Assessing the Severity of Risk
Last time, I introduced the first point under the COSO guiding principle of Performance, which was Identifies Risk. This week, we’ll move on to the second point under Performance, which is Assesses Severity of Risk.
Performance has 5 points:
Identifies Risk
Assesses Severity of Risk
Prioritizes Risk
Implements Risk Responses
Develops Portfolio View
Once risks are documented in the risk register, it is time to assess each risk's severity: its potential to disrupt the organization's ability to meet its business objectives and strategic goals.
A risk register is not only an inventory of identified risks. It is also used to track risk exposure (likelihood and impact), risk owners, risk treatment decisions, action plans, and residual risk.
Residual risk is the amount of risk that remains after the risk has been treated.
Management cannot address or mitigate every risk, because budget and resources are finite. It therefore decides how to allocate resources to a given risk based on the assessment of that risk, with the aim of keeping residual risk within the organization's risk appetite.
Methods for assessing risk fall into two buckets:
Qualitative: Qualitative analysis is subjective.
Risk scales are often described as low, medium, or high.
Information from international standards, industry best practices, or prior risk assessments is used to inform a qualitative analysis.
Qualitative analysis is helpful when little quantitative data is available, or when intangible risks and benefits need to be considered.
Qualitative analysis techniques include risk factor analysis, the Delphi technique, and SWOT analysis (strengths, weaknesses, opportunities, and threats).
Quantitative: Quantitative analysis is objective.
Numeric inputs, such as the probability of an event and the loss it would cause, are used to assign the likelihood and impact of a risk being realized. A common derived figure is annualized loss expectancy (ALE), the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO).
The quality of the analysis is only as good as the data that goes into it.
The best-known quantitative analysis technique applied to cybersecurity is Open FAIR™ (Factor Analysis of Information Risk), the standard published by The Open Group.
Do not pigeon-hole yourself into one of these two camps. There is room for both in our lives. I have witnessed CISOs fail because they only used qualitative analysis with no hard data backing their assessment of risk severity. I have also witnessed CISOs fail because they only used quantitative analysis without considering any qualitative factors, such as an organization's commitment to sustainability or rolling out a new product or service on time. A complete and defensible risk analysis depends on both qualitative and quantitative considerations.
Assessing risk depends on evaluating the likelihood and impact of the risk.
I’ve talked in previous videos about assessing the potential impact of a risk by conducting a business impact analysis. The book “How to Measure Anything in Cybersecurity Risk” by Doug Hubbard and Richard Seiersen does a good job of outlining techniques for estimating the likelihood that a risk occurs. They include:
Decomposition: A model that breaks large, ambiguous problems into smaller, more digestible subproblems (for example, estimating how often a loss event occurs and how much each event costs, rather than guessing a single annual figure).
Bayesian Analysis: A model that refines a prior probability as more evidence or information becomes available. In other words, how we update prior likelihoods with new information.
Monte Carlo: A computer simulation that generates many scenarios by sampling each input from its probability distribution. The process is iterative and commonly runs through thousands of rounds.
Tracking risks and their potential consequences in a risk register enables you to integrate these risks in an enterprise risk management program more efficiently.
Remember, when evaluating the likelihood and impact of a risk, it is not only about the controls your organization is missing. You must also consider the security controls already in place.
Do they compensate for the risk? If so, by how much?
Once a treatment plan for the risk is determined, document the residual risk as well. Use the same method to calculate residual risk as you used for the original risk, so that you are comparing apples to apples.
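The three likelihood techniques above (decomposition, Bayesian updating, and Monte Carlo) and the advice to compute residual risk with the same method as the original risk fit together in one small model. The following is an added worked example, not code from the original post, the COSO framework, or Hubbard and Seiersen's book: it decomposes one risk-register entry into event frequency and loss magnitude, updates a Gamma prior on frequency with observed incidents (the Gamma-Poisson conjugate update), simulates thousands of years, and then re-runs the identical model with a control applied so that inherent and residual figures are directly comparable. All numbers (prior, incident counts, the 90% interval on loss per event, the control's effect, and the risk appetite) are constructed assumptions for illustration.

```python
"""Added example (not from the original post): Monte Carlo estimate of annual loss
for one risk-register entry, with a Bayesian update of the frequency prior and an
inherent-vs-residual comparison that reuses the same model.  All figures are
constructed assumptions, not real data."""
import math
import random
import statistics
from dataclasses import dataclass
from statistics import NormalDist

Z_90 = NormalDist().inv_cdf(0.95)  # half-width of a 90% interval, in standard deviations


@dataclass
class FrequencyBelief:
    """Gamma(alpha, rate=beta) belief about loss events per year; mean = alpha / beta."""
    alpha: float
    beta: float

    @property
    def mean(self) -> float:
        return self.alpha / self.beta


def update_frequency(prior: FrequencyBelief, events: int, years: float) -> FrequencyBelief:
    """Bayesian step: Gamma prior + Poisson evidence (events over years) -> Gamma posterior."""
    return FrequencyBelief(prior.alpha + events, prior.beta + years)


def calibrate_lognormal(low: float, high: float):
    """Turn a calibrated 90% interval on loss per event (5th..95th percentile)
    into lognormal (mu, sigma); the median of the distribution is sqrt(low * high)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small yearly rates found in a risk register."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(freq: FrequencyBelief, mu: float, sigma: float,
                         rounds: int = 20_000, freq_reduction: float = 0.0,
                         magnitude_reduction: float = 0.0, seed: int = 7):
    """One Monte Carlo round is one simulated year.  A control is modelled as a
    multiplicative reduction of frequency and/or magnitude, so residual risk
    comes out of exactly the same model as the original risk."""
    rng = random.Random(seed)
    losses = []
    for _ in range(rounds):
        # Sample the yearly rate from the posterior so uncertainty in likelihood propagates.
        lam = rng.gammavariate(freq.alpha, 1.0 / freq.beta) * (1 - freq_reduction)
        n_events = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) * (1 - magnitude_reduction)
                          for _ in range(n_events)))
    return losses


def summarize(losses):
    """ALE is the mean annual loss; p50/p95 give the shape of the tail."""
    pct = statistics.quantiles(losses, n=100)
    return {"ale": statistics.fmean(losses), "p50": pct[49], "p95": pct[94]}


def assess(risk_appetite_p95: float = 500_000):
    prior = FrequencyBelief(alpha=2, beta=4)                # assumed: ~0.5 events/yr before evidence
    posterior = update_frequency(prior, events=3, years=2)  # assumed: 3 incidents observed in 2 years
    mu, sigma = calibrate_lognormal(20_000, 500_000)        # assumed 90% interval on loss per event
    inherent = summarize(simulate_annual_loss(posterior, mu, sigma))
    residual = summarize(simulate_annual_loss(posterior, mu, sigma,
                                              freq_reduction=0.6,       # assumed control effect
                                              magnitude_reduction=0.5))
    return {
        "lambda_posterior": posterior.mean,
        "inherent": inherent,
        "residual": residual,
        "residual_within_appetite": residual["p95"] <= risk_appetite_p95,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, value)
```

The analytic expectation for this model is ALE = E[frequency] × E[loss per event] = (alpha/beta) × exp(mu + sigma²/2), which is a useful sanity check on any simulation output; the simulated mean should land within a few percent of it at 20,000 rounds. Because the control is applied inside the same simulation, the residual p95 can be compared against the risk appetite on the same footing as the inherent figure.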
To summarize and break it down – here are some key activities for assessing the severity of risk.
Determine the right mix of qualitative and quantitative risk assessment approaches for your organization. Don’t get paralyzed by this: you can always add quantitative analysis to a qualitative assessment later. Consider your audience and culture.
What does your ERM team already do?
Are there opportunities to improve?
Do you have the political capital to challenge the status quo?
Develop the risk register to track risks and potential consequences.
Ensure you evaluate residual risk using the same method as you did for the original risk.
Next time we’ll talk about prioritizing risk.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.
Have a great week!