The Risk Owner's Guide to Effective Risk Reviews

In today's intricate risk environment, a risk owner's role is essential for maintaining an organization's security and compliance. Risk owners act as the main custodians of designated risks.

· Juris Puce

Understanding the Critical Role of a Risk Owner

In today’s intricate risk environment, a risk owner’s role is essential for maintaining an organization’s security and compliance. Risk owners act as the main custodians of designated risks, overseeing their continuous assessment, management, and mitigation. Among their most vital duties is performing comprehensive and efficient risk reviews.

This guide is designed to equip risk owners with a clear framework for conducting risk reviews, helping them effectively meet their responsibilities and enhance the organization’s overarching risk management strategy.

General Obligations of a Risk Owner

Before exploring the details of risk reviews, it’s vital to grasp the overall duties of a risk owner:

1. Risk Accountability

As a risk owner, you are accountable for the following:

  • Accurate Risk Assessment: This involves thoroughly evaluating and understanding the nature, potential impact, and likelihood of your assigned risks. It may include identifying risk factors, analyzing vulnerabilities, and estimating potential losses.
  • Implementation of Appropriate Controls: Based on the risk assessment, you need to ensure that suitable controls are put in place to mitigate or manage the identified risks. These controls could be preventive, detective, or corrective measures, and they should be aligned with the organization’s risk appetite and tolerance.
  • Monitoring Control Effectiveness: It’s crucial to continuously monitor the effectiveness of the implemented risk treatments (controls). This involves regularly reviewing and assessing whether the controls are operating as intended and effectively mitigating the risks.
  • Timely Reporting to Stakeholders: You are responsible for providing regular and timely reports on the status of your assigned risks to relevant stakeholders. This includes communicating any changes in risk levels, emerging risks, and the effectiveness of risk management efforts.
  • Reviewing and Updating Risk Management Strategies: Based on the results of risk monitoring and changes in the internal or external environment, you should be prepared to review and update your risk management strategies and controls accordingly.
  • Collaborating with Other Risk Owners: Depending on the nature of the risks, you may need to collaborate and coordinate with other risk owners to ensure a holistic and integrated approach to risk management.
  • Escalating Significant Risks: In case of significant risks or control failures, you may need to escalate the issue to higher management or relevant committees for further action.
  • Maintaining Risk Records: You should maintain proper records and documentation of your risk assessments, controls, monitoring activities, and reporting.
  • Promoting Risk Awareness: You can also play a role in promoting risk awareness within your team or department and encouraging a proactive approach to risk management.

2. Continuous Monitoring

Risk ownership is an ongoing commitment rather than a one-time task:

  • Remain vigilant about changes that could impact your risks
  • Actively seek out new threats
  • Assess the effectiveness of existing controls
  • Keep track of the progress in implementing risk treatment measures (including enhancements to current controls or the introduction of new ones)

3. Collaboration Across Functions

Successful risk management relies on teamwork throughout the organization:

  • Partnering with control owners to guarantee effective implementation of controls
  • Collaborating with infrastructure operations, desktop engineering, security, compliance, and business teams
  • Involving executive leadership on critical risk issues
  • Discussing interrelated risks with other risk owners

4. Reporting and Documentation

Keeping risk documentation accurate and current is crucial:

  • Providing clear and thorough risk descriptions
  • Recording risk assessments along with their justifications (this can be simple - often a brief comment suffices)
  • Monitoring the progress of risk treatment plans
  • Documenting decisions and the reasoning behind them

Getting Ready for a Risk Review: Key Points to Consider

Upon receiving notice of an upcoming risk review, your initial essential task is to collect relevant information. This preparatory stage lays the groundwork for a successful review.

The Risk Data Model: A Centralized View of Risk

The risk data model visually illustrates the elements of risk and how they are interconnected. This offers a consolidated perspective on risk, facilitating better understanding and management.

Risk Data Model

The risk data model encompasses the risk description, parameters (like probability, impact, and overall rating), owner, associated assets, controls, requirements, and treatment actions. Additionally, it features pertinent information, including the risk’s history, which tracks changes in its assessment, treatment plans, and progress.

1. Events and Associated Incidents

Gather details about events and incidents since the previous review:

  • Security incidents linked to your risk area
  • Near-misses that might have led to risk realization
  • System outages or performance challenges
  • User complaints or feedback concerning the risk area

2. Reports on Vulnerabilities

Let’s take a look at the recent vulnerability findings together:

  • We’ve identified new vulnerabilities in systems that might affect your risk.
  • Here are the results from our recent vulnerability scans and their severity ratings.
  • We also have insights from our penetration testing findings.
  • Lastly, we’ve gathered important information from third-party security assessments.

3. Intelligence on Threats

Keep yourself in the loop about the changing threats around us! Here are some key things to watch for:

  • Industry threat reports that relate directly to your area of concern
  • Tactics, techniques, and procedures (TTPs) used by threat actors
  • Updates on how the threat landscape is shifting and what it means for you
  • New and emerging threats that might influence your risk evaluation

4. Organizational Changes

Think about how changes within your organization could influence your overall risk:

  • Shifts in business processes or operations
  • Exciting new systems or technologies being put in place
  • Updates to existing systems for improvement
  • Changes in organizational structure
  • New relationships or tweaks with third-party suppliers
  • Fresh regulatory requirements or compliance responsibilities to consider

5. Manage Effectiveness

Let’s take a moment to reflect on how our current controls are doing:

  • Review the outcomes from control testing or audits
  • Consider any instances of control failures or deficiencies
  • Note any changes made to the control implementation
  • Highlight any new controls introduced since our last review

Performing the Risk Review: A Systematic Method

The risk review process itself should be methodical and comprehensive. Here’s a structured approach to ensure you cover all necessary aspects:

Flow of Risk Management

The risk management process is a friendly and ongoing journey where we identify, assess, prioritize, and manage risks together. Below, you’ll find a helpful risk management flow diagram that beautifully illustrates each stage of this process and how they connect to the risk review journey.

Risk Management Flow

1. Assess and Revise Risk Details

Begin by examining the essential details regarding the risk:

Risk Description

  • Are we still feeling good about how accurately and thoroughly the risk description captures everything?
  • Does it do a great job of explaining what might go wrong?
  • Should we consider updating it to reflect any new information or changes that have come our way?

Linked Assets

  • Are all relevant assets connected to the risk in the right way?
  • Have any new assets come up that need to be linked?
  • Should we consider removing any assets from the risk association?

Requirements and Controls

  • Have we connected all the necessary requirements?
  • Are the risk controls still relevant and effective?
  • Do we need to add any new controls based on updated requirements?

Below is a sample screenshot from Peak Defence WINGMAN GRC on risk basic data:

WINGMAN GRC Risk View

2. Evaluate Risk Criteria

Next, let’s take a moment to see if we might want to make any adjustments to the risk parameters.

Assessment of Probability

  • How has the likelihood of the risk changing?
  • Are there any new threats that might affect this probability?
  • Have we put any controls in place to help reduce the likelihood?
  • Have we seen any incidents that might indicate a higher chance of occurrence?

Evaluation of Impact

  • Has the potential impact of the risk shifted?
  • Have any business changes influenced how severe the impact might be?
  • Are there new dimensions to the impact we should think about (like financial, reputational, or operational factors)?
  • Have there been any changes in regulations that could affect penalties or consequences?

Overall Risk Value

  • Considering the new probability and impact, has the overall risk value shifted?
  • Should we prioritize this risk for escalation or de-escalation?
  • Does this risk align with what our organization considers acceptable thresholds?

3. Record Your Evaluation

It’s really important to take a moment to document your review, even if everything is just as it was:

  • Make a note of the review date
  • Be sure to mention that you checked all aspects
  • Confirm that the risk value is still the same
  • Share your reasons for keeping the current assessment

Evaluating Risk Treatment Actions

One important part of the risk review is taking a look at how well the risk treatment actions are working and where they currently stand.

A sample screen from items linked to risk in Peak Defence WINGMAN GRC is below:

WINGMAN GRC Risk Related Items

1. Review Planned Actions

When it comes to planned actions, let’s take a moment to reflect:

  • Have we been able to follow the schedule as intended?
  • If not, what hurdles or challenges are we facing?
  • Do we need to revisit our timelines?
  • Are there any extra resources that could help us along the way?

2. Assess Action Effectiveness

When we look at the actions that have been implemented, let’s consider a few important questions:

  • Have we successfully reduced the risks we aimed to address?
  • Is there clear evidence that our control measures are working even better now?
  • Have we seen a reduction in the leftover risks just as we hoped?
  • Have any unexpected consequences come up, or have we introduced any new risks along the way?

3. Consider New Actions

Considering your updated risk assessment, let’s think about these points together:

  • Does the current risk value suggest we might need to take some new actions?
  • Are there any more budget-friendly treatment options we could explore?
  • Should we consider tweaking or enhancing the actions we’ve already taken?
  • Are there any exciting new technologies or approaches that could help us tackle the risk even better?

Let’s explore the ongoing organizational activities that could influence our risk approach, such as:

  • IT projects or system upgrades
  • Exciting business transformation initiatives
  • Important compliance programs
  • Upgrades for security enhancements
  • Efforts focused on process improvements

For the activities that are relevant:

  • Make sure to connect them to the risk in your documentation
  • Take a moment to assess how they might impact the risk (both positively and negatively)
  • Consider if the risk needs a fresh reevaluation based on these activities
  • Collaborate with project teams to ensure that we’re addressing risk considerations effectively!

Optimal Strategies for Successful Risk Assessments

To get the most out of your risk reviews, why not keep these helpful practices in mind?

1. Keep a Future-Oriented Outlook

While understanding historical data is definitely valuable, it’s important to remember that risk management is all about looking to the future. Here’s how to approach it:

  • Think about emerging trends and how they might shape our next steps.
  • Anticipate how any planned changes within the organization could influence risk levels.
  • Try to see beyond just immediate issues to uncover longer-term risk implications.
  • Explore different scenarios and their possible outcomes.

2. Get Involved with Stakeholders

Risk reviews work best when they’re a team effort:

  • Reach out to subject matter experts to gain valuable insights.
  • Connect with business process owners to get a feel for how operations are affected.
  • Team up with control owners to evaluate how effective current controls really are.
  • Don’t forget to gather input from our security, compliance, and IT teams as well!

3. Question Your Assumptions

To make effective risk reviews, we need to think critically:

  • Ask yourself if past assumptions are still relevant today.
  • Consider new perspectives on the likelihood and impact of risks.
  • Challenge the reasoning behind the risk ratings we have in place.
  • Check if our controls are genuinely effective or if they just seem that way.

4. Keep Detailed Records

Documenting everything thoroughly helps ensure accountability and continuity:

  • Make sure to note all important findings and decisions.
  • Keep track of the reasoning behind each risk assessment.
  • Create an audit trail for any changes made along the way.
  • Aim for clarity in your documentation so that others can easily follow along.

5. Follow Up on Actions

A risk review isn’t truly finished until actions are assigned and monitored:

  • Confirm that every agreed-upon action has a clear owner.
  • Set practical timelines for when these actions should be implemented.
  • Schedule regular check-ins to track progress on these actions.
  • Don’t hesitate to highlight any delays or challenges as they come up!

Conclusion

As a valued risk owner, your role in carrying out detailed risk reviews is essential to your organization’s overall risk management strategy. By thoughtfully examining every aspect of your assigned risks—from the fundamental details to the treatment actions—you play a vital part in enhancing your organization’s resilience and security.

Keep in mind, risk management isn’t just a one-time task; it’s a continuous journey. Regular and structured risk reviews help your organization maintain a clear understanding of its risk landscape, enabling it to adapt smoothly to any changes or challenges that come its way.

By embracing the guidance shared in this article, you’ll feel well-prepared to fulfill your important responsibilities as a risk owner, all while fostering a safe and resilient environment for your organization.

Related Topics:

AI Security Integration Knowledge Silos

Related Articles

Connecting the Dots: Why Security Knowledge Integration Matters

Learn how connecting fragmented knowledge silos can transform security in ways that traditional approaches cannot....

Read More →

What AI Means for Your Security Team

Explore how AI is transforming security management and empowering security teams...

Read More →

Stay Updated

Subscribe to receive the latest security insights, industry trends, and expert advice directly to your inbox.