The Changing Nature of Risk Management … and the need to quantify your risk management approach

Companies today face all sorts of risks.  Supply chain and third-party risk are now becoming a top of the house risk discussion topic due to Covid, Solar Wind, FireEye, and the Suez Canal incident. And this risk is only increasing as organizations strive to operate more globally, leveraging third parties, building dependencies and operating in an eco-system of mutual interdependency. This all results in business relationships becoming more complex – and complexity introduces more vulnerabilities, more threats and increased risks. Managing the risks associated with these relationships while not hindering business speed is a critical challenge for today’s leaders.  

This challenge is only compounded as digitalization, globalization and significant improvements to supply chain management -technical capabilities such as multi-cloud platforms, blockchain, RFID tracking-.  In this interdependent world, this larger set of supply chain, third party interactions result in the increased exchange of business sensitive data, including client and employee PII, introducing increased risk to the organization. 

The challenge is to balance the business advantages and opportunities of a larger and more complex eco-system interactions with secure digital transactions, secure access and protected data.   

To be truly optimized and to address these issues, companies are moving to a more quantitative approach to identify and reduce risks. To better understand their risk exposure and expected loss in supply chain risk, companies are striving to understand their threats. By understanding threats and threat actors, organizations can better understand threat actors’ capabilities, asset targets and potential impacts, the basic elements of risk management.   

Additionally, we want to identify probable risks against the total population of possible risks.  This is clearly both cost prohibitive and not particularly effective. To adjust to this ever-increasing complex operating environment, organizations today are turning to a quantifiable methodology to identify, manage and reduce risks. They are adopting the FAIR (Factor Analysis of Information Risk) model.  Risk quantification using FAIR, allows us to decompose risk into the probability of a threat and the costs of that threat realised to an asset. By looking at risk in terms of Threats, Assets and Effect, all of which are measurable, we can quantify the impact of the risk(s).   

And by quantifying the risk, we can now make fact-based decisions, based on cost / benefit analysis on which of our third-party relationships present the highest risks to our organization.   By combining risk quantification with a mature and effective third-party risk management program, we can focus our resources on the highest of high-risk transactions and relationships.   

We direct our investments to provide the best return (reduction of risks).    

By adopting a quantitative risk-based approach, organizations are better equipped to focus their investments, address critical skill gaps, determine whether their control frameworks are effective and provide for business justification for their security spend.  This results in actual risk reduction and it focuses investments on the top priorities.    

Executives, boards, shareholders and regulators are demanding better risk management. And better risk management requires better data and a measurable framework. FAIR is based on the premise that effective risk management starts with these assumptions.    

CISOs and CIOs can now provide their Board members and executive risk committee members with data-based answers to the following concerns: 

• Yes, we know our top risks and have quantified them.  We have identified the degree of uncertainty with respect to a threat materializing. 

• We know the material impact if the risk event occurs 

• We know the expected loss, given the current residual risk 

• We have an understanding of the likelihood of an event occurring 

• We can provide a data-based business justification for managing those risks. 

Our point of view is improved risk management requires better data on vulnerabilities, threats and risks across the enterprise and across the end-to-end supply chain.  IBM Security has developed an integrated, risk-based, programmatic framework for managing third-party relationships and risks based on risk quantification.    

Our goal is to embed security at each ecosystem layer, to protect the movement of goods and data in applications and on the cloud.  The more organizations can address security risks and challenges in a quantitative manner, the more likely they will be effective in reducing risks.   Afterall, the goal of risk management is to make better decisions under conditions of uncertainty that actually reduce risk.  

Dan Patefield

Head of Cyber and National Security, techUK

×

Dan Patefield

Head of Cyber and National Security, techUK

Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.

Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.

Email:

[email protected]

Phone:

020 7331 2165

Jill Broom

Programme Manager, Cyber Security, techUK

×

Jill Broom

Programme Manager, Cyber Security, techUK

Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.

Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments. 

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Email:

[email protected]

Twitter:

@honeybroom

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/jill-broom-19aa824

Annie Collings

Programme Manager, Cyber Security and Central Government, techUK

×

Annie Collings

Programme Manager, Cyber Security and Central Government, techUK

Annie joined techUK as the Programme Manager for Cyber Security and Central Government in September 2023.

Prior to joining techUK, Annie worked as an Account Manager at PLMR Healthcomms, a specialist healthcare agency providing public affairs support to a wide range of medical technology clients. Annie also spent time as an Intern in an MPs constituency office and as an Intern at the Association of Independent Professionals and the Self-Employed. 

Annie graduated from Nottingham Trent University, where she was an active member of the lacrosse society. 

Email:

[email protected]

Twitter:

anniecollings24

LinkedIn:

https://www.linkedin.com/in/annie-collings-270150158/

Raya Tsolova

Programme Manager, techUK

×

Raya Tsolova

Programme Manager, techUK

Raya Tsolova is a Programme Manager at techUK. 

Prior to joining techUK, Raya worked in Business Development for an expert network firm within the institutional investment space. Before this Raya spent a year in industry working for a tech start-up in London as part of their Growth team which included the formation and development of a 'Let's Talk Tech' podcast and involvement in London Tech Week. 

Raya has a degree in Politics and International Relations (Bsc Hons) from the University of Bath where she focused primarily on national security and counter-terrorism policies, centreing research on female-led terrorism and specific approaches to justice there. 

Outside of work, Raya's interests include baking, spin classes and true-crime Netflix shows! 

Email:

[email protected]

Phone:

07712630603

Tracy Modha

Team Assistant - Markets, techUK

×

Tracy Modha

Team Assistant - Markets, techUK

Tracy supports several areas at techUK, including Cyber Exchange, Cyber Security, Defence, Health and Social Care, Local Public Services, Nations and Regions and National Security.

Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!

Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!

Email:

[email protected]

Phone:

02073312000

Twitter:

@TracyModha

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/tracymodha83