
What is Risk Management?

Updated: Apr 9

Risk management is the fundamental process of thinking about what bad things may happen; one way to look at it is as the corporate world’s way of documenting fear: something that could happen but may never happen. In the cyber security world, there is a term called FUD (Fear, Uncertainty, and Doubt), which I hate. It is used by vendors to sell products, and I guess the uncertainty and doubt come from a lack of understanding of the fears that are relevant to your business.



This is why risk management is essential; understanding your risks helps you define controls (or not) to protect and/or minimise the impact of the damage these risks may cause.


Risk Management Standards


There are several well-known risk management standards out there, including ISO 27005, ISO 31000, NIST SP 800-30, COSO, and COBIT, as well as threat modelling and risk identification processes like STRIDE, DREAD, and PASTA.


Find one that works for you and adopt it, or define your own process. As long as it is repeatable and the output is consistent, it really doesn’t matter.


So, let’s define some of the key aspects of risk management.


Understanding Risk: Definitions and Concepts


Threats and vulnerabilities are the fundamental reason you are doing risk management. A threat is a constant; it takes advantage of vulnerabilities to cause harm. A simple example would be a thief. A vulnerability, on the other hand, can be lessened or removed, and the level of control you implement should be appropriate to what you are protecting. For instance, an open window is a vulnerability or weakness in your home security: you could simply close the window, or improve security by applying greater controls such as bars or an alarm system.


The thief (threat) takes advantage of the open window (vulnerability) to break in and steal your assets. That is the risk. Threat and vulnerability are just a way of representing it.

How you document this will be determined by your process. You will need some kind of risk register to document your risk (we will explore this more next week in: What is a Risk Register?)

Risk is a basic calculation of impact multiplied by likelihood. There are extensions that can be added to that, but they add complexity to an already complex system. Essentially, most of the extensions add little value, and routine review will ensure any additional factors affecting risk can be accounted for.


Risk scoring. Once you have your threat and associated vulnerability defined, you need to score the risk. This will help you decide whether to do anything. There are many ways to score, but 3x3, 5x5, and HML (High, Medium, and Low) are the most common.

[Figure: Risk Scoring Example. A visual representation of risk scoring using High, Medium, Low or Red, Amber, Green.]

Consistency is key when scoring, so you need a method to ensure it. A dedicated risk analyst/officer can assist with this, as the same person is helping drive scoring. 3x3 and 5x5 are easier mathematically; if you use HML, assign scores to the levels (I tend to use 1, 3 and 5 as values for calculating risk). HML still provides understandable terms for everyone to use without having to quantify a value.

All risks should have an owner, and that person should have enough authority to make decisions on that risk.
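As an added example (not code from the original post), the scoring rules above can be written down so that every risk in a register is scored the same way: impact multiplied by likelihood, with High/Medium/Low mapped to 5/3/1 as the post suggests, or a 3x3 or 5x5 numeric scale. The register entries, the `Risk` type, the band cut-offs (High from 15, Medium from 5 on HML and 5x5; High from 6, Medium from 3 on 3x3) and the owner check are assumptions constructed for this example.

```python
"""Consistent risk scoring for a small risk register (added example)."""
from dataclasses import dataclass
from typing import Union

Level = Union[str, int]

# Numeric values for High/Medium/Low, as used in the post.
HML_VALUES = {"H": 5, "M": 3, "L": 1}

# Minimum product for each band, per scale. These cut-offs are an
# assumption for this example; pick your own and apply them consistently.
BANDS = {
    "HML": (("High", 15), ("Medium", 5)),  # possible products: 1,3,5,9,15,25
    "3x3": (("High", 6), ("Medium", 3)),   # products 1..9
    "5x5": (("High", 15), ("Medium", 5)),  # products 1..25
}


@dataclass(frozen=True)
class Risk:
    ref: str
    threat: str
    vulnerability: str
    impact: Level
    likelihood: Level
    owner: str = ""


def level_value(level: Level, scale: str) -> int:
    """Convert a scored level to its numeric value under the chosen scale.

    Anything off-scale is rejected, so a register cannot mix methods."""
    if scale == "HML":
        key = str(level).strip().upper()[:1]
        if key not in HML_VALUES:
            raise ValueError(f"expected H/M/L, got {level!r}")
        return HML_VALUES[key]
    size = {"3x3": 3, "5x5": 5}[scale]
    value = int(level)
    if not 1 <= value <= size:
        raise ValueError(f"expected 1..{size} on scale {scale}, got {level!r}")
    return value


def risk_score(risk: Risk, scale: str = "HML") -> int:
    """Risk = impact x likelihood, as the post defines it."""
    return level_value(risk.impact, scale) * level_value(risk.likelihood, scale)


def risk_band(score: int, scale: str = "HML") -> str:
    """Map a numeric score back to High/Medium/Low for reporting."""
    for name, floor in BANDS[scale]:
        if score >= floor:
            return name
    return "Low"


def validate(register, scale: str = "HML"):
    """List problems: every risk needs an owner and on-scale levels."""
    problems = []
    for r in register:
        if not r.owner.strip():
            problems.append(f"{r.ref}: no owner assigned")
        try:
            risk_score(r, scale)
        except ValueError as err:
            problems.append(f"{r.ref}: {err}")
    return problems


def rank(register, scale: str = "HML"):
    """Score every risk with the same method and order them highest first."""
    scored = []
    for r in register:
        s = risk_score(r, scale)
        scored.append((r.ref, s, risk_band(s, scale)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register using the post's home-security analogy.
SAMPLE_REGISTER = [
    Risk("R1", "thief", "open ground-floor window", "H", "M", owner="Householder"),
    Risk("R2", "thief", "locked window, no alarm", "H", "L", owner="Householder"),
    Risk("R3", "storm", "loose roof tile", "M", "M", owner=""),
    Risk("R4", "thief", "garden shed unlocked", "L", "H", owner="Householder"),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_REGISTER):
        print("WARNING:", problem)
    for ref, score, band in rank(SAMPLE_REGISTER):
        print(f"{ref}: score={score:2d} band={band}")
```

Running the block scores the sample register (R1 scores 15 and bands High; R3, R2 and R4 band Medium) and flags R3 for having no owner. The point of `level_value` rejecting off-scale input is the consistency the post asks for: a register that silently accepts "4" under HML, or "7" under 3x3, has already stopped scoring everything the same way.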


Importance of Risk Management in Business


Risk management is a critical aspect of business operations. It helps to understand what is needed to protect the organisation from potential threats and vulnerabilities. By identifying these risks, they can be mitigated proactively to protect the business’s assets.


I firmly believe that risk management should form the basis of all your decisions. This goes beyond cyber security: if you have no risk or opportunities (yes, risk can bring opportunities), what are you spending time and money on trying to fix/prevent?


Benefits of Implementing a Risk Management Strategy


A risk management strategy allows for consistent, successful, and routine identification and management of risks and opportunities. To be effective, risks need to be scored consistently. This ensures that each risk is managed appropriately, reducing bias, which can result in resource overspending.


