Prioritizing Risk

Last time, I talked about the 2nd point under the COSO guiding principle of Performance, Assesses Severity of Risk. This week, we'll move on to the 3rd point under Performance, Prioritizes Risk.

Performance has 5 points:

  1. Identifies Risk

  2. Assesses Severity of Risk

  3. Prioritizes Risk

  4. Implements Risk Responses

  5. Develops Portfolio View 

Now that cyber risks have been identified, assessed and documented in the risk register, your organization must go about the critical task of prioritizing them. Again, not all risks can be fully addressed all the time. That would not be an efficient allocation of capital and resources.

Does the exposure of the assessed cyber risk fall within your organization's risk appetite and risk tolerance? If so, chances are your organization will accept the risk.  

If it doesn’t, then a decision needs to be made to respond to, or treat, the risk.  

If the cyber risk is likely to impact the organization's ability to accomplish its strategic goals, the risk should be escalated up to the ERM team to be incorporated in the enterprise risk register in order to be evaluated and prioritized alongside other enterprise risks.

Each organization's ERM team will use different factors to prioritize risk, but those factors will almost always include:

  • A determination of overall risk exposure based on impact and likelihood

  • A cost/benefit analysis of implementing a given risk response (don't spend a dollar to save a dime) 

It is important to note three things:

  1. Monetary values and scales for risk exposure are specific for each organization and are usually set by the board's Risk Committee or by the Executive Leadership Team at a smaller organization.

  2. The scales may shift according to the organization's risk appetite, and the distribution of rated risks tends to look like a bell curve, with most of them falling in the "Medium" or "Middle" category.

  3. A specific metric often quantifies the impact (e.g., $5M negative impact to EBITDA, or $2.5M total cost to recover from the risk event).
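To make the two prioritization factors above concrete, here is an added example (not from the original post, and not any organization's actual methodology) that scores a small cyber risk register: it computes annualized exposure as impact in dollars times expected events per year, checks it against a risk tolerance, escalates anything that threatens a strategic goal, and applies the "don't spend a dollar to save a dime" test to the proposed response. The 1-5 scales, the dollar values behind them, the $500K tolerance, and the sample risks are all constructed for illustration; your Risk Committee sets the real ones.

```python
from dataclasses import dataclass

# Hypothetical 1-5 scales. Every organization sets its own monetary values and
# likelihood bands (usually via the board's Risk Committee); these numbers are
# constructed for illustration only.
IMPACT_USD = {1: 50_000, 2: 250_000, 3: 1_000_000, 4: 5_000_000, 5: 20_000_000}
EVENTS_PER_YEAR = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 3.0}


@dataclass
class Risk:
    name: str
    impact: int              # 1-5 on the impact scale
    likelihood: int          # 1-5 on the likelihood scale
    response_cost: float     # annual cost of the proposed response (USD)
    residual: float          # fraction of exposure remaining after the response
    strategic: bool = False  # True if the risk threatens a strategic goal


def exposure(risk: Risk) -> float:
    """Annualized exposure = impact (USD) x likelihood (events/year)."""
    return IMPACT_USD[risk.impact] * EVENTS_PER_YEAR[risk.likelihood]


def rating(exp: float, tolerance: float) -> str:
    """Map exposure onto Low/Medium/High bands anchored on risk tolerance.

    The Medium band is deliberately wide, so most risks land there, which is
    the bell-curve shape most registers end up with. The 4x multiplier for
    High is a hypothetical choice.
    """
    if exp <= tolerance:
        return "Low"
    if exp >= 4 * tolerance:
        return "High"
    return "Medium"


def decide(risk: Risk, tolerance: float) -> tuple[str, str]:
    """Return (decision, reason) for one register entry."""
    exp = exposure(risk)
    if risk.strategic:
        return "escalate", "threatens a strategic goal; send to the ERM register"
    if exp <= tolerance:
        return "accept", f"exposure ${exp:,.0f} is within tolerance ${tolerance:,.0f}"
    benefit = exp * (1 - risk.residual)  # exposure the response removes each year
    if benefit < risk.response_cost:
        return "reconsider", (f"response costs ${risk.response_cost:,.0f} to remove "
                              f"${benefit:,.0f} of exposure; find a cheaper response "
                              "or transfer the risk")
    return "treat", f"response removes ${benefit:,.0f} of exposure for ${risk.response_cost:,.0f}"


def prioritize(register: list[Risk], tolerance: float) -> list[dict]:
    """Rank the register by exposure, highest first, with rating and decision."""
    rows = []
    for r in register:
        exp = exposure(r)
        decision, reason = decide(r, tolerance)
        rows.append({"name": r.name, "exposure": exp, "rating": rating(exp, tolerance),
                     "decision": decision, "reason": reason})
    return sorted(rows, key=lambda row: row["exposure"], reverse=True)


# Constructed sample register for a single business unit.
SAMPLE_REGISTER = [
    Risk("Ransomware on ERP platform", impact=4, likelihood=3,
         response_cost=300_000, residual=0.2, strategic=True),
    Risk("Credential phishing against finance", impact=3, likelihood=4,
         response_cost=120_000, residual=0.3),
    Risk("Data loss on legacy file server", impact=2, likelihood=2,
         response_cost=40_000, residual=0.1),
    Risk("DDoS against marketing site", impact=2, likelihood=5,
         response_cost=900_000, residual=0.5),
]
TOLERANCE_USD = 500_000  # hypothetical annualized tolerance set by the Risk Committee

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, TOLERANCE_USD):
        print(f"{row['rating']:6} ${row['exposure']:>12,.0f}  {row['decision']:10} "
              f"{row['name']}: {row['reason']}")
```

Run as a script it prints the register ranked by exposure. Note that the DDoS entry exceeds tolerance but its proposed $900K response only removes $375K of exposure, so it comes back as "reconsider" rather than "treat": the cost/benefit factor is what keeps a high-exposure risk from automatically consuming budget on the first response someone proposed.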

Work with your ERM team to ensure they prioritize cyber risks at the business unit level and the enterprise level using the same methodology. The scales may change at the unit level, but the same methodology should always apply.

Finally, speaking the same language of risk across the organization and ensuring your cybersecurity team follows suit has four primary benefits:

  1. Creates a common risk taxonomy across the organization

  2. Enables an aggregated and prioritized enterprise risk register that informs executives and the board of critical risks

  3. Facilitates the cost/benefit analysis of implementing risk responses

  4. Elevates the cybersecurity team's profile within the organization by demonstrating an understanding of cybersecurity's position within the enterprise's entire risk profile.

Next time we'll talk about implementing risk responses.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.

Have a great week! 
