In honor of ISACA’s 50th anniversary, this column seeks to provide tips on an area of risk management that has been very slow to change—quantitative risk and decision analysis. Risk, by definition, is a forward-looking activity designed to help an enterprise plan for and react to unforeseen impacts. The objective of risk identification is to identify all risk, not to eliminate risk scenarios from consideration or to develop solutions for mitigating specific types of risk—those steps are carried out during the risk analysis and risk response processes. Emerging risk and unique risk such as cyberrisk may not be sufficiently represented by conventional qualitative methods of risk assessment and management. These new types of risk also illustrate the interconnected nature of threat, risk, crisis and disaster, and how discrete events can be triggers for additional risk or cascading risk within the tightly interconnected and technology-dependent systems in which most enterprises operate.
Here are some tips to improve each step of the risk management process with some suggestions for quantitative analysis methods and better decision-making techniques:
- Set the context for risk management—This means the areas, functions, business units or other scope are chosen for the proactive identification of risk. Scenario analysis is helpful in this step of the process because it allows brainstorming, discussion and assumptions about risk scenarios to be transparent. The other analysis technique that is useful in this phase is the development of organization-specific impact criteria. Impact criteria give risk meaning and help the enterprise set organization-specific risk appetites or risk tolerances. Impact criteria apply to the enterprise and reflect the areas that are most relevant to the business or mission objectives. A good general starter set of impact criteria should, at a minimum, include financial, productivity, business interruption tolerances, tangible losses, physical security, life, health and safety, fines, and legal penalties.
- Identify threats, conditions, areas of concern or known risk to business or mission objectives—Often there is not a proactive risk identification process in an organization, which means there is no way to raise an area of concern to the proper level in the organization for decision-making. In my work with boards or governance committees, risk is often raised up through the audit process rather than a proactive risk identification process. In every single realized risk, crisis or incident that I have analyzed in my career, someone knew there was a condition or circumstance that could lead to something bad happening, but there was no way for them to articulate it or raise a concern that could then be subject to the analyses processes and requisite decision-making techniques.
- Perform some assessment (usually qualitative) or analysis (usually quantitative) on the threat, condition or concern to decide on a course of action—Threats, conditions or concerns that are assessed or analyzed to potentially have a significant enough impact on the business if realized may also be evaluated for probability of occurrence. My preference for analysis in this phase of the process is to use the maximum foreseeable loss (MFL) or the maximum probable loss (MPL) analysis methods as these methods are able to help management understand the total financial impact on the enterprise should the risk be realized. MFL and MPL are best coupled with a thorough set of relevant risk scenarios with well-stated assumptions.
- Develop a risk register based on risk tolerance—If a risk is out of tolerance with the impact criterion (developed previously), the risk is entered into a list of risk, sometimes called a risk register, and a plan of action for a next step or response can be determined. This step in the risk management process often requires further analysis of the risk factors to determine an effective course of action or cost-justification for a plan of remediation. My preference for decision analysis in this phase of the process is to use a Monte Carlo modeling and simulation analysis to rank-stack, or prioritize, the list of risk in a risk register for appropriate responses. Monte Carlo simulations view risk as a function of likelihood (frequency of something happening) and impact. Although these may be important measures, likelihood and impact are not the whole picture. Unlikely events occur all too often, and many likely events never materialize. Using this method can be particularly unhelpful for making risk transfer decisions if coupled with annual loss expectancy (ALE). ALE spreads the MPL over a time horizon that may distort or minimize the actual financial losses that would be realized if the risk was realized. For example, using a Monte Carlo simulation for a given scenario determines the impact of a specific cyberrisk to be US$350 million should it occur. Combining the result of the Monte Carlo model analysis of US$350 million with ALE of the probability of this risk materializing once every 10 years spreads the US$350 million impact over a period of 10 years. This specific cyberrisk then gets put on the risk register as a potential US$35 million loss, which could be in tolerance for the organization. However, when the specific cyberrisk that was modeled actually materializes in a given year, the enterprise has a loss event of US$350 million, not US$35 million. The organization might have responded with different mitigation or risk transfer options had it known of the full potential magnitude (MFL) of the loss before it materialized.
- Monitor “risk under management”—"Risk under management” is then monitored, reported upon or closed when the risk is deemed to be in an acceptable range for the enterprise. In this stage of risk management, one analysis technique that is helpful is the development of risk indicators. My preference for developing risk indicators, some of which might result in key risk indicators, is to use 2 methods: root cause analysis (RCA) and Goal-Question-Indicator-Metric (GQIM). Both methods help with the feedback loop that is needed to improve the risk management process.
I hope these methods will spark a fresh look at your risk management processes. Stay tuned for more details on risk management and practitioner analysis techniques in the future as ISACA refreshes The Risk IT Framework and The Risk IT Practitioners Guide.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.