSP formula of RISK = LIKELIHOOD x IMPACT. This formula can also be modified for single-weighted likelihood or impact, or double-weighted likelihood or impact.
- CVSS: This is a relatively heavy assessment method typically used by CVE's.
- DREAD: This is a lighter assessment method originated by Microsoft.
- OWASP: This is best used for application security assessments.
- Custom: This is a basic 0-10 value designed to accommodate those who have their own scoring processes.
- Contributing Risks: This enables users to set a weighted likelihood among multiple contributing risk factors.
4) How do I set up a risk mitigation process?
To plan mitigation efforts, first associate your risks with controls and add mitigation dates. You can then perform regular reviews of your risks with management to prioritize action and determine whether to approve a risk or reject and close it. If approved, you can define the next step, which generally will fall into one of these four categories: a
- Accept the risk until next review, including any risk exceptions that you’ve identified where you’re not following your policies or controls
- Consider it for a project
- Submit the risk as a production issue and leverage an external system for the project
- Create a risk exception and track it accordingly to demonstrate to auditors the rationale behind the exception
After adding review dates, we recommend organizing your risks by next review date, followed by the inherent risk score. This will help you to prioritize your risk reviews and mitigation efforts. As a best practice, below are the three risk categories to adopt for classifying your risks.
- Unreviewed risks (risks that have been added recently and never reviewed)
- Past due risks (risks that have been reviewed at one point but are now past due)
- Future risks (risks that are due for review at some point in the future)
Another effective strategy is to focus on mitigating risks that have a high risk score and require minimal effort to address, resulting in a significant impact without a significant workload. SimpleRisk provides a “Risk Advice Report” to automatically gauge and inform you which risks fall into this category.
5) Who should be responsible for risk mitigation?
Even though management is not responsible for risk mitigation, determining how to manage risk should ultimately be their responsibility. Depending on the size of an organization, security specialists or practitioners are often responsible for mitigation efforts whereas larger or more mature organizations may have a dedicated risk manager or SME who is heavily involved in the process and can provide input and guidance on the most effective ways to mitigate risk. As a security practitioner, your primary function is to:
- Assist in identifying the issues
- Advise on how to mitigate them
- Ensure that the right stakeholders are aware and educated so that they can make the most informed decision possible for the business
The risk manager’s main goals are to:
- Drive visibility and accountability of the risks the organization is accepting
- Link risks to the stakeholders who are accepting them
6) How can the risk mitigation life cycle be tracked effectively?
Risk management is a cyclical process, and the risk mitigation life cycle requires that it be repeatable and scalable in order to effectively track and manage risks. In SimpleRisk, this can be accomplished by:
- Identifying the right stakeholders and assigning them the correct roles and
- Leveraging the SimpleRisk Email Notification Extra to remind stakeholders of upcoming due dates and deadlines
- Scheduling regular reviews where qualitative and quantitative reporting can be shared to focus on tracking and prioritizing risk mitigation efforts
- Monitoring assets with a high volume of risks that may be candidates for patching or retiring
- Reviewing risks and all associated assets to help identify which assets are
candidates for patching or retiring
7) How often should risks be reviewed?
We recommend a monthly cadence to review all risks, and these reviews should be performed in the following sequence:
- Risks that are coming due for review in the current month
- Any new risks that are unreviewed
- Any risks that have lapsed and are now past due since your previous review.
Although timeframes may vary, we recommend using the Inherent Risk Score as the key metric to determine how frequently each risk should be reviewed. For example, you may want to automatically set the review dates for risks as follows:
- High risks every 90 days
- Medium risks every 180 days
- Low/insignificant risks once a year
8) How can risk be communicated to management?
One common dilemma confronting security practitioners is how to bridge the communication gap that often exists between themselves and management. Given that management has the authority to allocate budget for risk mitigation efforts, it’s incumbent upon security practitioners to get key stakeholders and management on board with risk ownership. Below are three ways to accomplish this:
- Identify, rank and prioritize risks, and provide advice on how to mitigate them.
- Empower business owners and other management team members to make data-driven decisions, by communicating risk in business terms, not technical terms, so that risk is easily digestible.
- Obtain buy-in and accountability from all stakeholders, so everyone understands why they should be invested.
There are multiple questions and choices to consider when you are first establishing a GRC program. Once your overarching guidelines and policies have been established and you’ve identified which control framework(s) you need to be in alignment with, implementing an effective risk management process will become the underlying foundation that links governance, risk management and compliance together. If you're interested in launching your GRC program with SimpleRisk, you can download our free and open-source platform, SimpleRisk Core, and begin submitting risks in minutes!
Want to see more content like this? Sign up for the SimpleRisk mailing list to stay informed!
Normalizing Risk Scoring Across Different Methodologies