Blog | March 19, 2021 5 MINS

Risk 101 Part II: Taking Action & Mapping Your IT Risk Management Lifecycle

Digital risk has complicated the IT Risk Management Lifecycle. There are an exponential number of variables to consider with the expanded scope of operating among the Internet of Things (IoT). Having your threats, vulnerabilities, and assets correctly mapped will help to secure a reliable and consistent approach to tracking your overall risk. From here, we need to understand how we act, mitigate and monitor risk throughout the IT risk management lifecycle.

The best GRC systems operate cyclically. Instead of putting processes in place and walking away, you establish a system of checks and balances, so you’re always alerted to possible risk red flags. Deemed the gold standard in risk guidance by many professionals, the ISO 31000 standard states all organizations falling under its purview should adopt continuous improvement processes in this area. Process improvement over time rather than static check-in is a common theme among emerging and updated standards and guidance for risk management across domains.

As a result, many companies see the benefits of moving towards risk lifecycle management as a best practice. ISO 31000 breaks the risk management lifecycle into the following seven stages.

Register for the Webinar: Building a GRC Program That Fits Your Business | A First Line Friendly ISMS Suite

#1 Establish the Context

The first step in risk lifecycle management is creating a roadmap. A significant part of this will be choosing the cross-organizational stakeholders who need to be involved. The plan should specify who is responsible for specific tasks and communication rules to execute those tasks. Once your organization outlines the scope of what needs to be covered and the resources required to accomplish it, you can, in a sense, “translate” these risk objectives to the rest of your business. Establishing the context is in line with understanding your business objectives to communicate initiatives and prioritize action throughout the risk management lifecycle.

#2 Risk Identification

Now we want to compile and plan for the unexpected. Gather your stakeholders to create a risk register. Your risk register serves as a common source of truth to list any possible risks the organization could face. It should be comprehensive. The risk elements we defined earlier should help determine this risk by indicating the potential causes (threats and vulnerabilities), results (business impact), and controls (protective measures). Once we have these items identified, we can evaluate the severity based on the business impact and our established content. For instance, will this risk compromise the primary revenue stream or create a wide-scale inconvenience where we need to re-route operations?

#3 Risk Analysis

Now that we have a collective risk register to reference, we can zero-in on the high-risk possibilities. Many organizations use an enterprise matrix to score both impact and probability to assign a risk score that balances between the two measures. Other organizations use the bowtie method to plan proactive and reactive steps across various scenarios that could contribute to each risk. Part of the risk management lifecycle is consistently reviewing your low risks to make sure they haven’t escalated to the point of needing a risk analysis.

#4 Risk Evaluation

Now you’ll decide which risks need continuous monitoring and which you may leave to periodic check-ins. Evaluate a risk on its potential consequences to people, assets, environment, and reputation. When evaluating risk at any given point in the risk management lifecycle, you’ll want to consider your risk tolerance. How much risk are you willing to accept?

The risk score should be evaluated and potentially revised based on your “risk willingness”. Score each risk based on the level of attention needed. While we would love to protect the business against any form of harm, we can’t boil the ocean or effectively execute that scale of mitigation. Individual risks will be deemed acceptable based on your risk tolerance or, As Low As Reasonably Practicable (ALARP), or not acceptable. From there, we would recommend and initiate a treatment plan.

#5 Risk Treatment

The next logical step is to address the risks that don’t fall under acceptable or ALARP. During the risk management lifecycle, controls are evaluated, implemented, and revised during the risk treatment stage. You’ll improve practices in place or add new barriers then determine if the result creates a tolerable risk level. If it doesn’t, keep experimenting with new controls or compensating measures until it does.

#6 Communication and Consultation

What’s so helpful about the risk management lifecycle is that it helps you draft a narrative to risk. Understanding the broader scope of risk, helps you to communicate the business impact to stakeholders across the organization, beyond ambiguous risk score based on impact and likelihood. Because it’s context-rich, it’s easy to share with stakeholders and anyone at your organization. You can create a digestible picture of what the process looks like, distribute it to team members, and have confidence you’re all on the same page.

#7 Monitoring and Review

Outside of everything going on from identification to treatment and reporting, audits and incident analyses are essential to keeping a close eye on your risks. Each activity can help determine why the specific controls didn’t do their jobs through an objective root cause analysis. Given the reliance on digital applications and data sharing throughout processes, leveraging continuous monitoring technology is key to documenting evidence and flagging real-time issues.

Although monitoring and review is the last stage in the risk lifecycle, it’s also the first. From this stage, the process loops back to the beginning to address any changes that have taken place since the original implementation.

Organizational policies, people, and processes can change rapidly – sometimes even within 24 hours. Recognizing that risks are not static and that your mitigating tactics should not be a point in time initiative will secure your assets. As circumstances change, you have a plan to correct the situation quickly and effectively. Taking a risk-based approach to planning and preparing for your broader GRC program will help you report a clear picture of your risk management lifecycle to board and C-level executives.

Gain Visibility into Your Risk Management Lifecycle with a GRC Platform

Getting a level of clarity across your risk management lifecycle is ongoing and can be an extensively manual – and therefore painful – process. There are lists to create, data relationships to map, and scores to track. Metrics need to be monitored and reported on, audits reviewed, and distributed. Understanding and gaining insights into your risk management lifecycle can be overwhelming. can be overwhelming.

To manage risk at scale, many experts recommend relying on technology and automation instead. Triggers and organizational mapping can make tracking your risk management lifecycle a snap. A GRC automation platform will take care of reviewing review schedules, sending you notifications when it’s time to take a peek and ongoing monitoring to flag irregularities outside your defined threshold. You’ll get an evergreen view of potential business impacts without ever lifting a finger.

OneTrust’s GRC platform offers a suite of integrated risk management products to identify, measure, mitigate, monitor, and report risk across your organization. The flexible and intuitive nature of the solution can ease some common challenges with custom tooling and streamline step zero. Your team can then access and start to utilize functionality from day one. Finding a solution that can fit your unique business needs will lift the burden of manual risk lifecycle management off your team.

Start a free trial or schedule a demo today.

Further risk management lifecycle reading:

Next steps on mapping your risk management lifecycle:

Onetrust All Rights Reserved