Begin with the end in mind
You may be familiar with Stephen Covey’s 2nd habit of highly effective people, “Begin with the end in mind.” I’m going to borrow that and refine it for our purposes. Specifically, we have to be clear on what the objective of any risk management program should be: to cost-effectively position the organization to experience an acceptable frequency and magnitude of loss events. If we can agree on that (and I’ve yet to hear a logical argument against it), then we can begin to approach prioritization effectively.
So what frequency and magnitude of loss event scenarios is the organization trying to manage? Are they like what we saw in Part 1’s “risk list”? No, clearly not. A cyber criminal is not a loss event scenario, nor are cloud computing, web application vulnerabilities or social engineering. About the closest we came in that list to a loss event scenario was “data leakage,” but even that is unlikely to be specific enough to be useful for a top ten list. My point is, what we are trying to manage is the materialization of loss event scenarios, not the existence of vulnerabilities, threats, or technologies.
From this recognition, it should be clear that any list of “top risks” (which could also be referred to as “top loss scenarios”) needs to be comprised of those loss event scenarios that represent the greatest potential for harm to the organization. In Part 4 of this series, I’ll share some ideas on how to create a taxonomy for your loss event landscape so that you can more easily identify and measure these scenarios.
What about critical control elements like user awareness, third party risk management, and web application vulnerabilities? If these or other risk management program elements are seriously deficient, shouldn’t they be in the list too? No. They should make up an entirely different “top ten” list (like “top risk management deficiencies”) because they are fundamentally different and cannot be prioritized against the top loss event scenarios.
Remember what I pointed out in Part 2 of this series: in order to compare and prioritize two or more things, those things should be largely independent of one another. Major risk management deficiencies very often (if not always) affect the top loss event scenarios to some degree.
So the bottom line is that instead of one list, I strongly advocate that organizations maintain two:
- one for top loss event scenarios
- one for its most critical risk management deficiencies
Besides clarifying the fundamental nature of an organization’s risk landscape, distinguishing these two dimensions enables an organization to recognize if or to what degree any risk management deficiencies affect its most significant loss exposure scenarios.
As promised above, the next post in this series discusses creating a taxonomy of an organization’s loss event landscape as a first step towards identifying its “top risks”.