What is risk management in the enterprise, and why is it essential?
Every well-conceived, prudently executed business plan for an enterprise, or for an organization of any size, accounts for risk. When properly managed, every program, campaign, strategy, or course of action whose outcome could conceivably have a negative impact on a company is assigned a value that correlates to its relative level of risk. Risk management begins with the analysis of adverse events capable of disrupting or damaging an organization and its objectives. It is then followed by the enactment of policies, processes, and procedures whose common aim is to distribute, mitigate, and minimize risks wherever they may occur.
What is Enterprise Risk Management?
Arguably, every risk management plan enacted for an enterprise — as opposed to, say, a small business, limited partnership, or sole proprietorship — could be called “enterprise risk management.” The important distinction between Enterprise Risk Management (ERM, in capital letters) and risk management as originally taught in the early 1960s is that modern ERM incorporates one fundamental principle: Every outcome of every plan within an enterprise affects all business units and all parts of the enterprise — perhaps through repercussions, perhaps over time, but certainly. If two business units of an organization are so distanced from one another that some actions of one part cannot impact the other, it’s not an enterprise. Therefore, every ERM strategy must account for the value of risk for the entire enterprise, whether as a whole or by way of every business unit collectively.
ERM vs. Traditional Risk Management
The “Enterprise” aspect of ERM gives risk management a proper sense of scale. As the practice has been taught since 1963, traditional risk management (TRM) involves identifying perceived and potential risks within an organization and assigning each one to a responsible party for management and oversight. In this early incarnation, TRM unintentionally had the effect of scaling every risk down to a size that was digestible to the business unit assigned responsibility for it. As a result, huge risks that could not conceptually be scaled or pared down to a “manageable” size went unaddressed.
ERM acknowledges the existence of huge risks — of potentially catastrophic circumstances that would threaten the existence of an organization. It then addresses the issue of the role all business units would play in mitigating a given risk event, both individually and collectively, and in responding to that event should it occur.
When implemented properly, ERM establishes an evaluative procedure that takes place for the enactment of every major business decision. It is not a set of roadblocks or barricades that dissuade an enterprise from taking any action at all. Rather, ERM should enable faster, more agile decision-making by giving all responsible parties a clearer picture, using a common set of metrics, of the present status of the organization and the market conditions it presently faces. Once a comprehension of risk becomes commonplace in an organization, evaluating potential paths forward becomes simple, straightforward, and obvious.
13 Principles of Enterprise Risk Management
The successful practitioners of ERM — usually deliberately, although sometimes without realizing it — abide by a number of business principles:
- ERM evaluates risk based on its anticipated impact, as opposed to its degree or breadth of damage after the fact. Previous events may play into each calculation, yet in the absence of hard facts, risk assessment can resort to reasoned prediction. Unlike a tornado whose classification is determined after the tornado event is concluded and the damage is done, the impact of an event is assessed before it happens, even if some of that assessment must be subjective or speculative.
- The evaluative and tactical approaches to every risk must be standardized and consistent with one another. The company cannot afford to adopt a different frame of mind or perspective based upon the context in which a risk event would play out. For example, it should not evaluate the risk of a workplace injury using a different methodology than it uses for a cybersecurity breach.
- Every organization’s risk management methods should be customized to its culture, decision-making processes, and its mission. Because every ERM methodology should be data-driven, the data utilized by the ERM platform should be limited to representing the assets critical to the functioning of the company, and the situation in which those assets come into play. Every organization is unique, so risks affect different organizations in dissimilar ways. However, the process of determining which risks are most prevalent should be standardized across companies.
- Every risk management process should be integrated into the way the company works, rather than operating as a kind of supplement, independent endeavor, or side project. Its governance structure, strategic planning, and decision making must all take evaluated risk into account.
- Multiple stakeholders and collaborative partners should participate in risk management, maximizing the depth of comprehension and perspective applicable to the assessment of risk at all times.
- While maintaining standards, risk response and treatment approaches must be adaptive, especially to changes, both rapid and gradual, in the environment and economy in which the company does business. Change must be incorporated into the lifecycle of ERM — indeed, inability to change in sync with the company’s evolving needs should itself be a formally assessed risk.
- The data from which risk information is derived must be of the highest quality, and should be continually refined and improved. New discoveries, uncovered evidence, feedback from stakeholders, and facts realized from experts’ judgment should all inform the company as to how the engineering behind the warehousing, retrieval, and delivery of data can be updated and enhanced.
- Human behavior must always be taken into consideration in every risk evaluation, including the degree to which such behavior cannot be predicted.
- The prioritization of risks to the entire enterprise must be clear and unambiguous. Proper and immediate response to a severe risk event must enable decision makers to conduct a kind of triage, responding first to those points of impact that deserve immediate attention, and that can ameliorate the situation most effectively.
- Risk management must apply itself solely to what is practical to achieve, acknowledging that while uncertainty can be minimized, it cannot be eliminated. Malicious actors may be capable of adapting and responding to effective risk management strategies themselves, and while their responses may be speculated upon, they may not always be anticipated.
- Treatment plans and responses to risk events should, where possible, be numerous and redundant. Having more than one treatment option enables the enterprise to have another plan in place in case the first plan becomes unfeasible or even impossible due to the impact of the risk event. The very existence of backup plans, and backups for backups, can reduce the potential impact of risk when it occurs.
- Open and direct communications must be maintained, not only with all stakeholders in risk management, but with customers, the public, and everyone conceivably impacted by a risk event. The least secretive endeavor within an enterprise should be risk management. Transparency is a benefit which in itself reduces the repercussions of risk, especially to a company’s reputation.
- Review, reassessment, and renovation of ERM policies and protocols must be an everyday part of the process. A comprehensive ERM platform will help a company to identify the changes to risks and the need for their re-evaluation and adjustment.
LEARN MORE FROM SIMPLERISK
- The River Crisis that Taught Me to Always Have a Plan B by Alan Proctor, Chief Compliance Officer, SimpleRisk
- $1,000 Mistakes: Risk Lessons from Bear County by Alan Proctor, Chief Compliance Officer, SimpleRisk
How to build a risk management plan
Every risk management project starts by thoroughly researching and evaluating the variety of methods and formulas that businesses like yours (and unlike yours) are presently using, deciding which methods are best suited to your business’ culture, market, and environment, and preparing to make adjustments and corrections should you discover better and more effective ways to handle risk. Risk management never begins by jumping in, doing Step One, and forging ahead blindly. Your entire team needs to have a reasonably clear idea of how the plan will work, because everyone in an enterprise is in some way involved with risk management.
- Set clear and well-articulated objectives. It isn’t enough to say the goal of a risk management program is to mitigate risks, like the first sentence of a thesis composed by some AI chatbot. Once your risk management program is under way, certain aspects of conducting business should be made clearer and easier. It’s only fair to state those expectations at the outset. Risk management is not supposed to introduce new obstacles, even if it ends up making everyday business processes more methodical.
- Choose a risk management approach. This is a personal, cultural, and corporate decision that will be specific to your organization. The approach you choose is something you should be capable of defending and supporting, should you ever find yourself on the firing line of questions from your stakeholders or board of directors. The strategies that your organization can set forth will be determined by the risk management approach you choose.
- Establish the context for all risks. The full nature and complexity of risks are only perceptible, as the ISO explains things, when you take the time to ascertain the organization’s business objectives, the environment in which it pursues those objectives, the interests of its stakeholders and customers, and the diversity of criteria associated with the assets being evaluated. You need to see all the factors, both internal and external to the company, that influence how a risk is assessed, along with how risk impacts those factors.
- Create your risk register. A risk register is a repository for isolating and identifying all the risks which the company plans to manage and mitigate. In this register, each risk is named and described. The results of qualitative or quantitative analysis (or both) are attributed to each risk, assessing its probability of occurrence and impact on the organization if it did occur. It states the relative level of priority for each risk. It designates responsible parties for each risk, and summarizes the planned response or treatment strategy for that risk.
- Begin monitoring assets associated with risk. As the assets associated with each risk are tracked, their status is recorded in the risk register. Risks should be re-assessed periodically, and adjustments to their status and to the methods for treating the risk associated with them should also be recorded.
SimpleRisk provides you with a risk register that records all open risks, their current status, and the date when each risk is scheduled for review. The register appears on SimpleRisk’s Review Regularly screen.
LEARN MORE FROM SIMPLERISK
- Luck Isn’t a Strategy: What Rock Climbing Teaches Us About Managing Risk by Alan Proctor, Chief Compliance Officer, SimpleRisk
- When Over-Preparation Becomes the Real Risk by Josh Sokol, CEO and Creator, SimpleRisk
What are the categories of risk?
Whatever method an enterprise may choose, every risk assessment process must take into account the assessed risk values in each of the following areas of potential impact. These are values, so it’s important to think of them numerically, as the result of an assessment or calculation.
Operational risk
Operational risk equates to the losses the company may suffer on account of human error, employee misconduct, failed internal processes, systems or technology failure, safety failure or violations, supply chain disruptions, and natural disaster. Such risk is often compounded by customer dissatisfaction that may arise through a combination of any or all of these factors. An enterprise’s perceived business performance and level of accountability are both susceptible to operational risk.
Strategic risk
Strategic risk equates to the impact an event may have on the environment in which a company does business, including customer sentiment and preferences, market dynamics and competitive situation, demand stability and fluctuations, supply chain resilience, geopolitical situation, and regulatory environment. All of these contexts directly affect an organization’s competitive and operational strategy.
Financial risk
Financial risk equates to the impact an event may have upon the company’s access to capital, on account of poor financial planning, inadequate debt management, or unfortunate investment decisions, as well as economic factors such as liquidity issues, market volatility, credit rescission or default, or an increase in the price of money on account of interest rate hikes and rising lending rates. The cost of legal defense, even if its likelihood of success is high, factors into financial risk.
Compliance risk
Compliance risk equates to the impact of failure of the company to follow or act in accordance with laws, regulations, environmental and safety standards, and its own internal codes of conduct and ethics policies. Such risk can be quantified in terms of penalties incurred. Failure to comply with technological governance frameworks and policies also incurs compliance risk.
Reputational risk
Reputational risk equates to the diminished value of the company with respect to its brand, image, and public perception. A reputational risk event may involve an employee’s poor conduct or behavior making news, a partner company’s poor business or workplace practices becoming publicly known, or a particularly negative event such as a product recall, which leads to bad publicity, especially if the state of the product being recalled appears to violate or contradict the company’s standards, promises, or longstanding traditions.
LEARN MORE FROM SIMPLERISK
- Compliance 101: Back to Basics by Ashley Swoope, Digital Marketing Director, SimpleRisk
What is asset valuation?
A critical element in determining the relative impact of a risk upon an organization is the valuation of the assets impacted by that risk. If everything that potentially could be impacted were just an item of inventory, it would be easy to look up its monetary value. But reputation is also an asset of the company, whose true value often goes unrealized until something happens and it’s damaged or even lost.
The basic formula for assessing the relative value of an asset, for the purposes of scoring its impact should that asset be lost, is as follows:
Total Asset Value = Assessed Asset Value × Impact (Weight)
Scoring for digital assets
For the sake of scoring the relative risk of information assets that don’t have an obvious or assessed monetary value, ERM frameworks often employ a qualitative scale called the CIA Triad. It’s not the intelligence agency, but rather a mnemonic for the three main virtues of any information asset:
- Confidentiality — Access to data within an organization should always be limited to those who are entitled to use it.
- Information integrity — Data vital to the functioning of a business and the safety of its customers must be reliably stored and monitored, and never subject to damage or unintentional erasure.
- Availability of data — Vital data must always be accessible to the people entitled to it without being delayed by technical, mechanical, or network issues.
For simplicity, a CIA score may be expressed on a three-point scale: 1 (low), 2 (medium), or 3 (high). The “weight” may be expressed on the same scale, and equates to the relative sensitivity of the data utilized by, or contained by, the asset. The product of the two factors results in a score between 3 and 9.
SimpleRisk’s approach to asset valuation balances practicality with effectiveness, reducing unnecessary complexity. Assets may be tagged by category: for instance, a database, a server, or a software developer. This simplified system enables organizations to prioritize risk mitigation, without perceiving asset valuation as a burden they must endure.
What are the two classes of risk assessment methodology?
To some degree, every risk whose value is properly assessed within an enterprise is analyzed in two ways: qualitatively and quantitatively. Both methods have their respective strengths and weaknesses, particularly with balancing thoroughness and depth against practicality and breadth of usefulness.
Qualitative risk analysis
Qualitative analysis often evaluates the severity of risk based upon a symbolic assessment of the breadth of the measures the company would need to implement in response to a risk event. How much would the company need to do — what would it need to expend in time, resources, and capital — to treat that event when it happens? Qualitative risk value, often called impact score, is often expressed on a simple scale, such as a 5-point or 10-point spectrum (frequently accompanied by a color band from green to red) with a descriptor (“low,” “medium-low,” “medium,” etc.). Two property scales may be combined on an x/y quadrant chart to denote comparative values, such as scope of damage versus cost of containment. Alternatively, and when feasible, a system of speculative probability may be employed, where likelihood or impact is assessed as a percentage (for example, “75%”).
OWASP risk scoring methodology
The most common, and certainly most basic, approach to subjectively scoring risk is to assess or estimate a probability percentage, multiply that figure by an impact score, and record that result. The impact score may be an arbitrary scale, but as long as it’s consistent, then the resulting scores should be somewhat reliable.
More systematic methodologies have since been developed that build on that simple risk = probability × impact formula. For instance, the OWASP methodology was developed by the Open Web Application Security Project and built on the foundation put forth by the National Institute of Standards and Technology — specifically in NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. The OWASP methodology applies 16 factor scores, each on an integer scale from 0 to 9, averaging the scores within each of four categories before averaging those into the final result:
- Threat agent factor incorporates the perceived skill level of the threat agent, the degree of motivation, the opportunity for the threat agent to exploit the vulnerability, and the relative number of people involved in the threat.
- Vulnerability factor amalgamates the ease of the vulnerability’s discovery, the ease of its exploit, the awareness level of the vulnerability to the threat agents, and its likelihood of being detected by the tools and platforms the threat agents use.
- Technical impact factor collects impact scores for loss of critical data confidentiality, loss of data integrity, loss of data and service availability, and degree of traceability and accountability of the threat agent’s actions to a responsible party.
- Business impact factor groups together the relative degree of financial damage, relative degree of damage to the company’s reputation, exposure to further business risk as a result of non-compliance, and possibility of breaches of personal privacy.
The final OWASP score is rendered on a three-tier scale, with each risk declared low, medium, or high.
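The following is an added worked example, not SimpleRisk code or OWASP’s own calculator, that carries the four-category averaging described above through to a rating. The factor names follow the OWASP Risk Rating Methodology, and the likelihood and impact averages are rated on the three-tier scale using the methodology’s published cut-offs (below 3 is low, 3 to below 6 is medium, 6 and above is high). To combine the two ratings it uses the likelihood × impact matrix from the published methodology, which adds a Note tier below low and a Critical tier above high. The factor scores for the sample finding are constructed values:

```python
"""Worked OWASP Risk Rating calculation.

Added example: this is not SimpleRisk code or OWASP's own calculator. Factor
names follow the OWASP Risk Rating Methodology; the sample scores below are
constructed values for one hypothetical finding.
"""

# The 16 factors, each scored 0-9, grouped into the four categories.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")
ALL_FACTORS = THREAT_AGENT + VULNERABILITY + TECHNICAL_IMPACT + BUSINESS_IMPACT

# Overall severity, indexed by (likelihood rating, impact rating), from the
# published OWASP likelihood x impact matrix.
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}


def rate(score: float) -> str:
    """Map a 0-9 average onto the three-tier scale (OWASP cut-offs)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def group_average(scores: dict, factors: tuple) -> float:
    """Plain arithmetic mean of the named factors, always as a float."""
    return sum(scores[f] for f in factors) / len(factors)


def owasp_rating(scores: dict) -> dict:
    """Validate the 16 factor scores and return every intermediate average."""
    missing = set(ALL_FACTORS) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    bad = {f: v for f, v in scores.items() if not 0 <= v <= 9}
    if bad:
        raise ValueError(f"factor scores must be 0-9: {bad}")
    # Likelihood combines the threat-agent and vulnerability categories;
    # impact combines the technical and business categories.
    likelihood = group_average(scores, THREAT_AGENT + VULNERABILITY)
    impact = group_average(scores, TECHNICAL_IMPACT + BUSINESS_IMPACT)
    return {
        "threat_agent": group_average(scores, THREAT_AGENT),
        "vulnerability": group_average(scores, VULNERABILITY),
        "technical_impact": group_average(scores, TECHNICAL_IMPACT),
        "business_impact": group_average(scores, BUSINESS_IMPACT),
        "likelihood": likelihood,
        "likelihood_rating": rate(likelihood),
        "impact": impact,
        "impact_rating": rate(impact),
        "severity": SEVERITY[(rate(likelihood), rate(impact))],
    }


# Constructed sample scores for a hypothetical finding (not real data).
SAMPLE_FINDING = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 9,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 2, "privacy_violation": 4,
}

if __name__ == "__main__":
    for key, value in owasp_rating(SAMPLE_FINDING).items():
        print(f"{key:>20}: {value}")
```

With the sample scores, likelihood averages 6.75 (high) while impact averages 5.25 (medium), so the finding lands at High rather than Critical; a high-likelihood, medium-impact result is exactly the case where the matrix, rather than a single averaged number, makes the difference visible.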
LEARN MORE FROM SIMPLERISK
- The OWASP Risk Rating Methodology and SimpleRisk by Josh Sokol, CEO and Creator, SimpleRisk
Quantitative risk analysis
Quantitative analysis avoids speculation and subjective judgment, relying instead upon data and associated formulas to calculate the probability of a risk’s occurrence, or the probability of damage as a result of that occurrence.
The most common formula used in quantitative analysis is simple:
ALE = SLE × ARO
where ALE (annualized loss expectancy) represents the financial loss associated with a given risk over a 12-month period; SLE (single loss expectancy) represents the total financial loss associated with a single occurrence of that risk; and ARO (annual rate of occurrence) represents the number of times a loss is expected to occur during any given 12-month period.
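To tie the pieces together, here is an added example, not SimpleRisk’s register or any of its code, of a minimal risk register of the kind described under “Create your risk register” above. Each entry carries the fields that section lists (name, description, owner, qualitative likelihood and impact, treatment, review date), a qualitative score computed as likelihood × impact on a 1-to-5 scale, and, where SLE and ARO are known, the quantitative ALE = SLE × ARO. The field names, scales, entries, amounts and dates are all constructed for the illustration:

```python
"""Minimal risk register with qualitative and quantitative scoring.

Added example: not SimpleRisk's register or data model. Field names, scales,
entries, amounts and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Risk:
    name: str
    description: str
    owner: str
    likelihood: int            # qualitative, 1 (rare) to 5 (almost certain)
    impact: int                # qualitative, 1 (negligible) to 5 (severe)
    treatment: str             # planned response or treatment strategy
    last_reviewed: date
    review_interval_days: int = 90
    sle: Optional[float] = None   # single loss expectancy, if estimable
    aro: Optional[float] = None   # annual rate of occurrence, if estimable

    def __post_init__(self):
        # Reject entries outside the scales the register is defined on.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        if (self.sle is None) != (self.aro is None):
            raise ValueError(f"{self.name}: SLE and ARO must be given together")
        if self.sle is not None and (self.sle < 0 or self.aro < 0):
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")

    @property
    def qualitative_score(self) -> int:
        """risk = probability x impact, on the 1-25 scale of the register."""
        return self.likelihood * self.impact

    @property
    def ale(self) -> Optional[float]:
        """ALE = SLE x ARO, or None when no quantitative estimate exists."""
        if self.sle is None:
            return None
        return self.sle * self.aro

    def next_review(self) -> date:
        return self.last_reviewed + timedelta(days=self.review_interval_days)


def prioritize(register: List[Risk]) -> List[str]:
    """Names ordered by qualitative score, ties broken by ALE (unknown ALE last)."""
    ranked = sorted(register, key=lambda r: (r.qualitative_score, r.ale or 0.0), reverse=True)
    return [r.name for r in ranked]


def total_ale(register: List[Risk]) -> float:
    """Sum of ALE over the entries that have a quantitative estimate."""
    return sum(r.ale for r in register if r.ale is not None)


def due_for_review(register: List[Risk], as_of: date) -> List[str]:
    """Entries whose scheduled review date has arrived by `as_of`."""
    return [r.name for r in register if r.next_review() <= as_of]


# Constructed sample register (hypothetical entries, not real data).
REGISTER = [
    Risk("Ransomware on file servers", "Encryption of shared file storage", "IT Ops",
         likelihood=3, impact=5, treatment="Offline backups, EDR, restore drills",
         last_reviewed=date(2024, 1, 15), sle=400_000.0, aro=0.2),
    Risk("Lost laptop with unencrypted data", "Device loss exposing customer records", "IT Ops",
         likelihood=4, impact=3, treatment="Full-disk encryption, remote wipe",
         last_reviewed=date(2023, 12, 1), sle=25_000.0, aro=2.0),
    Risk("Key vendor outage", "Critical SaaS provider unavailable", "Procurement",
         likelihood=2, impact=4, treatment="Contractual SLA, secondary vendor",
         last_reviewed=date(2024, 3, 1), review_interval_days=180),
    Risk("Phishing credential theft", "Staff credentials captured by phishing", "Security",
         likelihood=5, impact=3, treatment="Phishing-resistant MFA, awareness training",
         last_reviewed=date(2024, 1, 1), sle=10_000.0, aro=6.0),
]

AS_OF = date(2024, 4, 1)  # constructed "today" for the review check

if __name__ == "__main__":
    print("priority order:", prioritize(REGISTER))
    print("total ALE:", total_ale(REGISTER))
    print("due for review:", due_for_review(REGISTER, AS_OF))
```

Two design points are worth noting. The qualitative score decides priority and ALE only breaks ties, because many register entries (the vendor outage here) never get a defensible SLE and ARO, and a register that sorts on ALE alone silently pushes those entries to the bottom. SLE and ARO are also required together: an ALE computed from one without the other would be a number that looks quantitative but is not.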
Factored Analysis of Information Risk (FAIR)
The Factor Analysis of Information Risk (FAIR) scoring methodology is technically considered a quantitative method, although its final product is often presented on a scale that resembles a qualitative analysis. FAIR makes ample use of the basic risk = probability × impact formula. However, its quantitative aspect lies in how it calculates loss in six categories:
- Productivity loss diminishes a company’s ability to apply itself to its primary value proposition — that is, to make the things or produce the services for which it’s mainly known. This can happen as the result of a service outage, or the impairment or neutralization of personnel.
- Response loss is incurred when a company suffers expenses for the management of a loss event, such as overtime hours and legal expenses.
- Replacement loss is suffered when replacing a damaged asset, or in repairing a system to the point where it can conduct business and provide service as before even when the asset cannot be replaced one-to-one.
- Fines and judgment losses are incurred by way of legal penalties, including bail for any arrests of personnel, and legal expenses imposed when plaintiffs win a suit against the company.
- Competitive advantage loss happens when the company’s situation in its marketplace against competitors is diminished by the loss event — for instance, by higher production costs, lower product or service quality, and reduced features and capabilities.
- Reputation loss takes place when external stakeholders’ and customers’ perception of the company and its brand are diminished as a result of the loss event — for example, by reduced market share or stock price, and discontinuation of joint ventures.
LEARN MORE FROM SIMPLERISK
- Normalizing Risk Scoring Across Different Methodologies by Josh Sokol, CEO and Creator, SimpleRisk
What are the key risk management frameworks?
International standards bodies and government agencies around the world have developed frameworks and guidelines for companies to follow, to enable them to more readily and effectively adopt risk management principles. When government agencies do business with outside agencies and firms, they must often, by law, ensure that those entities maintain the same standards for security, privacy, and data protection that they do. As NIST explains [PDF], following a risk management framework ensures that an organization has exercised due diligence in managing information security and privacy risk. Certification of organizations adopting these frameworks assures their business partners, stakeholders, and customers that they are conducting responsible business practices, and taking reasonable steps to plan for negative outcomes and to control costs.
ISO/IEC 27001 + ISO/IEC 27002
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly produced the ISO/IEC 27001:2022 framework to provide commercial and governmental organizations with basic guidelines for ensuring proper cybersecurity. Each of the advised practices is referred to as a control, which is a measure taken to protect information access. The CIA Triad is invoked here as a means of scoring the value of assets based on their three principal virtues to the organization: confidentiality, information integrity, and data availability.
ISO/IEC 27002 supplements this framework by advising on best practices and control objectives for access control, cryptography, human resource security, and incident response. “Control objectives” refers not just to the assets a control protects, but also to all the transactions and processes that benefit from the protection of those assets.
LEARN MORE FROM SIMPLERISK
- Using the ISO 27001 Control Framework with SimpleRisk by Josh Sokol, CEO and Creator, SimpleRisk
- Certified in 18 Months: Lessons from SimpleRisk’s ISO 27001 Journey by Alan Proctor, Chief Compliance Officer, SimpleRisk
ISO 31000
While there are quite a few principles to which successful risk managers adhere (this document managed to name 13), ISO 31000 offers a set of internationally standardized principles for which an organization may be certified. This document aids organizations in formalizing risk management practices, reviewing and revising processes already in place, integrating risk management ideals throughout the organization, and also contextualizing risk.
Risk context is an often mis-defined concept. It does not mean, as you may read elsewhere, limiting the scope of risk to the department to which it most directly applies. Indeed, that is the opposite of the “Enterprise” principle in ERM.
As ISO defines it, risk context is an appreciation of risks in the environment and the situation where they exist. Some risk managers have stated ISO could have been clearer about this definition, and certainly the many misinterpretations of this concept stand as evidence they could be right. But ISO was being careful to take into account the environment in which ISO 31000 would be adopted, and the historical tendency of organizations in that environment to appear to reduce risk by limiting the scope of its assessment to compartmentalized units. In so doing, perhaps ironically, ISO’s effort is self-demonstrating: It insists that risk managers refrain from limiting themselves to a single, restrictive context for all risk, such as “the corporation” or “the company’s reputation.” Risk events can impact everyone, if only in very small and usually imperceptible ways, which is an important fact to consider throughout the risk assessment process.
NIST SP 800-53
The purpose of NIST Special Publication 800-53 is to set forth a regimen of controls that extends information security and privacy protections to the cloud and network-based systems. This way, the US Government and others following its example can do business with cloud service providers, as well as SaaS providers who host their applications on the cloud.
NIST’s approach to implementing security controls for the cloud changed with the release of Revision 5 of SP 800-53 in September 2020, followed by SP 800-53A in January 2022. Previously, the framework’s controls were implemented through a series of steps designed to achieve a positive outcome, although more attention may have been paid to the sequence of steps rather than the attainment of the outcome itself. Quite deliberately, NIST acknowledged this may have actually been a problem, so Revision 5 replaces the old approach with one it calls outcome-based. Specifically, rather than implementing controls whose intention is to thwart the behavior that leads to negative impacts the framework seeks to prevent, the entire concept was turned on its head, focusing on positive outcomes the framework seeks to achieve.
COSO ERM Framework
In June 2017 [PDF], the Committee of Sponsoring Organizations of the Treadway Commission (COSO, established in 1985 to investigate fraud in financial reporting, named for SEC then-Commissioner James C. Treadway, Jr.) updated its framework for ERM to more clearly focus on what it perceived as five categories of fundamental principles: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting. COSO then established 20 ERM principles, and delegated them among the five categories.
Some of these principles are actually primary tasks, such as identifying risks, assessing the severity of risks, prioritizing risks, and reviewing performance in the wake of implementing risk controls. But by articulating these tasks as principles, COSO’s aim is to drive a sense of achievement among organizations that adopt them, rather than treating them simply as items to be ticked off a checklist.
CMMC
The Cybersecurity Maturity Model Certification was designed by the U.S. Defense Dept. specifically to institute safeguards for the protection of what it calls Controlled Unclassified Information (CUI). (Other agencies around the world also call this regulated data.) This is information that must be shared in order for agencies like the DoD to do business, but that does not contain secrets whose dissemination would endanger the lives of personnel or soldiers in the field. Identity is a concept that enables transactions on a network to be attributed to an individual user, and thus protected. But in order for operations to take place in public cloud environments — especially in more than one at a time — identity must be transferred between processes. This requires the sharing of information which, although unclassified, is still deserving of safeguards.
The DoD perceives good information safety practices as a matter of “hygiene.” For the CMMC, it devised 171 such practices, which any organization can adopt in what the framework designates as five stages of maturity: basic, intermediate, good, proactive, and advanced or progressive. Achievement of the objectives of these five stages takes place sequentially, with Level 1 requiring self-assessments every year, and subsequent levels subject to review every three years.
SimpleRisk has developed a qualitative method for scoring cybersecurity maturity levels based on the degree to which risk management processes are understood by the people who perform them. A process may start out as Performed, but not well understood. As a process becomes better comprehended, it graduates to successive stages: Managed, Established, Predictable, and finally Optimized. In this final stage, a review of the process may confirm there is little about the process that needs to be improved upon.
LEARN MORE FROM SIMPLERISK
- Should Vulnerabilities and Risks Be Managed in the Same Place? by Josh Sokol and Jeff Gall
- Metrics That Matter: Proving Cybersecurity Value Beyond Risk Reduction by Josh Sokol, CEO and Creator, SimpleRisk
How can risk reporting be made more effective?
The relevant stakeholders in an organization need to be continually assured that the risk management process is proceeding smoothly and efficiently (even when it occasionally isn’t). Anxious stakeholders may collectively constitute a risk in and of themselves, especially when risk managers fail to inform them of the presently assessed state of potential risk in a timely and expedient fashion.
A risk report should give an essential stakeholder a complete picture of what could happen, and how the organization will respond in that event. First and foremost, the reporting process should strive to convey to its reader the following:
- Accuracy, including by disclosing the validation rules used in calculating quantitative analyses, plus a full explanation of the conventions used in validating the logic used in reporting, and explanations of any weaknesses in the data or errors turned up in prior reports requiring correction
- Comprehensiveness, detailing the risk positions for all business units in the enterprise, and fulfilling all risk reporting requirements required by compliance frameworks
- Clarity, distilling disclosed information by balancing minimum verbiage with maximum explanation
- Frequency, which may mean certain stakeholders are kept updated more often than just quarterly
- Propagation, ensuring fair and rapid distribution of risk information to all stakeholders, along with necessary and non-confidential information to other interested parties
There need not necessarily be a metric for this, but one emerging item of knowledge that a risk report should convey is a sense of the organization’s risk appetite balanced against its capability for risk tolerance. A company may want to present an image to potential investors, not just current stakeholders, that it’s willing to aggressively assume new risk, if in so doing it can attain new competitive advantages.
One way to convey an overall sense of risk appetite is to imbue the risk report with the following key themes:
- Business goals and objectives, including identifying organizational goals that are strengthened through the risk management process. For example, the goals of reducing real estate costs and enhancing employee experience may both be addressed by prioritizing more aggressive remote work policies, while reducing investments in office space.
- Quick wins, including the "low-hanging fruit" goals that can be met with a minimum of financial investment and staff effort
- Long-term projections, which collect groups of related risks together to underscore how the company’s commitment to bigger goals impacts multiple areas of the organization — for example, corporate sustainability initiatives
- Burning fires, which include high-priority risk items capable of culminating in serious business interruptions and financial losses. These items should never be buried beneath mounds of less relevant data or within the small print of an appendix.
A properly assembled, timely risk report will enable stakeholders and their partners to ascertain the most effective areas and projects in which to invest the company’s limited resources.
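As an added example (not SimpleRisk's code and not part of the original page), the script below builds a risk report from a constructed register and applies three of the criteria above: it discloses its validation rules and the data weaknesses it found rather than silently clamping bad values (accuracy), it lists every expected business unit even where nothing could be scored (comprehensiveness), and it ranks the items above the stated risk appetite first so that burning fires cannot be buried. The 1-5 scale, the appetite and tolerance thresholds, the field names and the sample risks are all assumptions for illustration; the likelihood-times-impact product is a deliberately minimal scoring scheme, not OWASP Risk Rating or CVSS.

```python
# Added example, not SimpleRisk's code: a minimal risk-report builder that
# applies the reporting criteria above to a constructed risk register.
# Scale, thresholds, field names and the sample risks are all assumptions.
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1-5 likelihood and impact scale
RISK_APPETITE = 12            # assumed: a score above this exceeds appetite (a "burning fire")
RISK_TOLERANCE = 20           # assumed: a score above this the organization cannot absorb


@dataclass
class Risk:
    id: str
    business_unit: str
    title: str
    likelihood: int
    impact: int
    owner: str = ""


def scale_errors(risk):
    """Accuracy: the validation rule is explicit and every violation is reported, not clamped."""
    errors = []
    for name in ("likelihood", "impact"):
        value = getattr(risk, name)
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            errors.append(f"{risk.id}: {name}={value!r} outside {SCALE_MIN}-{SCALE_MAX}")
    return errors


def score(risk):
    """Minimal qualitative score: likelihood x impact (illustrative, not OWASP or CVSS)."""
    return risk.likelihood * risk.impact


def build_report(register, business_units):
    """Return a report dict covering accuracy, comprehensiveness and burning fires."""
    weaknesses = []   # disclosed data weaknesses (accuracy)
    scored = []       # (score, risk) for entries that passed validation
    for risk in register:
        errors = scale_errors(risk)
        weaknesses.extend(errors)
        if not risk.owner:
            weaknesses.append(f"{risk.id}: no owner assigned")
        if errors:
            continue  # an invalid entry must not shape unit totals or priorities
        scored.append((score(risk), risk))

    # Comprehensiveness: every expected business unit appears, even with no scored risk.
    by_unit = {unit: [] for unit in business_units}
    for value, risk in scored:
        by_unit.setdefault(risk.business_unit, []).append(value)

    ranked = sorted(scored, key=lambda pair: pair[0], reverse=True)
    return {
        "validation_rules": f"likelihood and impact in {SCALE_MIN}-{SCALE_MAX}; score = likelihood x impact",
        "appetite": RISK_APPETITE,
        "tolerance": RISK_TOLERANCE,
        "data_weaknesses": weaknesses,
        "unit_max_score": {unit: max(values, default=0) for unit, values in by_unit.items()},
        "units_without_scored_risks": [unit for unit, values in by_unit.items() if not values],
        # Burning fires come first, highest score first, never in an appendix.
        "burning_fires": [r.id for s, r in ranked if s > RISK_APPETITE],
        "beyond_tolerance": [r.id for s, r in ranked if s > RISK_TOLERANCE],
    }


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-1", "Finance", "Ransomware on ERP host", 4, 5, owner="CFO"),
    Risk("R-2", "Engineering", "Unpatched CI runner exposed to the internet", 5, 5, owner="Eng lead"),
    Risk("R-3", "Finance", "Vendor invoice fraud", 2, 3),  # no owner: a data weakness
    Risk("R-4", "Marketing", "Expired TLS certificate on microsite", 3, 7, owner="Marketing ops"),  # impact off-scale
]
SAMPLE_UNITS = ["Finance", "Engineering", "Marketing", "HR"]  # HR has reported nothing


def sample_report():
    return build_report(SAMPLE_REGISTER, SAMPLE_UNITS)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Note that R-4 is excluded from scoring but still surfaces under data weaknesses, and Marketing then shows up as a unit with no scored risk: a report that silently accepted the off-scale impact would have ranked R-4 as the top item (score 21) and hidden both problems.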
LEARN MORE FROM SIMPLERISK
- How to Use Standards to Assess Your Organization’s Cybersecurity Maturity by Josh Sokol, CEO, SimpleRisk
- How to Model Security Maturity in Your Organization — recorded webinar featuring Josh Sokol, CEO, SimpleRisk, with Michael Rasmussen, GRC Pundit, GRC 20/20
AI empowers the risk management process
SimpleRisk applies AI where it can do the most good to improve the effectiveness of your risk management processes. Presently, SimpleRisk uses AI to support a variety of features, including the following:
- Assimilating contextual information from the supplied risk data about an organization's business, data, and maturity, to produce custom recommendations for its governance, risk, and compliance (GRC) operations
- Analyzing risk data to provide advice on organization and formatting, such as how data is framed within the SimpleRisk system
- Evaluating risk mitigation data to ascertain whether the currently selected controls are appropriate to their apparent purposes, plus additional recommendations for risk mitigation
- Studying GRC controls and program documentation, including policies, guidelines, standards, and procedures, to provide recommendations for missing or poor semantic associations
Managing risks creates stability
The frameworks, methodologies, and principles outlined in this guide will help you and your organization move from perceiving risk as a field of uncertainty to treating it as a domain of awareness and stability. Risk is, by definition, a measure of uncertainty. Measuring it better does not reduce that uncertainty; on the contrary, it can make you aware of a great many factors you did not know existed.
Measurement alone is not risk management. But measurement, with the proper metrics, will acquaint you with the activities and processes your organization needs to mitigate risk and respond to risk events and hazards when they happen.
Your free trial awaits
Experience how the SimpleRisk platform can help you build, implement, and maintain a robust ERM strategy that's tailored to your organization's unique needs. With a free trial of SimpleRisk, you can begin today to create a comprehensive risk register, track corporate assets, implement scoring methodologies such as OWASP Risk Rating and CVSS, and align risk mitigation activities with key frameworks such as ISO 27001 and the NIST RMF. Take full control of your risk management strategy with SimpleRisk today.