Friday, September 5, 2014

Risk Management: Which one?

Intro
Ask any company whether they do "Risk Management" and they will say yes; if they say no, they do it without realizing it. What surprises me is how many of them blur the lines on what risk management actually is. I would like to take the idea of "Risk Management" and expound on the different types. Why? Because every side of the company, C levels, security, IT, has its own idea of "Risk Management", and each tends to believe that its way is the only way to look at risk and that all risk can be looked at through its model.

Risk Register
A risk register is where you house your risks. What is interesting is that the house must have various doors through which data enters it, or it will not be used and will not make sense. Let me explain this by going through the main ideas behind Risk Management.

Business Risk Management:
Business risk management, at its far end, deals with buying other companies, venturing into different markets, taking on certain customers, and so on. What also falls into it, however, is finding out what threats lie ahead. I leave it as vague as "threats" for a reason. When a C level is asked about threats, he could go off on competitors, but he could just as easily go off on exploiters. The C level sees both in the same category. What the C level does not see is that there are different ways to remediate each risk. Now let's take a step back. I am sure C-level employees see that we have to deal with these risks differently; I am not saying they cannot tell the difference. What I am saying is that if we do not collect the correct data on the competitor, we lose. The same goes for an exploiter: their data is different and must be collected through a different door into our house, the risk register, or we lose.

Security Risk Management: 
Security Risk Management is finding vulnerabilities in our data, our people, our assets, etc.: whatever is threatening our business from growing and succeeding. You can see where business and security risk management can get a little fuzzy for someone on the far side of either argument. A tech would see risk as "exploits to the operating system", where the C level sees risk as "competitors moving in for the kill". Each one threatens the business from growing and succeeding, and the difference between the two is subtle. But you do see the difference: one deals with security, the other with business. Once you find that difference you will see that they require separate doors into the risk register, because each has different "things" to go through to determine the risk. I am not going to ask the question "what assets are affected by this exploit" to a

Now I have to take a step back and explain. There is only one risk register. I am a firm believer in ITIL and in one destination for all. What I am saying is that the way you input risk into the register must differ. You are not going to fill out a form for business risk that works for security risk as well; these forms must be different. I feel like I could lose someone on this again, so remember that a threat to the business does not necessarily mean a threat to security. Different data has to be collected to find out what the risk really is and then remediate it.

One Register, different data?
With different data being entered into one risk register you might think the data will be skewed and that you cannot get a good view of the overall risks to the company. That is where you have to realize that a relational database, a storehouse for your risks, can be built for this. Business risks and security risks can be related and tied together through the same score card. You can build a tree structure so that risks fall under certain areas and mean certain things to the company. Each company is different and can define those "things" for itself and how to correlate it all together. I am not going to try to solve everyone's issues in one blog post.
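As an added illustration (not code from the original post), here is one way to build that structure in Python with the standard library's sqlite3: a single risk table holding the shared score card fields, one detail table per door (business and security) hanging off it by foreign key, a category path acting as the tree, and a rollup query over any branch of that tree. Table names, column names, the 1..5 scoring buckets and the sample entries are assumptions constructed for the example.

```python
"""Added example, not code from the original post: one risk register with two
intake "doors" (business and security) feeding a single score card.
Uses only the standard library (sqlite3); table/column names and the
1..5 scoring buckets are illustrative assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE risk (                       -- the single register
    id         INTEGER PRIMARY KEY,
    title      TEXT NOT NULL,
    category   TEXT NOT NULL,             -- tree path, e.g. Company/Security/Identity
    kind       TEXT NOT NULL CHECK (kind IN ('business', 'security')),
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
    impact     INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5)
);
CREATE TABLE business_detail (            -- data the business door collects
    risk_id          INTEGER PRIMARY KEY REFERENCES risk(id),
    competitor       TEXT,
    market           TEXT,
    revenue_at_stake REAL NOT NULL
);
CREATE TABLE security_detail (            -- data the security door collects
    risk_id         INTEGER PRIMARY KEY REFERENCES risk(id),
    asset           TEXT NOT NULL,
    weakness        TEXT NOT NULL,
    internet_facing INTEGER NOT NULL,
    exploit_public  INTEGER NOT NULL
);
"""

def open_register():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def business_impact(revenue_at_stake):
    """Map a business-door field onto the shared 1..5 impact scale (assumed buckets)."""
    if revenue_at_stake >= 1_000_000:
        return 5
    if revenue_at_stake >= 100_000:
        return 3
    return 1

def security_likelihood(internet_facing, exploit_public):
    """Map security-door fields onto the shared 1..5 likelihood scale (assumed weights)."""
    return 2 + (2 if internet_facing else 0) + (1 if exploit_public else 0)

def _insert_risk(conn, title, category, kind, likelihood, impact):
    cur = conn.execute(
        "INSERT INTO risk (title, category, kind, likelihood, impact) VALUES (?, ?, ?, ?, ?)",
        (title, category, kind, likelihood, impact))
    return cur.lastrowid

def add_business_risk(conn, title, category, competitor, market, revenue_at_stake, likelihood):
    """The business door: its own form, scored onto the common card."""
    rid = _insert_risk(conn, title, category, "business", likelihood, business_impact(revenue_at_stake))
    conn.execute("INSERT INTO business_detail VALUES (?, ?, ?, ?)", (rid, competitor, market, revenue_at_stake))
    return rid

def add_security_risk(conn, title, category, asset, weakness, internet_facing, exploit_public, impact):
    """The security door: a different form, scored onto the same common card."""
    rid = _insert_risk(conn, title, category, "security",
                       security_likelihood(internet_facing, exploit_public), impact)
    conn.execute("INSERT INTO security_detail VALUES (?, ?, ?, ?, ?)",
                 (rid, asset, weakness, int(internet_facing), int(exploit_public)))
    return rid

def top_risks(conn, n=3):
    """Both kinds ranked on the same score card (likelihood x impact)."""
    return conn.execute(
        "SELECT title, kind, likelihood * impact AS score FROM risk "
        "ORDER BY score DESC, id LIMIT ?", (n,)).fetchall()

def rollup(conn, node):
    """(highest score, number of risks) under one node of the category tree."""
    return conn.execute(
        "SELECT COALESCE(MAX(likelihood * impact), 0), COUNT(*) FROM risk "
        "WHERE category = ? OR category LIKE ?", (node, node + "/%")).fetchone()

def load_sample(conn):
    """Constructed sample entries for demonstration only."""
    add_business_risk(conn, "Competitor entering our EU market", "Company/Business/Market",
                      "Acme Corp", "EU", 2_000_000, likelihood=4)
    add_business_risk(conn, "Key customer contract up for renewal", "Company/Business/Customers",
                      None, "US", 150_000, likelihood=2)
    add_security_risk(conn, "Unpatched internet-facing web server", "Company/Security/Infrastructure",
                      "www01", "outdated TLS library", True, True, impact=4)
    add_security_risk(conn, "Shared admin password on build server", "Company/Security/Identity",
                      "build01", "shared credential", False, False, impact=5)

if __name__ == "__main__":
    conn = open_register()
    load_sample(conn)
    for row in top_risks(conn):
        print(row)
    print("Security branch:", rollup(conn, "Company/Security"))
```

The point of the two detail tables is that each door keeps the data it actually needs (a competitor and a market on one side, an asset and its exposure on the other) while the mapping functions decide how that data lands on the common likelihood and impact scales, so a competitor risk and an unpatched server can sit next to each other in one ranking without either form pretending to be the other.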

Conclusion
Working different data into a single risk register is going to be tough. It will create more discussion, more meetings, and more understanding of each side and of who does what when. What it will give you, however, is a happy risk manager able to see and remediate a risk on its own side, without having to rely on concepts from the other side that do not even make sense for it.