Risk management is a forward-looking activity used to reduce uncertainty when making decisions that may impact an enterprise’s ability to meet its strategic objectives. An analysis technique that is useful in improving risk scoring or rating is the development of organization-specific impact criteria. Impact criteria apply to the whole enterprise rather than a specific information, communications or technology asset, and reflect the areas that are most relevant to the business or mission objectives. A good starter set of impact criteria should, at minimum, include categories for financial, productivity, business interruption or system availability tolerances, tangible losses (e.g., property, machinery, equipment), physical security, life, health, safety, fines and legal penalties.
Steps taken during risk assessment and risk management involve identifying an area of concern (a threat or set of conditions) and determining the likelihood of the organization being impacted by that concern (realized risk). Assigning a score or rating, which is a small subset of the activities in the risk management process, is discussed here. For a primer on the overall risk management process, please see the ISACA® white paper, Getting Started With Risk Management.
The development of impact criteria gives meaning to risk and helps the enterprise set or modify organization-specific risk appetites or risk tolerance. Criteria may be qualitative or quantitative in nature. One reason for developing impact criteria with defined quantitative ranges (thresholds) is that the criteria can act as inputs to, or double-checks of, the risk-appetite and risk-tolerance statements.
Current practice in risk analysis is to use various scales of qualitative and quantitative criteria to decide how to rate or score a risk. The reason for assigning a qualitative or quantitative label to a risk is to better reflect the priority of a risk so that a decision can be made about whether to act on an identified risk.
Here are some tips for making risk rating or scoring more meaningful to your organization:
- Begin by reading the enterprise strategy or objectives to gain a better understanding of what is important to the specific enterprise. Depending on the industry, economic sector, public or private mission, or type of business, there are unique risk types that have the ability to impede the objectives from being met. Are there any objectives, regulatory requirements, or service level agreements that would provide inputs to the development of a risk appetite or tolerance range of values?
- Are there risk appetite statements that have been developed or published in your organization? Risk tolerances, control limits or boundaries, and risk thresholds, where your organization has defined them, are other data points that can inform scoring and prioritizing risk in the risk analysis step. Many enterprises have risk appetite statements related to financial risk or compliance risk. Look for statements that indicate a value that can be used as a starting point to develop impact criteria. For example, if an organizational risk appetite statement has zero tolerance for fraud and there were 5 fraud events in the past 12 months, then the appetite statement may need revising to match the real risk of fraud.
- When quantitative values (e.g., estimated ranges, financial amounts, time) are used to define qualitative values, or when only quantitative values are used, it is a quantitative analysis. For example, many organizations currently using a measurement scale of high, medium and low will arbitrarily assign the rating scale to the numbers 1 (high), 2 (medium) or 3 (low) to rank a list of risks. Using a numeric scale to plot identified risk on a chart does not equal quantitative risk analysis.
- In many organizations, the x and y axes on a typical risk heat map are labeled “probability” and “impact.” Organizations will sometimes argue about whether the heat map scale should be 5x5 or 3x3, or even 5x2. I suggest the scale does not matter much if the criteria used to score a risk are not based on actual data, control limits, calibrated estimates or other business impact criteria that are more objectively meaningful. Another good source of thresholds or tolerances is the business impact analyses (BIAs) developed for operational and business continuity planning purposes.
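To make the tips above concrete, here is an added worked example (not code from the post or from ISACA) of what organization-specific impact criteria with quantitative thresholds look like in practice. The categories, threshold values, likelihood bands and appetite statements are all constructed for illustration; a real enterprise would derive them from its objectives, SLAs and BIAs. The example maps a quantitative estimate to a qualitative rating through the criteria rather than assigning 1/2/3 arbitrarily, places the risk on a heat map from that rating, and checks observed 12-month data against appetite tolerances, reproducing the zero-tolerance-for-fraud case from the tips.

```python
from math import inf

# Constructed impact criteria (hypothetical values, not from the post): for each
# category, ascending (upper_bound, rating) pairs. A rating is the first band
# whose upper bound the estimate does not exceed. Replace the values with ones
# derived from your enterprise objectives, SLAs and BIAs.
IMPACT_CRITERIA = {
    "financial_loss_usd": [(10_000, "low"), (250_000, "medium"), (inf, "high")],
    "outage_hours":       [(4, "low"),      (24, "medium"),      (inf, "high")],
    "safety_injuries":    [(0, "low"),      (1, "medium"),       (inf, "high")],
}

# Likelihood bands expressed as expected occurrences per year (also constructed).
LIKELIHOOD_BANDS = [(0.1, "rare"), (1.0, "possible"), (inf, "likely")]

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD_RANK = {"rare": 1, "possible": 2, "likely": 3}

# Hypothetical risk appetite statements, each with a quantitative tolerance:
# the maximum count (or hours) the enterprise accepts per 12 months.
RISK_APPETITE = {"fraud_events": 0, "unplanned_outage_hours": 24}


def _band(bands, value):
    """Return the label of the first band whose upper bound covers value."""
    for upper, label in bands:
        if value <= upper:
            return label
    raise ValueError(f"no band covers {value!r}")


def rate_impact(category, estimate):
    """Qualitative impact rating for one category, derived from its thresholds."""
    if category not in IMPACT_CRITERIA:
        raise KeyError(f"unknown impact category {category!r}")
    return _band(IMPACT_CRITERIA[category], estimate)


def rate_likelihood(events_per_year):
    """Qualitative likelihood rating from an estimated annual rate of occurrence."""
    return _band(LIKELIHOOD_BANDS, events_per_year)


def assess_risk(name, estimates, events_per_year):
    """Score one risk against the criteria.

    estimates: {category: quantitative estimate of impact if the risk materializes}
    The overall impact is the worst category rating; the heat-map cell is
    (likelihood, impact) and the score is the product of the two ranks, so
    the number is traceable back to the thresholds rather than assigned by hand.
    """
    ratings = {cat: rate_impact(cat, val) for cat, val in estimates.items()}
    impact = max(ratings.values(), key=IMPACT_RANK.__getitem__)
    likelihood = rate_likelihood(events_per_year)
    return {
        "risk": name,
        "ratings": ratings,
        "impact": impact,
        "likelihood": likelihood,
        "heat_map_cell": (likelihood, impact),
        "score": IMPACT_RANK[impact] * LIKELIHOOD_RANK[likelihood],
    }


def appetite_exceeded(observed):
    """Compare observed 12-month data with the appetite tolerances.

    Returns {statement: (observed, tolerance)} for each statement that was
    exceeded, which is the signal that either the appetite statement or the
    controls behind it need revisiting.
    """
    return {stmt: (observed[stmt], tol) for stmt, tol in RISK_APPETITE.items()
            if observed.get(stmt, 0) > tol}


if __name__ == "__main__":
    # Constructed estimates for one hypothetical risk.
    result = assess_risk(
        "ransomware on the ERP system",
        {"financial_loss_usd": 400_000, "outage_hours": 48, "safety_injuries": 0},
        events_per_year=0.5,
    )
    print(result)
    # Constructed observation matching the fraud example: zero tolerance, five events.
    print(appetite_exceeded({"fraud_events": 5, "unplanned_outage_hours": 10}))
```

Because every rating is a function of a threshold, changing a threshold (say, after a BIA revises the tolerable outage window) re-scores every risk consistently, and the appetite check turns the "five fraud events against a zero-tolerance statement" conversation into a routine comparison of observed data with the published tolerance.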
As the impact criteria become refined over time, distinguishing the types of risk that would result in immediate direct costs vs. future loss of revenue or liabilities to the organization may also be useful.
Many organizations are continually attempting to reduce their susceptibility to a threat, decrease the probability of a risk materializing or reduce the impact to the organization from the risk once it has occurred. For this reason, it is important to continue to refine the criteria used to rate or score risk in a way that is meaningful and connected to the strategic objectives of the enterprise.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.