
Risk Intelligence Blog


Understanding & Balancing Information Risk


The first step in managing information risk is understanding the elements, drivers and impacts of information risk. In a recent poll Evantix asked, “What are the biggest impacts to your IT Risk program?”

a. Justifying the value of a comprehensive program
b. Cost of the program to execute and maintain
c. Integration with business objectives
d. Managing partners and service providers
e. All of the above

Overwhelmingly, the response came back ALL OF THE ABOVE! Most enterprises are faced with the task of justifying a comprehensive IT Risk Management program that is both expensive to operate and maintain. The risk management program must align with the current business objectives and fulfill the risk management needs of the corporation. These are difficult tasks: managing the risks of multiple company divisions while simultaneously managing the risks of every vendor, supplier and service partner.

This discussion focuses on the drivers of information risk to develop a core understanding of information risk and the requirements to manage information risk within an organization. Part II of this series will look closer at the trends in information technology risk and business, including a focus on IT risk management capabilities. Part III of this series will build on Parts I and II to develop a methodology to measure IT risk in a meaningful way that can be used across the enterprise and supplier network.

How Experts View Risk

Traditionally, risk management experts look at risk from two perspectives: the likelihood of the event, and the consequences if the event does occur. If you review the information security breach events since 2003 from these two perspectives, it becomes very evident which threats have major consequences and which have minor consequences.

Figure 1 below illustrates this by charting the “probability” of a security event having an impact on the organization on a scale from “Rare” to “Almost Certain” on the Y axis. For example, the probability of your organization having lost or stolen media is very high, while the potential for a complete loss of a data center is very low.

The impact to the company is measured across the X axis on a scale from “Insignificant” to “Catastrophic”. A lost backup tape can have devastating consequences and is often catastrophic.

Managing risk across an organization can be difficult especially in large enterprises with multiple business units across vast geographic areas.  Managing risk is not eliminating risk and therefore the best process is to find a balance in impact of the specific risk and the cost of mitigating the risk.

Using this information, the chart clearly indicates that the most common and damaging breach over this period has been lost or stolen media. This scale of information can be used to design a risk management program that focuses on preventing and managing the risks of the highest-impact and most likely events.

[Figure 1: probability of a security event (Y axis, “Rare” to “Almost Certain”) plotted against its impact on the company (X axis, “Insignificant” to “Catastrophic”)]

Balancing Risk

Traditionally risk management decisions are pushed down the organization level to match the level of threat.  Department level managers are expected to respond to minor risks, business unit or middle management to manage the moderate risks, and executive management to handle the more significant risks.

Finding the right balance between the level of IT risk management capabilities and the level of risk driven by the business is difficult. To address this, many companies have turned to IT risk management optimization. This is the art of balancing the organization’s investment in controls, policies, processes, and people with the level of risk produced by the business through daily internal operations and those increasingly complex external-facing activities such as outsourcing, mergers and acquisitions, and partnerships.

Trends in IT Risk Management

There are a number of significant trends in the area of IT risk management that enable optimization while adding significant value to both the IT organization as well as core business processes such as outsourcing, merger and acquisitions, compliance management, and the management of 3rd party relationships.  Figure 2 illustrates the elements of the balance of managing risk.

[Figure 2: the elements of the balance of managing risk]

Businesses are going through constant change, and organizations are finding it difficult to keep up with their outsourcing partners, trading partners, business partners, vendors, and suppliers. The use of regulated and sensitive data throughout the organization is unknown. These unknown relationships make keeping up with new and changing government regulations (e.g. SOX) and industry regulations (e.g. PCI) a constant challenge.

Risk Management

To understand the risk of any relationship, regardless if it is an internal business unit or an outside supplier, you must first understand the inherent risk.  Inherent risk is a measurement of the value or exposure from the relationship.  Mitigating controls counteract the inherent risk to provide a lower level of risk.   Residual risk is the risk that remains from the original inherent risk after the mitigating controls are applied.  This can be loosely thought of as: 

Residual Risk = Inherent Risk – Mitigating Controls 

To manage the risk of an entity (e.g. business unit, supplier, vendor) there are three primary risk measurements you need: Relationship Risk, Business Profile Risk and the IT Control Risk. 

Residual Risk = f((Relationship Risk + Business Profile Risk) – Mitigating Controls)

[Figure 3: inherent risk (relationship risk plus business profile risk) reduced by mitigating controls to residual risk]

Understanding and mitigating the different types of relationship risk, business profile risk, and applying mitigation controls such as IT Controls allows the organization to determine the amount of residual risk.

Each type of risk has different elements and impact to the overall risk.  Taking a deeper look at each of these will help develop a strategy for managing the residual risk and making sound management decisions on the right level of risk and investment for the organization. 

Relationship Risk

The first step to evaluating the inherent risk of the relationship is looking at such things as the relationship scope (e.g. type of services, data/business processes exposed), nature of the service (e.g. strategic value), geographic location of services, contract protections, and other relationship risk factors.  The amount of relationship risk provides intelligence for key stakeholders such as vendor management, corporate sourcing, relationship owners, and information security as to the inherent risk of the relationship.  Once the inherent risk is understood it can be used in the decision process.  If the relationship risk is beyond the risk tolerance of the corporation the risk factors can be used to determine the best steps to reduce the risk (e.g. change contract terms, change location of services, etc.).

Everyday example: If you own a home, the amount of relationship risk (or inherent risk) is the value of your home and the contents within the home. If you have taken the additional step of calculating the market value of the home and contents, you have measured the inherent risk. Once you understand the total value of the home and contents, spending additional money on insurance to protect your assets is easier to justify.

Business Profile Risk

To further understand the inherent risk it is important to look closer at the provider of the product or services. The business profile risks are risk factors such as the financial profile, geographical risk characteristics, geopolitical risk, type of business, etc. For instance, if a business fails because of financial stress, it can have a serious impact on the delivery of its product or services.

Another prime example of business profile risk is when you are developing core intellectual property in a country that does not respect copyright law (geopolitical risk).  This adds significantly to the risk of the project.  Dependent on the amount of relationship risk, a disruption in the service of this vendor could have a material impact on overall revenues and profits of the organization.   The Business Profile risk is combined with the Relationship Risk to give the business an overview of the total inherent risk.

Everyday example: Continuing the homeowner example, the location of your home may add more risk. One of the biggest risks to your home and its contents is fire. Fire can destroy the home, contents and valuables without any prior warning. When considering the risk to your home, living in a forest adds more potential for fire than a home in a barren area. While the threat of fire does not add to the value of the home, it does add to the overall risk.

Control Risk

To reduce the amount of defined risk (inherent risk and business risk), mitigating controls are applied. These controls can take many shapes and forms. Smoke alarms and sprinkler systems are traditional controls to lower the inherent risk of a home fire. In the information technology world, there are a number of generally accepted best practices and standards that are used to mitigate the risks of an IT system. There are three central themes to mitigating controls: prevention, detection and recovery. Preventive controls are those that prevent an information loss or security breach (e.g. encryption is used to prevent unauthorized access to sensitive information). Detective controls are those that focus on detecting attempts to access sensitive information or information systems (e.g. intrusion detection and data loss/leakage prevention technologies are used to detect intrusions or unauthorized access). Recovery controls are used to recover from a security event such as a breach in security resulting in access to sensitive information or information systems, or the failure of a critical system resulting in loss of services potentially impacting revenue for the corporation. All of these controls are intended to lower the probability of a loss from an information technology event.

Everyday example: Continuing the homeowner example, removing the brush and other flammable materials adjacent to the home and installing sprinkler systems are used to prevent a fire from causing significant damage. Smoke alarms and burglar alarms are installed to detect a fire or unauthorized access to the home. Storing copies of important documents in a bank safety deposit box is an example of a recovery control: if a fire does destroy the original documents in the home, they can be recovered from the safety deposit box.

Residual Risk

Once the level of inherent risk and business profile risk is quantified, and the effectiveness of the mitigating controls is estimated, then the residual risk can be understood. Even after the best preventive, detective and recovery controls are implemented to the fullest extent, not all losses can be prevented. In most businesses, some control weakness exists due to budget or technology constraints (e.g. not all sensitive data is encrypted). Depending on the amount of residual risk, an enterprise may determine the best course of action is to find a different or additional supplier to counter a high level of residual risk.

Everyday example: Continuing with the homeowner example, even after installing locks, smoke detectors, burglar alarms, etc., most homeowners purchase home insurance to mitigate the impacts of the potential losses due to a fire or robbery. Similar to the homeowner, the executive responsible for managing information risk may choose to buy cyber insurance to mitigate the risk of a loss due to a security breach or failure in key information technology services.
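The sections above describe a model in words: relationship risk and business profile risk add up to inherent risk, preventive, detective and recovery controls lower the probability of loss, and the residual risk is placed on the likelihood-versus-impact matrix of Figure 1 and escalated to the management level that matches it. The following is an added example, not code from the post or from Evantix, that turns that model into a runnable toy scoring routine. Every scale (1 to 5), weight (0.5/0.3/0.2 across the three control themes), contract-protection discount and escalation threshold below is an assumption chosen for illustration, not the post's or any product's actual scoring.

```python
"""Toy residual-risk scoring for one vendor relationship.

Added example (not the post's or Evantix's own code). Implements, with assumed
numbers, the post's model:
    Residual Risk = f((Relationship Risk + Business Profile Risk) - Mitigating Controls)
Impact comes from what the relationship exposes; likelihood comes from the
provider's business profile; controls reduce likelihood; the result is a cell
on the post's likelihood x impact matrix and an owner for that level of risk.
"""
from dataclasses import dataclass

# Qualitative axes from the post's Figure 1 (index 0 = score 1, index 4 = score 5).
LIKELIHOOD_LABELS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT_LABELS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]


def _check_scale(name: str, value: int) -> None:
    """All factor scores are assumed to be integers on a 1-5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


@dataclass
class RelationshipRisk:
    """Inherent value/exposure of the relationship (post: 'Relationship Risk')."""
    data_exposure: int        # sensitivity of data / business processes exposed
    strategic_value: int      # how critical the service is to the business
    contract_protection: int  # strength of contractual protections (higher = safer)

    def __post_init__(self):
        for k, v in vars(self).items():
            _check_scale(k, v)


@dataclass
class BusinessProfileRisk:
    """Risk factors of the provider itself (post: 'Business Profile Risk')."""
    financial_stress: int  # likelihood the provider fails financially
    geopolitical: int      # jurisdiction / geopolitical exposure of the service

    def __post_init__(self):
        for k, v in vars(self).items():
            _check_scale(k, v)


@dataclass
class Controls:
    """Estimated effectiveness of each control theme, 0.0 (absent) to 1.0 (perfect)."""
    preventive: float  # e.g. encryption of sensitive data
    detective: float   # e.g. intrusion detection, data leakage detection
    recovery: float    # e.g. tested backups, failover

    def __post_init__(self):
        for k, v in vars(self).items():
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{k} effectiveness must be between 0 and 1")


def clamp(value: float, lo: int, hi: int) -> int:
    return max(lo, min(hi, int(round(value))))


def impact_score(rel: RelationshipRisk) -> int:
    """Impact axis (1-5): what a loss would cost, driven by the most exposed factor.
    Assumption: strong contract protections shave off at most one point."""
    raw = max(rel.data_exposure, rel.strategic_value) - (rel.contract_protection - 1) / 4
    return clamp(raw, 1, 5)


def inherent_likelihood(prof: BusinessProfileRisk) -> int:
    """Likelihood axis (1-5) before any controls: average of the profile factors."""
    return clamp((prof.financial_stress + prof.geopolitical) / 2, 1, 5)


def residual_likelihood(inherent: int, ctl: Controls) -> int:
    """Controls lower the probability of loss. Assumed weights: prevention 0.5,
    detection 0.3, recovery 0.2. A floor of 1 ('Rare') remains even with perfect
    controls, matching the post's point that not all losses can be prevented."""
    reduction = 0.5 * ctl.preventive + 0.3 * ctl.detective + 0.2 * ctl.recovery
    return clamp(inherent * (1.0 - reduction), 1, 5)


def escalation_owner(matrix_score: int) -> str:
    """Post: minor risks to department managers, moderate risks to business unit
    management, significant risks to executives. Thresholds on the 1-25 matrix
    score are assumed."""
    if matrix_score <= 5:
        return "department manager"
    if matrix_score <= 12:
        return "business unit management"
    return "executive management"


def residual_risk(rel: RelationshipRisk, prof: BusinessProfileRisk, ctl: Controls) -> dict:
    """Full assessment: matrix cell, 1-25 score and the management level that owns it."""
    impact = impact_score(rel)
    inherent = inherent_likelihood(prof)
    residual = residual_likelihood(inherent, ctl)
    score = residual * impact
    return {
        "impact": IMPACT_LABELS[impact - 1],
        "inherent_likelihood": LIKELIHOOD_LABELS[inherent - 1],
        "residual_likelihood": LIKELIHOOD_LABELS[residual - 1],
        "score": score,
        "owner": escalation_owner(score),
    }


if __name__ == "__main__":
    # Constructed scenario: an offshore development partner handling sensitive
    # data, with thin contract terms and partially effective controls.
    rel = RelationshipRisk(data_exposure=5, strategic_value=4, contract_protection=2)
    prof = BusinessProfileRisk(financial_stress=4, geopolitical=4)
    for label, ctl in [("no controls", Controls(0.0, 0.0, 0.0)),
                       ("partial controls", Controls(0.6, 0.4, 0.5)),
                       ("perfect controls", Controls(1.0, 1.0, 1.0))]:
        print(label, residual_risk(rel, prof, ctl))
```

Running the constructed scenario shows the post's balancing argument in numbers: with no controls the vendor sits at Likely/Catastrophic (score 20) and belongs to executive management; partial controls move it to Unlikely/Catastrophic (score 10), a business unit decision; and even perfect controls only reach the Rare floor, leaving a residual score of 5 that the post would address with insurance or a different supplier rather than further control spend.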

Summary

There are three key aspects of managing the risk of vendors: relationship risk, business profile risk and control risk.  The relationship risk is the inherent value of the relationship as measured by revenue, regulatory, critical business process, etc.  Business profile risks are those additional risks of the relationship due to outsourcing the activity to a specific business best illustrated by credit or financial risk of the provider, geopolitical risk factors and even fraud activities.   Control risks are mitigating factors that are used to reduce the amount of inherent risk and/or business profile risks.  Because perfect implementation of controls is not realistic there are residual risks associated with the effectiveness of the mitigating controls that have been implemented.

The key to effective risk management is not to attempt to eliminate all risk. The cost of total risk elimination would be too great for any organization. Finding the appropriate balance of risk for the organization depends upon understanding the relationship between the three aspects of risk (relationship, business profile, and control risk). By measuring each type of risk, organizations are able to make informed business decisions to manage the residual risk.

Part II of this series will look closer at defining risk to get a common understanding of the term and how it impacts the organization. It will cover the elements of risk: loss magnitude, including asset loss, external loss, and the variables that impact the loss magnitude; and loss frequency, including proximity, control strength, threat agent capability, and the action the threat agent is willing to take. It will also take a closer look at the trends in risk management process maturity from Level I through Level IV maturity. The higher the level of maturity an organization is able to achieve, the more cost-effective the risk management process.

See how risk authorities measure the risk before managing the risk

Download our Solution Brief | Enterprise Supplier Exposure - Measure the Risk Before you Manage It. Evantix quantifies the inherent business risk across your supplier population for detailed risk analysis and measurable, focused risk management actions. This “Exposure Assessment” leverages Evantix’s state-of-the-art risk and compliance scoring analytics technology that takes your existing supplier-related information (e.g. vendor/contract database, ERP system) and quantifies its relative risk based on industry standards and categories like brand, customer, data, financial, regulatory and operations impact. Call us at (949) 614-7075 or visit www.evantix.com.

About the Author: James Christiansen is a global risk authority in information security and, in addition to his current role as CEO at Evantix, James has held senior executive positions for some of the world’s largest companies. As the first Information Security Officer at Visa, he created and implemented Visa’s global information security program. At General Motors, he held the position of Chief Information Security Officer (CISO), where he was responsible for global information security operations across all business units. In his role as CISO at Experian Americas, he led vendor reviews and several high-profile merger & acquisition assessments.
