Before I continue, let me get a few definitions out of the way:
- a risk is any internal or external influence (most commonly, a threat) on an organisation, or as ISO 31000 puts it, the effect of uncertainty on objectives. Risks come in all shapes and forms. While they are not limited to defined categories, some common risk types (both internal and external) include: cultural and social risks, political, legal, regulatory, financial, technological, and environmental risks;
- risk management is the organisation’s approach to managing risks, or as per ISO 31000, coordinated activities to direct and control an organisation with regard to risk;
- a risk mitigation plan is a plan for dealing with the negative consequences of a risk, comprising various mitigation tasks which are usually aimed at avoiding the risk, accepting a risk in order to pursue an opportunity, removing the risk source, changing the likelihood or consequence of the risk, sharing the risk with third parties, or retaining the risk (described as “risk treatments” in ISO 31000).
1 Identifying risks
The first step in any risk management process is the identification of what risks exist. Alyne helps you to do this through self-assessments using Alyne’s control sets or customised controls. The results can then be used to produce reports identifying specific risks to your organisation, and those risks can be tracked in a risk register.
2 Setting up mitigation plans
Once risks have been identified, an organisation will need to set up and execute individual and tailored mitigation plans in respect of identified risks - this is arguably the most crucial aspect of risk management and appropriate time and thought should be allocated to getting this step right. We would suggest the following best practices:
a) Obtain key stakeholder input
When developing mitigation plans, it’s extremely important to obtain input from key stakeholders in the organisation - i.e., those individuals or teams which may be impacted by the risk eventuating or who may be able to influence the likelihood or impact of the risk. Those individuals are likely to be able to provide the best suggestions for which mitigation tasks should be included in the plan.
We recommend the use of an open and easily accessible platform which facilitates interaction and discussion of the risk between key stakeholders. For auditing purposes, it’s also a good idea to maintain written records of all conversations about the risk.
b) Identify mitigation tasks which address the root cause of the risk
A useful starting point for creating mitigation tasks is identifying the source or sources of the risk and then generating mitigation tasks which directly target that source.
The approach to this step will depend on the nature of the risk. A practical way to begin, however, is to look at the organisation's risk and compliance control system and review deficiencies in the organisation’s maturity in respect of any relevant controls.
For example, where a risk has been identified in respect of user accounts being hacked due to weak passwords, it might be a good idea to review the organisation’s controls and any relevant policies in respect of password management. Such a review might reveal that while the organisation has created a password policy, stating that passwords must be longer than 8 characters and may not contain strings such as “password” or “asdf”, the policy has not been implemented in all of the organisation's applications and hardware.
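The password example above has two parts a practitioner would want to check mechanically: whether a given password complies with the written policy, and whether each application or device actually enforces that policy. The block below is an added illustration written for this article, not Alyne's code or a description of its product. The policy rules (longer than 8 characters, no strings such as "password" or "asdf") come from the text; treating the substring check as case-insensitive, the `SystemPolicy` model and the sample inventory of systems are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Policy as stated in the text: longer than 8 characters, and must not contain
# strings such as "password" or "asdf". Checking substrings case-insensitively
# is an assumption made here, not something the text specifies.
MIN_LENGTH = 9
FORBIDDEN_SUBSTRINGS = ("password", "asdf")


def policy_violations(candidate: str) -> list[str]:
    """Return every policy rule the candidate breaks; an empty list means it complies."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: {len(candidate)} characters, policy requires more than 8")
    lowered = candidate.lower()
    for bad in FORBIDDEN_SUBSTRINGS:
        if bad in lowered:
            problems.append(f"contains forbidden string {bad!r}")
    return problems


@dataclass(frozen=True)
class SystemPolicy:
    """Effective password settings of one application or device (hypothetical model)."""
    name: str
    min_length: int                 # shortest password the system will accept
    forbidden: tuple[str, ...]      # substrings the system rejects


def implementation_gaps(systems: list[SystemPolicy]) -> dict[str, list[str]]:
    """Compare each system's effective settings against the organisation-wide policy.

    Returns only the systems that fall short, with a reason for each shortfall.
    """
    gaps: dict[str, list[str]] = {}
    for system in systems:
        issues = []
        if system.min_length < MIN_LENGTH:
            issues.append(f"minimum length {system.min_length} is below the required {MIN_LENGTH}")
        missing = [s for s in FORBIDDEN_SUBSTRINGS if s not in system.forbidden]
        if missing:
            issues.append(f"does not block {missing}")
        if issues:
            gaps[system.name] = issues
    return gaps


# Constructed sample inventory; the names and settings are illustrative only.
SAMPLE_SYSTEMS = [
    SystemPolicy("sso-portal", min_length=12, forbidden=("password", "asdf")),
    SystemPolicy("legacy-hr-app", min_length=6, forbidden=()),
    SystemPolicy("vpn-gateway", min_length=10, forbidden=("password",)),
]

if __name__ == "__main__":
    for pw in ("asdf1234", "MyPassword2024", "correct horse battery"):
        print(pw, "->", policy_violations(pw) or "compliant")
    for name, issues in implementation_gaps(SAMPLE_SYSTEMS).items():
        print(name, "->", "; ".join(issues))
```

Running the inventory check is what turns the review described above into a repeatable mitigation task: the systems it lists are exactly the places where the written policy has not been implemented.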
Alyne assists organisations to identify suitable mitigation tasks in the manner described above by allowing users to implement specific controls as mitigation tasks (“Mitigation via Controls”). Users are also able to create customised mitigation tasks where required.
c) Track how your mitigation tasks might reduce the impact or likelihood of the risk
You can use Alyne’s drop-downs to document to what degree the mitigation task reduces the impact and likelihood of a risk.
d) Make sure you’ve got the right person on the job
Once your mitigation tasks have been identified, it’s important to make sure the right personnel within the organisation are executing the tasks. Each task should be delegated to an owner who will be responsible for ensuring the completion of the task within a defined time frame (e.g. by a specified calendar date). The owner of the mitigation task should have the resources and capabilities to execute the mitigation task. Importantly, however, the risk owner must oversee whether the mitigation task is satisfactorily completed by the mitigation task owner and provide directions where required.
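Points c) and d) together describe a small data model: a risk with a likelihood and an impact, mitigation tasks that each lower one or both, and an owner and deadline per task overseen by the risk owner. The block below is an added example of that model written for this article; it is not Alyne's code and does not reflect how Alyne stores its drop-down values. The 1 to 5 scales, the additive step reductions, the sample risk and its tasks and dates are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class MitigationTask:
    description: str
    owner: str                  # person responsible for completing the task
    due: date                   # defined time frame, expressed as a calendar date
    likelihood_reduction: int   # steps (0-4) the task lowers likelihood on a 1-5 scale
    impact_reduction: int       # steps (0-4) the task lowers impact on a 1-5 scale
    done: bool = False


@dataclass
class Risk:
    title: str
    risk_owner: str             # oversees the task owners, per point d)
    likelihood: int             # inherent likelihood, 1 (rare) to 5 (almost certain)
    impact: int                 # inherent impact, 1 (negligible) to 5 (severe)
    tasks: list[MitigationTask] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_levels(self, include_open: bool = False) -> tuple[int, int]:
        """Likelihood and impact after applying completed tasks.

        With include_open=True, planned (not yet completed) tasks count as well,
        which gives the target position once the whole plan is executed.
        Reductions are additive and floored at 1, an assumption of this model.
        """
        likelihood, impact = self.likelihood, self.impact
        for task in self.tasks:
            if task.done or include_open:
                likelihood -= task.likelihood_reduction
                impact -= task.impact_reduction
        return max(likelihood, 1), max(impact, 1)

    def residual_score(self, include_open: bool = False) -> int:
        likelihood, impact = self.residual_levels(include_open)
        return likelihood * impact

    def overdue_tasks(self, as_of_iso: str) -> list[MitigationTask]:
        """Open tasks whose due date has passed, for the risk owner's oversight."""
        as_of = date.fromisoformat(as_of_iso)
        return [t for t in self.tasks if not t.done and t.due < as_of]

    def unassigned_tasks(self) -> list[MitigationTask]:
        """Tasks that still lack an owner and therefore cannot be delegated."""
        return [t for t in self.tasks if not t.owner.strip()]


def build_sample_register() -> Risk:
    """Constructed sample: the weak-password risk from the text with three tasks."""
    return Risk(
        title="User accounts compromised due to weak passwords",
        risk_owner="Head of Information Security",
        likelihood=4,
        impact=4,
        tasks=[
            MitigationTask("Enforce length and denylist rules in the SSO portal",
                           "IAM team", date(2024, 3, 31), 2, 0, done=True),
            MitigationTask("Roll out the policy to the legacy HR application",
                           "HR IT", date(2024, 4, 30), 1, 0),
            MitigationTask("Enable multi-factor authentication for all staff",
                           "IAM team", date(2024, 5, 31), 0, 2),
        ],
    )


if __name__ == "__main__":
    risk = build_sample_register()
    print("inherent:", risk.inherent_score())
    print("residual (completed tasks):", risk.residual_score())
    print("residual (full plan):", risk.residual_score(include_open=True))
    for task in risk.overdue_tasks("2024-05-10"):
        print("OVERDUE:", task.description, "owner:", task.owner)
```

The two residual figures are the ones the risk owner needs to compare: the first shows where the organisation stands today, the second what the plan promises, and the overdue list shows which task owner the risk owner should be giving directions to.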