Most people are aware of the alleged unauthorised harvesting of millions of people’s Facebook data by Cambridge Analytica. There are important lessons for all of us in this mess, most obviously around information privacy and security, but also going back to basics and thinking about your company’s overall approach to risk management. Is your business adequately protected? Do you consider the protection and stewardship of the information you collect, keep, and (hopefully) use?
So where might be a good place to start? In this discussion we will explore the concept of a risk management framework (at a very high level, as risk management is an extensive topic in itself) and how it could be used to get you thinking about risk, or to help you assess and review your company’s current approach to managing it.
What is Risk?
There are many definitions of risk! AS/NZS ISO 31000:2009 (Australian/New Zealand Standard: Risk management – Principles and guidelines) defines risk as ‘the effect of uncertainty on objectives’, usually expressed in terms of the likelihood of an event and its consequences for the organisation’s objectives. As such, risks can be positive (e.g. an opportunity to be maximised) or negative (e.g. failing to comply with requirements) in nature, and may arise from both external and internal factors. Note that ISO 31000 was revised in 2018; the 2018 edition supersedes the 2009 one but keeps the same definition of risk.
Why is Risk Management Important?
All businesses face the risk of unexpected events such as natural disasters, loss of funds through theft, unauthorised harvesting of data and so on, any of which could significantly impact the company’s operations. These events can cause your business to lose money or reputation and, at worst, to close.
A solid approach to risk management helps you prepare for the unexpected, reducing the likelihood and cost of risks before they materialise. Sound preparation not only reduces the impact when a risk does eventuate but also helps identify improvements to operational efficiency.
It means that risks are identified, understood and managed appropriately; this understanding helps ensure that your company can make informed decisions about running a successful business in terms of strategic achievement, customer satisfaction and financial viability.
What is a Risk Management Framework?
A risk management framework is a structure that provides the tools and guidance to enable risk management to be performed in a consistent, proportionate and prioritised way. It sets out the processes involved in risk management, needs to be accessible to and understood by all staff, and contributes to a risk-conscious culture.
Creating a practical risk management framework provides a number of benefits:
A consistent, structured approach to identifying and managing risk
Promotes an understanding of the risk environment within which the company operates
Enables key stakeholders to understand and respond to the risks that may affect the effectiveness and efficiency with which business objectives are met
Supports the achievement of the company's strategic and operational goals by managing risks that may otherwise hinder success
Better decision making that supports risk-informed choices, prioritises actions and differentiates between alternative courses of action
What should it include?
A good place to start is AS/NZS ISO 31000:2009 (Australian/New Zealand Standard: Risk management – Principles and guidelines). The Open Group also publishes a Risk Taxonomy (O-RT) Standard, which provides a consistent vocabulary for decomposing and quantifying risk and can be applied to any risk scenario across risk domains.
ISO 31000 sets out a suitable structure in terms of risk architecture, strategy and protocols, and describes the key features of each element. This structure is designed to provide context for risk management activities and to support the risk management process: establishing the context, then identifying, analysing, evaluating and treating risks, with communication and consultation, monitoring and review running throughout.
The base components of a risk management framework (ISO 31000:2009, clause 4) are:
Mandate and commitment (from senior leadership)
Framework design – understanding the organisational context, setting the risk management policy, assigning accountability and resources
Risk management implementation – putting the framework and the risk management process into practice across the organisation
Monitoring and review of the framework
Continual improvement of the framework
Risk management is something all businesses should undertake, irrespective of size. Companies of all types and sizes face a variety of risks that can ultimately impact their ability to achieve key objectives. The purpose of implementing a risk management framework is to enable the effective identification and analysis of risks that could have consequences for financial performance, reputation and day-to-day operations.
To help with your risk management journey, check out the references below for more information!
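To make the identify, analyse and evaluate steps concrete, here is an added example (not from the article, and not part of ISO 31000 or the Open Group standard) of a small risk register in Python. It rates each risk on likelihood and consequence before and after controls, ranks the register, and flags anything whose residual rating is worse than a stated risk appetite, which is the input to the monitor-and-review step. The 1..5 scales, the rating thresholds, the appetite and the four sample risks are all assumptions made for illustration; ISO 31000 deliberately prescribes no particular scale.

```python
"""Risk register sketch for the ISO 31000 'analyse' and 'evaluate' steps.

Each risk is scored on assumed 1..5 likelihood and consequence scales, both
before (inherent) and after (residual) controls, and the residual rating is
compared with a stated risk appetite to decide what still needs treatment.
Scales, thresholds and the sample risks are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed ordinal scales; ISO 31000 itself does not prescribe any.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
BANDS = ["low", "medium", "high", "extreme"]  # ordered so bands can be compared


def score(likelihood: int, consequence: int) -> int:
    """Product of the two ordinal scores; rejects values that are off the scale."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be on the 1..5 scales")
    return likelihood * consequence


def rating(likelihood: int, consequence: int) -> str:
    """Map a score onto a band. The thresholds are an assumed 5x5 heat-map split."""
    s = score(likelihood, consequence)
    if s >= 15:
        return "extreme"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    id: str
    description: str
    objective: str            # the objective the risk affects (ISO 31000 ties risk to objectives)
    likelihood: int           # inherent, i.e. before controls
    consequence: int
    owner: str = "unassigned"
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # after controls; None means unchanged
    residual_consequence: Optional[int] = None

    def inherent(self) -> str:
        return rating(self.likelihood, self.consequence)

    def residual_scores(self) -> Tuple[int, int]:
        l = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        c = self.residual_consequence if self.residual_consequence is not None else self.consequence
        return l, c

    def residual(self) -> str:
        return rating(*self.residual_scores())


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual score first; ties keep register order (sorted() is stable)."""
    return sorted(register, key=lambda r: -score(*r.residual_scores()))


def above_appetite(register: List[Risk], appetite: str) -> List[Risk]:
    """Risks whose residual band is worse than the appetite band. These need
    further treatment, escalation, or a documented acceptance by the owner."""
    limit = BANDS.index(appetite)
    return [r for r in prioritise(register) if BANDS.index(r.residual()) > limit]


# Constructed sample register (not from the article or any real assessment).
SAMPLE_REGISTER = [
    Risk("R1", "Third-party app harvests customer data beyond the consented purpose",
         "customer trust / privacy compliance", 4, 5, owner="CISO",
         controls=["API scope review", "data-sharing agreement audit"],
         residual_likelihood=2),
    Risk("R2", "Ransomware encrypts the file server", "operational continuity", 3, 4,
         owner="IT manager", controls=["offline backups", "quarterly restore test"],
         residual_consequence=2),
    Risk("R3", "Flooding of the head office", "operational continuity", 1, 3),
    Risk("R4", "Key supplier fails to deliver on contract", "financial viability", 2, 3,
         owner="Procurement lead"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.id} inherent={r.inherent():8} residual={r.residual():8} "
              f"owner={r.owner}: {r.description}")
    print("above appetite (medium):", [r.id for r in above_appetite(SAMPLE_REGISTER, "medium")])
```

Running it ranks R1 first (inherent extreme, residual high even after its controls) and reports it as the only entry above a "medium" appetite, so it is the one the owner must either treat further or formally accept at the next review; a risk with no owner, like R3, is itself a finding for the review step.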
AS/NZS ISO 31000:2009 Australian/New Zealand Standard: Risk management – Principles and guidelines
ISACA – Performing a Security Risk Assessment
ISACA – Developing an Information Security and Risk Management Strategy
Security Intelligence – Key Components of a High-Performing Information Risk Management Program