Prioritizing Risk — RockCyber


Last time I spoke about the second point under COSO's Performance principle, which is assessing the severity of risk. This week we move on to the third Performance point, prioritizing risk.

The Performance component has five points:

  1. Identifies risk

  2. Assesses the severity of risk

  3. Prioritizes risks

  4. Implements risk responses

  5. Develops a portfolio view

Now that cyber risks have been identified, assessed and documented in the risk register, your organization faces the critical task of prioritizing them. Again, not every risk can be fully addressed all the time; that would not be an effective allocation of capital and resources.

Does the assessed cyber risk fall within your organization's risk appetite and risk tolerance? If so, your organization will likely accept the risk.

If not, a decision must be made to respond to or remediate the risk.

If the cyber risk is likely to affect the organization's ability to achieve its strategic goals, it must be escalated to the ERM team for inclusion in the enterprise risk register, so that it is assessed alongside the enterprise's other risks.

Each organization's ERM team will use different factors to assign risk priority, but these factors will include:

  • Determining total risk exposure based on impact and likelihood

  • Analyzing the cost/benefit of applying a risk response (don't spend a dollar to save a penny)

It is important to note three things:

  1. Dollar values and scales for risk exposure are specific to each organization and are usually set by the Risk Committee, or by the executive leadership team in a smaller organization.

  2. Scales can be shifted according to the organization's risk appetite and may look like a bell curve, where the largest part of the range falls into the "medium" (or "moderate") category.

  3. A specific metric often quantifies the impact (e.g. a $5 million negative impact on EBITDA, or a total cost of $2.5 million to recover from the risk event).

Work with your ERM team to make sure they prioritize cyber risks at the business unit level and at the enterprise level using the same methodology. Scales may differ from one business unit to another, but the same methodology must always be applied.

Finally, speaking the same risk language throughout the organization, and ensuring your cybersecurity team follows suit, has four main advantages:

  1. Creates an organization-wide risk taxonomy

  2. Enables a summarized, prioritized enterprise risk register that informs executives and the Board of critical risks

  3. Facilitates the cost/benefit analysis of applying risk responses

  4. Raises the profile of the cybersecurity team within the organization by demonstrating an understanding of where cybersecurity sits within the company's overall risk profile

Next time, we'll talk about implementing risk responses.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we will set something up.

Have a nice week!


About Your Trusted Cybersecurity Partners
