Intellyx BrainBlog for Evolven by Jason Bloomberg
Along with making and saving money, managing risk is one of the top three priorities for any executive. As with financial motivations, dealing with risk must percolate through the entire organization. Everyone is responsible for managing the risks within their respective purviews.
IT executives in particular must manage risks in their organizations. Downtime, performance issues, and compliance gaps all threaten the health of the business and thus are risks that the entire IT organization must manage.
Managers must make investment decisions that manage and mitigate all such threats across the board, without irrationally emphasizing one type of threat over another.
They need some kind of common denominator that gives them such balanced, rational control over risk. A new generation of configuration management can provide that common denominator.
How to Quantify Different Types of Risk
Of all the risks facing the enterprise at large, many fall within the domain of IT. We’ll consider three types of risk:
- Availability risk – the risk of downtime, as well as the risk of poor performance that adversely impacts user experience. Such risks threaten the organization’s bottom line via lost business and customer churn.
- Compliance risk – the risk of fines and reputational damage due to regulatory non-compliance.
- Cybersecurity risk – the risk that vulnerabilities will lead to breaches, causing loss of data and money, as well as reputational damage.
Other risks, such as technical debt, also face the IT organization, but the three categories above are the most prominent.
Without a common understanding of these risks, managers are likely to make irrational investment decisions based on the crisis of the day. Organizations must objectively quantify the risks they face. This quantification relies on the practice of risk scoring.
Risk scoring begins with risk profiling, which determines the importance of a system to the mission of the organization. Risk scoring provides a basis for quantitative risk-based analysis that gives stakeholders a relative understanding of the different types of risks.
The overall risk score for a given type of risk is the sum of the risk profiles of the systems it covers, and thus gives stakeholders a way of comparing risks in an objective, quantifiable manner.
One particularly useful (and free to use) resource for calculating risk profiles and scores is Cyber Risk Scoring (CRS) from NIST, an agency of the US Department of Commerce. CRS focuses on cybersecurity risk, but the folks at NIST have intentionally structured it to apply to other forms of risk, including availability and compliance risk.
If an organization has a quantitative approach to risk profiling and scoring, then it’s possible to benchmark risks to compare one type of risk to another – and furthermore, make decisions about mitigating risks across the board, and how much money to spend doing so.
Risk scoring is one aspect of the broader challenge of risk assessment. Organizations must assess their risks to coordinate various risk mitigation efforts that lead to an optimal balance between risk mitigation and the costs of achieving it.
There are, in fact, several different risk assessment frameworks that organizations can use to quantify and manage their IT risks, including the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) framework, the NIST Risk Management Framework, COBIT 5 for Risk, and ISO/IEC 27005:2022.
These frameworks and standards can help organizations assess and quantify their risks across the different types of risk. Once they have quantified their various risks, they are able to make informed decisions about how to mitigate all of them within the context of the overall budget for managing IT risk.