There is no dearth of complexity when it comes to risk management. Enterprise, operational, security, strategic, project, financial, credit, market, human and natural risk are just a few flavors of the risk management domain. Threats, vulnerabilities, exploits, events, probability, impact and severity are further essential components.

With so many types and so much terminology in the risk management domain, the operational definition of risk and the process used to manage it are interpreted differently from organization to organization and from individual to individual. There is no lack of risk management frameworks either: OCTAVE, NIST SP 800-37, COSO, the ISACA Risk IT framework, DoDI 8510.01, ISO 31000 and many others.

Add to this the various risk computation methodologies, especially probability and dollar-value calculations, and set aside the skills required to estimate probability and impact for complex risks such as credit, market, financial and manufacturing risks.

However, the different manifestations of risk share common characteristics:

1. Inherently, they are all risks.

2. Risks are interlinked.

3. Risks are interdependent.

4. Every risk rests on the universal principles of probability, severity and impact.

The risk management domain faces another challenge: a disoriented organization structure and a lack of appropriately skilled resources. Often the CISO is tasked with risk management responsibilities, and risk managers frequently target mostly "security risks". Who owns the responsibility for identifying risk is another well-loved debate; some argue it is the process owner, while many point towards the risk manager or the security manager. Seriously, it does not matter, as long as all risks are captured and a risk treatment plan is available.

It is common practice to treat risks separately, with multiple risk registers and multiple approaches to identifying risks. What is lacking is a standard approach or framework for identifying risk and, ultimately, a shared understanding of risk identification throughout the organization. Pick any framework and you will realize that the core components and architecture of every framework are the same.

Let's begin with the basic categories of risk generally used in organizations:

1. Enterprise risk management,

2. Operational risk management and

3. Security risk management.

Now, there are two approaches an organization may take:

1. Asset-based risk assessment,

2. Process-based risk assessment.

Personally, I begin with process-based risk assessment. In this approach, we first understand the value stream, the process, the service, the application and the assets associated with the process.

However, it is imperative to understand that process risks differ from asset-based risks. When an asset is assessed for its security threats, the exercise is called a security risk assessment. If the subject is instead an operational process, the result is operational risk.

While performing a process-based risk assessment, it is good practice to first identify the underlying product or service the process supports, and then the applications and assets that support the process. The output of this activity is a list of processes, services, applications and assets, with the dependencies between them.

The risk associated with any "process" is highly dynamic and evolving in nature, whereas the risk associated with an asset or application is less dynamic. For instance, the risks to an IT asset, such as malware infection, denial of service or data theft, remain largely the same over a long period; new risks evolve slowly over time. The risk to an asset is predominantly seen through a security lens. By contrast, a single modification to a process step can introduce a new risk immediately.

Both process and security risks contribute to enterprise risk, along with external risks that affect the organization such as a change in regulation, a natural disaster, competition, a cyber attack and so on. As a CISO or CRO, it is important to establish clear definitions of risk and of its various types.

A step-by-step approach can be followed to establish an enterprise-wide risk assessment:

1. Identify processes and the products/services they support.

2. Sort the processes by criticality.

3. Identify the risks in each process (I recommend FMEA for this step).

4. Consolidate all process/operational risks and record them in the risk register.

5. Identify the applications and assets that support those processes.

6. Sort the applications and assets by criticality.

7. Identify the security risks applicable to each application and asset and record them in the risk register.

8. Identify enterprise risks and record them in the risk register.
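The following is an added example, not code from the article, showing the eight steps above as a small Python risk register: processes are tied to the applications and assets they depend on (step 5 is derived from steps 1 and 2), every operational, security and enterprise risk is scored with the FMEA Risk Priority Number (severity x occurrence x detection), and a what-if function shows how mitigating one risk changes the score of the risks linked to it. The 1-10 FMEA scales, the 1-5 process criticality scale, the rule that a linked risk is at least as likely as the risk it depends on, and all process and risk data are constructed assumptions for illustration.

```python
"""Single risk register for process, security and enterprise risks.
Added example; the scales, the linkage rule and the sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Risk:
    name: str
    category: str                  # "operational", "security" or "enterprise"
    target: str                    # process, application or asset the risk applies to
    severity: int                  # 1-10 (assumed FMEA scale)
    occurrence: int                # 1-10, likelihood of the failure mode
    detection: int                 # 1-10, 10 = hardest to detect before impact
    depends_on: Set[str] = field(default_factory=set)  # linked upstream risks


@dataclass
class Process:
    name: str
    criticality: int               # 1-5, 5 = most critical (assumed scale)
    applications: List[str]
    assets: List[str]


def validate(r: Risk) -> None:
    for v in (r.severity, r.occurrence, r.detection):
        if not 1 <= v <= 10:
            raise ValueError(f"{r.name}: FMEA scores must be 1-10, got {v}")


def consolidate(*risk_lists: List[Risk]) -> Dict[str, Risk]:
    """Steps 4, 7 and 8: one register, duplicate ids rejected."""
    register: Dict[str, Risk] = {}
    for r in (x for lst in risk_lists for x in lst):
        validate(r)
        if r.name in register:
            raise ValueError(f"duplicate risk id {r.name}")
        register[r.name] = r
    return register


def dependencies_of(processes: List[Process]) -> Dict[str, List[str]]:
    """Steps 5 and 6: applications/assets with the processes that rely on them,
    most critical process listed first."""
    out: Dict[str, List[str]] = {}
    for p in sorted(processes, key=lambda p: p.criticality, reverse=True):
        for item in p.applications + p.assets:
            out.setdefault(item, []).append(p.name)
    return out


def effective_occurrence(register: Dict[str, Risk], name: str,
                         path: FrozenSet[str] = frozenset()) -> int:
    """Assumed linkage rule: a risk is at least as likely as any upstream risk it
    depends on. `path` guards against cycles in the linkage graph."""
    r = register[name]
    if name in path:
        return r.occurrence
    upstream = [effective_occurrence(register, d, path | {name})
                for d in r.depends_on if d in register]
    return max([r.occurrence] + upstream)


def rpn(register: Dict[str, Risk], name: str) -> int:
    """FMEA Risk Priority Number: severity x occurrence x detection."""
    r = register[name]
    return r.severity * effective_occurrence(register, name) * r.detection


def ranked(register: Dict[str, Risk]) -> List[Tuple[int, str]]:
    return sorted(((rpn(register, n), n) for n in register), reverse=True)


def mitigation_effect(register: Dict[str, Risk], name: str,
                      new_occurrence: int) -> Dict[str, Tuple[int, int]]:
    """What-if: which RPNs change if this risk's occurrence is reduced?
    The register is restored afterwards; nothing is persisted."""
    before = {n: rpn(register, n) for n in register}
    old = register[name].occurrence
    register[name].occurrence = new_occurrence
    after = {n: rpn(register, n) for n in register}
    register[name].occurrence = old
    return {n: (before[n], after[n]) for n in register if before[n] != after[n]}


def sample_processes() -> List[Process]:
    # Constructed sample data
    return [Process("Customer onboarding", 5, ["CRM"], ["db-01"]),
            Process("Internal reporting", 2, ["BI tool"], ["db-01"])]


def sample_register() -> Dict[str, Risk]:
    # Constructed sample risks: one per category, linked upstream to downstream
    operational = [Risk("OP-1", "operational", "Customer onboarding", 7, 5, 4)]
    security = [Risk("SEC-1", "security", "db-01", 9, 6, 7),
                Risk("SEC-2", "security", "db-01", 9, 3, 8, {"SEC-1"})]
    enterprise = [Risk("ENT-1", "enterprise", "Organization", 8, 2, 9, {"SEC-2"})]
    return consolidate(operational, security, enterprise)


if __name__ == "__main__":
    reg = sample_register()
    print("dependencies:", dependencies_of(sample_processes()))
    print("ranked:", ranked(reg))
    print("mitigate SEC-1 to occurrence 2:", mitigation_effect(reg, "SEC-1", 2))
```

In the sample data, "data theft from db-01" (SEC-2) depends on "unpatched db-01" (SEC-1) and the regulatory-fine risk (ENT-1) depends on SEC-2, so the linkage rule pushes both downstream risks up to SEC-1's occurrence and the what-if shows all three scores drop when SEC-1 alone is patched. Replace the constructed scales with the ones your framework prescribes; the structure (one register, explicit links, re-scoring after a proposed mitigation) is the point.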

The next iteration of this approach is to identify the linkages between the various risks and evaluate how mitigating one risk affects the others. In conclusion, risk management is a continual process that has a major impact on business operations and, most importantly, supports and complements the organization's business objectives.