The Changing Nature of Risk Management … and the need to quantify your risk management approach
Companies today face all sorts of risks. Supply chain and third-party risk are now becoming a top of the house risk discussion topic due to Covid, Solar Wind, FireEye, and the Suez Canal incident. And this risk is only increasing as organizations strive to operate more globally, leveraging third parties, building dependencies and operating in an eco-system of mutual interdependency. This all results in business relationships becoming more complex – and complexity introduces more vulnerabilities, more threats and increased risks. Managing the risks associated with these relationships while not hindering business speed is a critical challenge for today’s leaders.
This challenge is only compounded as digitalization, globalization and significant improvements to supply chain management -technical capabilities such as multi-cloud platforms, blockchain, RFID tracking-. In this interdependent world, this larger set of supply chain, third party interactions result in the increased exchange of business sensitive data, including client and employee PII, introducing increased risk to the organization.
The challenge is to balance the business advantages and opportunities of a larger and more complex eco-system interactions with secure digital transactions, secure access and protected data.
To be truly optimized and to address these issues, companies are moving to a more quantitative approach to identify and reduce risks. To better understand their risk exposure and expected loss in supply chain risk, companies are striving to understand their threats. By understanding threats and threat actors, organizations can better understand threat actors’ capabilities, asset targets and potential impacts, the basic elements of risk management.
Additionally, we want to identify probable risks against the total population of possible risks. This is clearly both cost prohibitive and not particularly effective. To adjust to this ever-increasing complex operating environment, organizations today are turning to a quantifiable methodology to identify, manage and reduce risks. They are adopting the FAIR (Factor Analysis of Information Risk) model. Risk quantification using FAIR, allows us to decompose risk into the probability of a threat and the costs of that threat realised to an asset. By looking at risk in terms of Threats, Assets and Effect, all of which are measurable, we can quantify the impact of the risk(s).
And by quantifying the risk, we can now make fact-based decisions, based on cost / benefit analysis on which of our third-party relationships present the highest risks to our organization. By combining risk quantification with a mature and effective third-party risk management program, we can focus our resources on the highest of high-risk transactions and relationships.
We direct our investments to provide the best return (reduction of risks).
By adopting a quantitative risk-based approach, organizations are better equipped to focus their investments, address critical skill gaps, determine whether their control frameworks are effective and provide for business justification for their security spend. This results in actual risk reduction and it focuses investments on the top priorities.
Executives, boards, shareholders and regulators are demanding better risk management. And better risk management requires better data and a measurable framework. FAIR is based on the premise that effective risk management starts with these assumptions.
CISOs and CIOs can now provide their Board members and executive risk committee members with data-based answers to the following concerns:
-
Yes, we know our top risks and have quantified them. We have identified the degree of uncertainty with respect to a threat materializing.
-
We know the material impact if the risk event occurs
-
We know the expected loss, given the current residual risk
-
We have an understanding of the likelihood of an event occurring
-
We can provide a data-based business justification for managing those risks.
Our point of view is improved risk management requires better data on vulnerabilities, threats and risks across the enterprise and across the end-to-end supply chain. IBM Security has developed an integrated, risk-based, programmatic framework for managing third-party relationships and risks based on risk quantification.
Our goal is to embed security at each ecosystem layer, to protect the movement of goods and data in applications and on the cloud. The more organizations can address security risks and challenges in a quantitative manner, the more likely they will be effective in reducing risks. Afterall, the goal of risk management is to make better decisions under conditions of uncertainty that actually reduce risk.
Jill Broom
Jill Broom
Jill leads the techUK Cyber Resilience programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Website:
- www.techuk.org/
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Annie Collings
Annie Collings
Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023.
In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.
Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/
Tracy Modha
Tracy Modha
Tracy supports the marketing of several areas at techUK, including Cyber Exchange, Central Government, Cyber Resilience, Defence, Education, Health and Social Care, Justice and Emergency Services, Local Public Services, Nations and Regions and National Security.
Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!
Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!
- Email:
- [email protected]
- Phone:
- 02073312000
- Website:
- www.techuk.org
- LinkedIn:
- https://www.linkedin.com/in/tracymodha83