Risk by nature is an abstract concept. In order to better understand your risk management lifecycle, you must first understand your contributing risk factors. Many companies realize that preventing risks and being prepared to address their consequences is not a one-and-done project. The truth is risks change all the time. Changing circumstances, including new threats, vulnerabilities, and assets, means new risks, too. If you tip the balance on what assets are most critical to your business, you need a whole new approach.
Your risk management lifecycle needs to be at the center of your strategy. It gives you a repeatable process that ensures there are no gaps in your risk management processes and activities.
Register for the Webinar: Building a GRC Program That Fits Your Business | A First Line Friendly ISMS Suite
Mapping the Elements in Your Risk Management Lifecycle
To have a risk, you need three key elements: asset, vulnerability, and threat. To map your risk management lifecycle effectively, you need to understand what these elements are and how together they can impact your business.
#1 Evaluating Your Assets
Before we can understand risk or business impact, we first need to identify your assets. What is of value to the business today, and what is the organization looking to achieve? Often your business assets will be infrastructure, software, or hardware, some of which may contain proprietary or sensitive data (e.g., databases). Assets can also be processes or vendor relationships that are essential to your operations and business objectives.
Next, let’s look at a scenario to understand how these elements contribute to our risk management lifecycle: Imagine you’ve invested in a large, waterproof umbrella to keep you dry on a rainy day. However, there’s a pin-sized hole at the top that widens with the force of the rain. Suddenly, what you thought was protected is now useless and ruined.
#2 Scanning for Vulnerabilities
Opportunity is everything and a vulnerability is precisely that for many risks. A vulnerability is a weakness or gap in a program, process, or function. If a vulnerability is present, your assets may be subject to unauthorized access that could compromise your business objectives.
Think of vulnerabilities using the umbrella analogy. The hole in the umbrella is a vulnerability in the umbrella’s function of keeping whatever is underneath it dry, and you are the asset it is meant to protect. Now imagine that umbrella is your IT security program. In a GRC scenario, the asset could be data, and a potential vulnerability could be an unpatched server or an unaware employee.
#3 Identifying Threat Events
Any trigger or event that could exploit a vulnerability to cause damage or compromise an asset, either intentionally or unintentionally, is a threat. Threats are persistent and evolving in nature. They are ever-present but sometimes not as apparent as you would think.
In our umbrella analogy, the water is the threat: it exploits the hole, a vulnerability in the system, to gain unwanted access to the asset, you. In our GRC risk management lifecycle scenario, the threat could be a hacker, a phishing campaign, or even someone accidentally obtaining sensitive information that originated from your organization.
#4 Calculating Your Risk
Risk is the business impact, either positive or negative, that occurs when an asset, a vulnerability, and a threat align. In our umbrella scenario, the risk is that you, the asset, get wet; conversely, the value aligned to your objective is staying dry on a rainy day. Without any one of the three core components of risk (asset, vulnerability, and threat) you don’t have the risk of getting wet.
Think of the scenario as:
- You have a fully intact umbrella – there is no hole and therefore, no vulnerability
- It’s sunny outside – there is no rain so there is no threat to you (the asset)
In either case there is no risk that you will get wet. Of course, other factors and combinations outside the elements defined in this simple scenario may still produce this risk: a flash flood is another threat that could compromise your objective, and if it is a likely threat you may want to map out that scenario and track it against the risk of getting wet.
#5 Implementing Controls
Rather than eliminating threats and vulnerabilities outright, most businesses put compensating measures, called controls, in place. These are the proactive plans you’ve set up to address every type of risk scenario or element that could face your organization. A control is an attribute or component, real or conceptual, that takes a risk out of the game. Most organizations have an extensive control management strategy to help stop risks from becoming realities.
Controls to keep you dry in our ongoing umbrella scenario may include:
- Installing a patch over the hole
- Changing its function to a sun umbrella
You may also introduce compensating controls if patching the hole doesn’t work:
- Mapping an alternate route or path under a covered walkway
- Purchasing a poncho or a hooded raincoat
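The three-element rule from #4 and the two kinds of controls from #5 can be expressed as a small risk register evaluator. The following is an added example, not code from OneTrust or this article; the asset, vulnerability and threat names, the numeric asset value, and the `reduction` fractions on compensating controls are all constructed for illustration. A risk appears only when an asset in the inventory carries a vulnerability that is not remediated and at least one threat is mapped to that vulnerability; compensating controls do not remove the risk but scale its residual impact.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # constructed business-impact score for the asset


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str  # name of the asset this weakness sits on


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str  # name of the vulnerability this threat can use


@dataclass(frozen=True)
class Control:
    name: str
    kind: str          # "remediate": closes the vulnerability; "compensate": reduces impact
    target: str        # vulnerability the control addresses
    reduction: float = 0.0  # fraction of impact removed (compensating controls only, assumed scale)


def open_risks(assets, vulnerabilities, threats, controls=()):
    """Return (asset, vulnerability, threat, residual_impact) for every risk
    that still exists after the given controls are applied."""
    asset_by_name = {a.name: a for a in assets}
    remediated = {c.target for c in controls if c.kind == "remediate"}
    results = []
    for vuln in vulnerabilities:
        asset = asset_by_name.get(vuln.asset)
        # No asset in inventory, or vulnerability closed: no risk (rule from #4).
        if asset is None or vuln.name in remediated:
            continue
        # Compensating controls multiply down the impact but never zero it out.
        factor = 1.0
        for ctrl in controls:
            if ctrl.kind == "compensate" and ctrl.target == vuln.name:
                factor *= 1.0 - ctrl.reduction
        # A vulnerability with no threat mapped to it yields no risk.
        for threat in threats:
            if threat.exploits == vuln.name:
                results.append((asset.name, vuln.name, threat.name,
                                round(asset.value * factor, 2)))
    return results


def sample_register():
    """Constructed GRC scenario mirroring the article's examples."""
    assets = [Asset("customer database", 100.0)]
    vulnerabilities = [
        Vulnerability("unpatched server", "customer database"),
        Vulnerability("phishing-unaware staff", "customer database"),
        # Asset is not in the inventory (decommissioned), so this cannot become a risk.
        Vulnerability("weak password policy", "legacy HR app"),
    ]
    threats = [
        Threat("external attacker", "unpatched server"),
        Threat("phishing campaign", "phishing-unaware staff"),
        Threat("credential stuffing", "weak password policy"),
    ]
    controls = [
        Control("apply vendor patch", "remediate", "unpatched server"),
        Control("security awareness training", "compensate", "phishing-unaware staff", 0.6),
        Control("MFA on database access", "compensate", "phishing-unaware staff", 0.5),
    ]
    return assets, vulnerabilities, threats, controls


def inherent_risks():
    assets, vulns, threats, _ = sample_register()
    return open_risks(assets, vulns, threats)


def residual_risks():
    return open_risks(*sample_register())


if __name__ == "__main__":
    print("inherent:", inherent_risks())
    print("residual:", residual_risks())
```

Running it shows two inherent risks on the customer database, then a single residual risk after the patch removes one vulnerability and the two compensating controls cut the phishing impact to 20 percent of the asset's value. Replacing the constructed values with your own register gives the same "which combinations still line up" view the lifecycle is meant to keep current.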
Leveraging Insights from Your Risk Management Lifecycle
A high-level view of these factors and how they affect each other is imperative for maintaining a healthy security process. Beyond that, your risk management lifecycle is about identifying these elements and understanding how they may change over time. With this understanding, you can institute the right risk mitigation strategy as your risk management lifecycle evolves with your business, and reduce your risk exposure.
A big gap in solving the risk management lifecycle puzzle is not having the most complete or up-to-date information. OneTrust GRC offers a platform that can connect and collect risk insights across domains. Execute the necessary functions for a complete information security management system with GRC software that can easily adapt to your business needs and objectives. Our team will be discussing this topic to identify trends and technology that help your business manage risk.
Start a free trial or schedule a demo today.
Further risk management lifecycle reading:
- Read the blog: Common Problems with Using Spreadsheets for GRC Compliance
- Read the blog: What is an IT Security Risk Management Framework?
- Read the blog: Risk Management Tools: Discover and Quantify Risk for Your Business
Next steps on mapping your risk management lifecycle:
- Watch the webinar: 3 Best Practices to Quantify Risk | Repeatable, Reliable, Reportable Insights
- Download the report: OneTrust Recognized in 2020 Gartner Magic Quadrant for IT Risk Management
- Watch the webinar: 3 Ways to Scale GRC | Working Across Your Lines of Defense