3 THE INFORMATION RISK MANAGEMENT PROGRAMME

Due to its possible scale, for many organisations risk management will involve a number of areas of work rather than simply a project, and, while the mechanics of managing information risk are relatively straightforward, there needs to be an overall framework around the activity if there is to be any real chance of success.

This chapter discusses the goals, scope and objectives of such a programme, together with the various roles and responsibilities and governance of the programme.

The organisation should ideally establish an information risk management programme, which will have oversight of all the work. Such a programme might contain the following elements:

  • The goals, scope and objectives of the programme and the organisation’s overall information risk management policy.
  • The overall roles and responsibilities of the programme leaders and key players, including their areas of authority, ownership and accountability.
  • The governance processes for the programme, and, if necessary, those for the individual components or projects within the programme.
  • The internal standards that must be observed, including risk criteria, reporting, documentation and management processes.
  • The financial arrangements, including budgetary constraints if these are known.
  • Training of those involved in the programme and awareness for staff generally.
  • Monitoring and review of progress and results.

Many organisations make use of the PDCA model, which was described in greater detail in the previous chapter. PDCA is a useful method in the management of any project or programme, but although it has featured in many UK and international standards, more recently published standards have omitted it.

The PDCA model takes the view that, although an information risk management programme may have defined start and finish points, it is in fact a continuous process, and that organisations should revisit all risks on a regular basis or when any facet changes. This highlights the need for the integration of information risk management into business-as-usual operations.

GOALS, SCOPE AND OBJECTIVES

The organisation’s ultimate goal might be to obtain ISO/IEC 27001 accreditation, and an effective information risk management programme will be an essential component of this. Alternatively, it may just be the case that the organisation wishes to establish as risk-free an information environment as possible. If the former, the accreditor will be seeking evidence not only of the outcomes of such a programme, but also the means by which it has been executed and its ongoing monitoring. If the latter, it may still be worthwhile for the organisation to employ the services of an auditor or accreditor simply to verify that the programme has been conducted thoroughly and completely.

In developing the strategic approach to the information risk management programme, the team will be required to establish both the internal and external contexts in which the organisation operates and how the information risk management process fits in to the overall business environment.

A key aspect of this is the requirement to define, document and agree with senior management the organisation’s risk appetite and its criteria for accepting risks that cannot be treated by other means as well as for accepting residual risk.

Many of the drivers for the information risk management programme will originate from the organisation’s existing information security policies, if they exist. If not, they must be developed as an integral part of the programme. Many of the controls applied in order to treat the risks identified will involve IT and the security team.

It is crucial, therefore, that the information risk management programme is not viewed as being a stand-alone or separate programme from that of the information security community, and that constant communication and consultation takes place between the two disciplines wherever their management structure differs.

Some of the requirements identified by the information risk management programme will originate from the organisation’s legal and regulatory department, who will therefore be heavily involved; and there will likewise be the need to ensure communications and consultation between stakeholders at all levels, both within the organisation and outside it where necessary.

Setting the programme scope

While the strategy of the information risk management programme sets out the goals and objectives of the programme, it is also essential to go down a level and set the scope:

  • Those elements of the organisation’s information assets that are to be within the scope of the programme.
  • Equally importantly, those elements of the organisation’s information assets that are to remain outside the scope of the programme.

ROLES AND RESPONSIBILITIES

No programme can be successful unless it has strong leadership, and in setting the overall roles and responsibilities for the programme, the organisation’s senior management team must bear in mind that, in addition to leaders, the programme requires dedicated assignment of resources to undertake the detailed work.

Managers of these members of staff must be made aware of the programme and understand that people will need to take time from other duties in order to contribute to the programme, in which they might report to another manager, and that the staff themselves may require additional training.

GOVERNANCE OF THE RISK MANAGEMENT PROGRAMME

Within the overall framework of governance of risk management, there will be three distinct layers of involvement. At the strategic layer, there will exist the overall responsibility, accountability and authority for the programme, some if not all of which will lie at board level. The designated board member or members should ensure that the tactical and operational work is understood, and that the organisation’s business and cultural contexts are taken into account.

Legal and regulatory compliance issues can become a complex subject in their own right, especially in cases where organisations are spread across multiple legal and regulatory jurisdictions. The organisation’s legal and regulatory department must identify all necessary obligations to the programme, and ensure that these are complied with. However, it will also be necessary to maintain oversight of the legal and regulatory liabilities that exist, since the costs of meeting these obligations may have an impact on the costs of the programme.

In parallel with the identification of any work packages, the nomination of key individuals having specific roles within the programme will have a profound effect on its outcome, and the board will need to ensure that these individuals’ performance is monitored and reviewed, and that their terms of reference are verified at intervals to ensure that the programme’s objectives are being achieved.

The board should ideally have the information risk management programme as a running agenda item, as it may well be a component part of the organisation’s annual reporting, especially if it is in a highly regulated sector.

At the tactical layer, a slightly lower-level view is required, and the adoption of risk intelligence procedures enables the organisation to discover the existence of risks that have either not yet been taken into account – these might be obtained from both business and information security sources – or those that have occurred previously within the organisation. In some contexts, and especially in terms of BC, this is known as horizon scanning.

Also within the tactical layer of governance is risk policy management, in which a strategic steer from board level is translated into the day-to-day policies that must be followed by the organisation. This includes an overall policy framework and the general format of the policies, together with their interdependencies where these exist.

Finally, at the operational layer, there will be the key activities of the information risk management programme: those of risk assessment, including the identification of threats, vulnerabilities and impacts or consequences, the formulation of the likelihood and subsequent analysis of the risks and, finally, the evaluation of risks and the proposals for risk treatment.

A final element of the overall programme governance will be the need for regular communications and reporting both upwards and downwards through the chain of command, especially in the reporting and logging of new risks and in progress in the treatment of existing risks.

INFORMATION RISK MANAGEMENT CRITERIA

In support of the information risk management programme, and to guide its internal standards, a number of business risk management requirements will be needed.

The legal and regulatory framework in which the organisation operates, both within its host country and other jurisdictions, will have a major impact on the standards and criteria adopted. These will include so-called ‘primary legislation’ – the laws of the country concerned, such as the Computer Misuse Act, and the data protection legislation and secondary regulation that is generally sector-specific.

The nature of business within the sector itself will have some influence on standards and criteria, as well as the way in which the organisation is structured, both organisationally and geographically.

High-level business risk estimation

In order to provide a starting point for the later risk assessment work, the organisation may benefit from producing a series of high-level estimates of business risk. These need not be very specific or accurate, since they are intended only as a ‘starter for 10’, but might include such areas as the possible losses that might be incurred by the business through being unable to answer customer calls or by being unable to reach a minimum regulatory threshold for some reason.

Important at this stage is the ‘what’, rather than the ‘why’, since it will lead the later stages of the work into a more detailed impact analysis and provide the analysts with a number of high-level headings with which to begin their work.

Risk appetite

In order to proceed with the process of information risk management, the organisation must commence by setting its risk appetite. Unfortunately, this is not a one-off exercise, as each type or class of information asset may have a different risk appetite associated with it.

The following factors will determine the risk appetite for each type or class of information:

  • the information’s classification;
  • the information’s confidentiality, integrity and availability requirements;
  • the organisation’s sector type;
  • the organisation’s culture;
  • the organisation’s legal and regulatory obligations.

We’ll deal with impact and likelihood scales in greater detail in the next chapter, but for the meantime, it is worthwhile understanding that the terms ‘low’, ‘medium’ and ‘high’ are qualitative as they stand and are therefore not completely meaningful, and where possible should be placed in what is often referred to as a semi-quantitative context. So, for example, ‘low’ might refer to a range of values up to £100,000, ‘medium’ to a range between £100,000 and £1 million and ‘high’ to a range of values greater than £1 million.

This still does not dictate the exact risk appetite, but it does provide the assessor with reasonably objective guidelines as opposed to less meaningful subjective ones. Naturally, the level of granularity of the ranges can be increased if desired, but as the level of granularity increases this brings about a more complex assessment process that takes longer to achieve.
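The following is an added example, not code from the book, that encodes the chapter’s illustrative semi-quantitative scale (‘low’ below £100,000, ‘medium’ from £100,000 to £1 million, ‘high’ above £1 million), shows a finer five-band scale to illustrate the granularity trade-off just described, and checks each asset’s high-level loss estimate against the appetite band set for its class of information. The band names beyond low/medium/high, the rule that a value exactly on a boundary falls into the band above it, and the sample assets are all assumptions made for the example.

```python
"""Semi-quantitative impact bands with a risk-appetite check.

Added example, not from the book. The three-band scale is the chapter's
illustration; the five-band scale, the boundary rule and the sample assets
are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Band:
    name: str
    upper_gbp: float  # exclusive upper bound; float("inf") for the top band


# The chapter's three bands. A value exactly on a boundary falls in the band
# above it, so £100,000 is 'medium' (an assumption; the chapter does not say).
THREE_BAND_SCALE: Sequence[Band] = (
    Band("low", 100_000),
    Band("medium", 1_000_000),
    Band("high", float("inf")),
)

# Finer scale: more objective bands, but every asset needs a closer estimate
# and the assessment takes longer, as the chapter warns.
FIVE_BAND_SCALE: Sequence[Band] = (
    Band("negligible", 10_000),
    Band("low", 100_000),
    Band("medium", 1_000_000),
    Band("high", 10_000_000),
    Band("critical", float("inf")),
)


def band_for(loss_gbp: float, scale: Sequence[Band] = THREE_BAND_SCALE) -> str:
    """Map a monetary loss estimate to its qualitative band on the given scale."""
    if loss_gbp < 0:
        raise ValueError("loss estimate cannot be negative")
    if scale[-1].upper_gbp != float("inf"):
        raise ValueError("top band must be unbounded")
    for band in scale:
        if loss_gbp < band.upper_gbp:
            return band.name
    raise AssertionError("unreachable: top band is unbounded")


@dataclass(frozen=True)
class InfoAsset:
    name: str
    classification: str        # one of the appetite factors the chapter lists
    estimated_loss_gbp: float  # high-level business risk estimate
    appetite_band: str         # highest band the asset owner will tolerate


def assess(assets: Sequence[InfoAsset], scale: Sequence[Band] = THREE_BAND_SCALE) -> List[Dict[str, object]]:
    """Band each asset and flag those whose estimate exceeds the appetite for it."""
    order = [b.name for b in scale]
    results: List[Dict[str, object]] = []
    for a in assets:
        if a.appetite_band not in order:
            raise ValueError(f"{a.name}: appetite {a.appetite_band!r} is not on the scale")
        band = band_for(a.estimated_loss_gbp, scale)
        results.append({
            "asset": a.name,
            "band": band,
            "exceeds_appetite": order.index(band) > order.index(a.appetite_band),
        })
    return results


# Constructed sample assets (not from the book).
SAMPLE_ASSETS = (
    InfoAsset("customer database", "confidential", 2_500_000, appetite_band="medium"),
    InfoAsset("public website content", "public", 40_000, appetite_band="medium"),
    InfoAsset("payroll records", "restricted", 100_000, appetite_band="low"),
)

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        print(row)
```

Swapping `THREE_BAND_SCALE` for `FIVE_BAND_SCALE` in the `assess` call changes only the labels and the number of decisions per asset, not the calling code, which is the practical form of the granularity trade-off the chapter describes.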

Risk treatment criteria

At the strategic level of risk treatment, there are four basic options:

  • risk avoidance or termination;
  • risk reduction or modification;
  • risk transfer or sharing;
  • risk acceptance or tolerance.

Below this are the tactical and operational levels of risk treatment, which we will deal with in greater detail in Chapter 7, but, for the moment, we will examine these four in a little greater depth.

There are also several key factors that influence the decision as to which course of action is most appropriate:

  • Whether the choice is actually achievable. For example, it may not be possible to take out an insurance policy against the prospect of a fine for violating data protection law.
  • Whether the choice brings about additional risk. For example, if the organisation decides not to enter into a new development programme, there may be consequential losses incurred by not doing so.
  • Whether multiple choices are appropriate. For example, treating a particular risk might involve halting one part of a business operation, insuring against a capital loss and introducing additional procedures to reduce the likelihood.

Whatever the choice made, it should be understood that there may always be some residual risk, regardless of the effectiveness of the actions taken, and this residual risk will have to be accepted by the organisation, recorded as such and subjected to ongoing monitoring and review. Further, the process for recommending the choice or choices should be according to defined criteria, and should follow a consultative process to ensure both consistency and fairness.

Risk avoidance or termination criteria

These can be quite difficult to define, partly due to the subjective nature of some of the inputs to the decision-making process. Trying to overcome this subjectivity can be a time-consuming and expensive process in its own right. For example, if an organisation wishes to undertake a particular activity, but does not feel it possesses the skills and expertise to do so, it may be possible to outsource the work to another organisation. However, without a detailed financial analysis, it might not be clear whether the cost of this approach would be greater or less than the losses incurred by not undertaking the activity at all.

Alternatively, the organisation may feel that the risk is so high that the possible costs of treatment would be unacceptable. Again, without further detailed financial analysis, the decision to avoid the risk becomes subjective and subject to a large degree of uncertainty.

The only objective factor driving the decision to avoid or terminate a risk is when the organisation is fully aware without further analysis that the costs of treating the risk exceed the possible impact of not treating it.

Taking the route of risk avoidance will normally remove both the impact and the likelihood of the risk, but may result in some form of consequential risk caused by not undertaking the activity.

Risk reduction or modification criteria

This option allows us to reduce either the impact or the likelihood of the risk, and possibly even both. Risk reduction, however, does not imply that the risk is reduced to an acceptable level (as determined by the organisation’s risk appetite), but merely that it has been reduced to some degree. As we mentioned earlier, it may be necessary to use several different forms of risk reduction, or use them in combination with other types of risk treatment.

The decision to reduce or modify a risk will be based on whether or not the costs of doing so are above or below the level set by the organisation’s risk appetite for the particular information asset and whether the organisation possesses the skills and expertise to do so from within.

Risk transfer or sharing criteria

In contrast to risk reduction, risk transfer can only ever reduce the impact of a risk, but never the likelihood. In transferring the risk to a third party, the organisation can only transfer the treatment of the risk – the ownership must remain with the organisation. A good example of this is the case of the BP Deepwater Horizon oil spill in 2010, in which almost 5 million barrels of crude oil were discharged into the Gulf of Mexico with disastrous results to the ecology of the region. Although the oil rig was operated by a third-party organisation, the US government held BP responsible for the incident.

Transferring a risk can usually mean insuring against it, but can also refer to outsourcing arrangements, especially of information technology hardware and software and also of information security management.

Transferring risk will have up-front costs (premiums in the case of insurance) and may also have downstream costs – for example, there may be an excess penalty to pay in the event of a claim, and also the policy payment may not fully cover the cost of replacement, repair or recovery if certain exclusions apply through circumstances in force when the risk event takes place.

Finally, transferring the risk depends both upon the availability of a third party willing to take on the risk, since some risks are not insurable, and upon the usual constraint of whether the potential losses exceed the potential costs.

Risk acceptance or tolerance criteria

The final choice for risk treatment is that of accepting or tolerating the risk. This must always be done knowingly and objectively, and the residual risk must always be monitored in case either the impact or the likelihood changes with time. Ignoring a risk is never an option, since, although it may be very low at one point in time, either the possible impact or likelihood could increase dramatically or gradually, with the result that it becomes necessary to take an alternative (and frequently more costly) approach to treat the risk.

Accepting risks does not alter either the impact or the likelihood of the risk occurring, and will generally be the option when the costs of treating the risk are greater than the potential losses that might be incurred.
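As an added example (not the book’s own method), the following models the effect of each of the four strategic options on a risk exactly as the preceding sections describe them: avoidance removes both impact and likelihood, reduction scales either or both, transfer lowers the impact but never the likelihood, and acceptance changes nothing. It also applies the cost test that runs through these sections, treating a risk only where the cost of treatment does not exceed the loss avoided, and supports combining several options for one risk. Modelling ‘potential loss’ as impact multiplied by annual likelihood, the cost figures, the appetite threshold and the sample outage risk are all assumptions made for the example.

```python
"""Effect of the four strategic risk treatment options on a risk.

Added example, not the book's own method. A risk is an impact (loss if the
event occurs) and an annual likelihood; expected loss is their product. All
monetary values, factors and the sample risk are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    impact_gbp: float   # loss if the event occurs
    likelihood: float   # probability per year, 0..1

    @property
    def expected_loss(self) -> float:
        return self.impact_gbp * self.likelihood


@dataclass(frozen=True)
class Treatment:
    option: str                     # "avoid" | "reduce" | "transfer" | "accept"
    cost_gbp: float = 0.0           # up-front plus expected downstream cost
    impact_factor: float = 1.0      # reduce: multiplier applied to impact
    likelihood_factor: float = 1.0  # reduce: multiplier applied to likelihood
    cover_gbp: float = 0.0          # transfer: amount a third party will bear


def apply(risk: Risk, t: Treatment) -> Risk:
    """Return the residual risk after one treatment is applied."""
    if t.option == "avoid":
        # Termination removes both impact and likelihood.
        return replace(risk, impact_gbp=0.0, likelihood=0.0)
    if t.option == "reduce":
        return replace(risk, impact_gbp=risk.impact_gbp * t.impact_factor,
                       likelihood=risk.likelihood * t.likelihood_factor)
    if t.option == "transfer":
        # Only the treatment moves; ownership and the likelihood stay put.
        return replace(risk, impact_gbp=max(0.0, risk.impact_gbp - t.cover_gbp))
    if t.option == "accept":
        return risk
    raise ValueError(f"unknown treatment option {t.option!r}")


Plan = Tuple[Treatment, ...]  # several options may be combined for one risk


def apply_plan(risk: Risk, plan: Plan) -> Risk:
    for t in plan:
        risk = apply(risk, t)
    return risk


def plan_cost(plan: Plan) -> float:
    return sum(t.cost_gbp for t in plan)


def worthwhile(risk: Risk, plan: Plan) -> bool:
    """Cost test: never spend more on treatment than the loss it avoids."""
    avoided = risk.expected_loss - apply_plan(risk, plan).expected_loss
    return plan_cost(plan) <= avoided


def recommend(risk: Risk, plans: Sequence[Plan], appetite_gbp: float) -> Optional[Tuple[Plan, float]]:
    """Cheapest worthwhile plan whose residual expected loss is within appetite.
    None means no plan fits and the risk should be escalated, not accepted silently."""
    viable = [p for p in plans
              if worthwhile(risk, p) and apply_plan(risk, p).expected_loss <= appetite_gbp]
    if not viable:
        return None
    best = min(viable, key=plan_cost)
    return best, apply_plan(risk, best).expected_loss


# Constructed sample: a key system outage, £2m impact, expected one year in four.
OUTAGE = Risk("key system unavailable", impact_gbp=2_000_000, likelihood=0.25)
APPETITE_GBP = 100_000  # assumed appetite for this class of asset

CANDIDATE_PLANS: Sequence[Plan] = (
    (Treatment("avoid", cost_gbp=600_000),),                            # withdraw the service
    (Treatment("reduce", cost_gbp=250_000, likelihood_factor=0.1),),    # standby system
    (Treatment("transfer", cost_gbp=50_000, cover_gbp=1_600_000),),     # insurance
    (Treatment("accept"),),
    # Combination: partial insurance plus procedural controls.
    (Treatment("transfer", cost_gbp=15_000, cover_gbp=1_000_000),
     Treatment("reduce", cost_gbp=30_000, likelihood_factor=0.2)),
)

if __name__ == "__main__":
    for plan in CANDIDATE_PLANS:
        residual = apply_plan(OUTAGE, plan)
        print([t.option for t in plan], f"cost={plan_cost(plan):,.0f}",
              f"residual={residual.expected_loss:,.0f}",
              "worthwhile" if worthwhile(OUTAGE, plan) else "not worthwhile")
    print("recommended:", recommend(OUTAGE, CANDIDATE_PLANS, APPETITE_GBP))
```

Whatever plan is chosen, the residual expected loss it returns is the figure that has to be recorded as accepted and kept under review; a `None` from `recommend` is the impasse case that should be flagged to senior management rather than quietly treated as acceptance.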

Costs of risk treatment

In a later stage of the information risk management programme, a list of recommendations will usually be presented to senior management for their consideration before risk treatment commences. Some of these recommendations will require significant financial investment in order to fully treat the risks identified. For example, the risk of a key system becoming unavailable might be so high that a decision is made to treat it by providing a high-availability standby system.

The magnitude of cost incurred by a project such as this would be very significant, and therefore the organisation’s senior management might well request that a full business case be provided, and that a financial threshold is set as an additional criterion for the information risk management programme.

Training

In organisations that are highly developed in terms of capability, the level of training required by staff in the process of information risk management may not be great. However, in those organisations that are less experienced in this kind of work, training of staff at all levels – strategic, tactical and operational – may be a necessary preliminary to the programme.

Many skills are relatively easily learnt, and can be acquired on readily available industry training courses. Others, however, especially in the legal and regulatory domain, may not be so straightforward to acquire and will need time to develop, and will possibly require considerable mentoring before staff are fully proficient.

The main point, of course, is that the overall information risk management programme must necessarily include an element of training and development in order to ensure its success.

Communication and consultation

From the very beginning, the information risk management programme will require a high degree of communication up and down the organisation, and the need for consultation, particularly in the early stages of the programme, cannot be overstated.

It is a common mistake for inexperienced information risk managers to make broad assumptions regarding the value of assets, the impacts on the organisation of the loss or damage to those assets, the threats and hazards faced by the assets and the vulnerabilities they exhibit.

The information risk manager should strive to consult at every stage of the programme, and resist the temptation to make rash assumptions, the consequences of which can be highly detrimental.

At an early stage in the programme, the information risk manager should take great care to identify all those who are directly responsible for the information assets in question – or who are able to take an objective view of impacts and consequences, threats or hazards and vulnerabilities – to make contact with them as soon as possible and to maintain that dialogue throughout the programme.

Another common error is to assume that these ‘subject matter experts’ will either be aware of the programme, its importance to the organisation or the likely involvement they may have in it. While it might be acceptable to fire off a quick ‘heads up’ email to someone whom the information risk manager knows well, this might be less appropriate for others, and it is strongly recommended that contact should be established on a personal level before making regular use of email to exchange information.

Monitoring and review

The final piece in the overall information risk management programme puzzle is that of monitoring and regular review of the entire activity.

It may be useful for the organisation to define some basic metrics for the purpose of monitoring progress. However, care should be taken in being too general in this approach, since the risk management for some risks will take quite a short time, while that for others may take significantly longer. It is perhaps better to report on individual areas in terms of percentage completeness, and then to combine these individual amounts to provide an overall status.

Whichever approach is taken, it should be clearly defined and consistently applied, so that different teams report their own activities in the same way as all others, and that the senior management team do not receive a skewed view of overall progress.

Occasionally, risks will emerge that, despite the best efforts of the risk management team, appear to have reached an impasse and no clear indication can be made as to how – or whether – to treat them. Risks such as these should be flagged to the organisation’s senior management team at the earliest possible moment in order to ensure that they do not become overlooked simply because they are too difficult to deal with.

The overall owner and person responsible and accountable for the information risk management programme should monitor its progress on a frequent and regular basis, should make a point of reviewing all risks addressed by the programme whether they have been treated or not, and should establish that their treatment is on track.

SUMMARY

In this chapter, we have discussed the goals and objectives of an information risk management programme, including the scope and governance as well as the criteria for conducting the programme. We then examined the overall process and the basics of the information risk management programme, so now it is time to move on to its first stage – that of risk identification.
