This is Part 3 of a series on Understanding ISO 27001. The other parts can be found here.
Risk Management is a delicate topic as it tends to draw the perfectionists out of the woodwork.
Clause 6 of ISO 27001 wants you to implement a risk assessment process and a risk treatment process.
I don’t think there can be any argument that risk assessment and risk treatment are two fundamental cogs in the ISO 27001 continuous improvement cycle gearbox.
A lot of ISMS managers get stuck in a never-ending loop: failure to agree on a risk methodology, disagreement on the findings and outcomes, and general disengagement with a process that is either too cumbersome and time-consuming, or too inaccurate to gain senior stakeholder acceptance.
This trap is set because of poor expectation setting by the ISMS manager in the first place. If you see your role as getting to a correct answer, then you will be endlessly trapped in this organisational process loop.
The aim is not to be accurate. The aim is to gain consensus for a group of risks where everyone thinks something should be done about them. There are a number of ways to play this game.
How to win at Risk Management as an ISMS Manager
1. Don’t invent something new
Don’t try to invent something that is not already embedded in the organisation. Chances are, there is a risk assessment methodology already in place somewhere, assessing risk in a totally different area of the business. Find it and replicate it.
If you have many risk assessment methodologies to choose from, look for the one with the greatest senior management traction. Some organisations feel the need to reinvent everything as a method of showing value. You need something that will be accepted as the right way of doing risk management at your most senior governance layer.
Copying something that has already been agreed in that forum is the easiest way to achieve this.
2. Start small and skim cream
You want to agree on the top 5 risks and move those forward. Don’t try to boil the ocean.
Once you have dealt with the top 5 and mitigations are in development, look at the next 5 risks.
Risks will constantly float to the top to replace the ones you are currently addressing.
3. Don’t let lack of agreement get in your way
Set up workshops with the aim of getting to an agreement on the top 5 risks.
When you hit a roadblock, change the number. If you have agreed 4 of the risks, but you are engaged in a fierce debate about the other one, don’t restrict yourself to 5. Once everyone has built their positions, it is perfectly reasonable for you to change yours.
If you have 4 different options for the 5th risk, and everyone has established battle positions on why their risk is the right one to choose, the easiest way to solve this impasse is to move your line so that you create a top 8 (the 4 previously agreed and the 4 that are currently vying for the 5th spot on the list).
This may look like cheating, and in a way it is, but your role is to get consensus, not to be accurate. If that means moving to a top 8 instead of a top 5, this is not something that you want to be dying in a ditch about.
4. Risk Treatment mode
When moving to Risk Treatment mode, there will always be risks that are financially unpalatable.
Your role here is to exhaust all other potential mitigations, like adding a 2nd line review here or increasing monitoring there.
What you need is a commitment to include this in next year’s budget. In the vast majority of cases, this will never happen. But don’t let that put you off.
You want to track the fact that the risk is being actively managed. Just because there is no money for this currently, that is no reason for it to fall off the radar.
5. Risk Governance is key
The Risk Governance process is the most important element of Governance that you need to gain traction on.
You need to wean your management into this process. If your first Risk Governance meeting just asks for lots of money and headcount, you will get nowhere.
6. The first Risk Governance meeting
Your first Risk Governance meeting should propose your top 5 risks (or 8 if you have been creative), seek agreement that those are in fact the top 5 (or 8), and then seek leave to investigate possible mitigations.
The first meeting has to be a full agreement meeting where none of the senior management feel like they have committed themselves to anything.
7. Your second Risk Governance meeting
The second Risk Governance meeting should come back with the proposed mitigations for the top 5 risks.
Each one MUST come with an easy mitigation option. If these top 5 risks are correct, then their mitigation is likely to require loads of cash and lots of people.
But if you have something simple against each one of these risks, that is clearly a quick win type action, your management will accept this without question, as an easy way of doing something without committing to anything extravagant.
8. Slowly accelerate
Slowly, slowly, step it up so you get the Risk Governance meeting agreeing more and more things and gaining confidence that they are not going to be shot at dawn by someone above them for agreeing something ridiculous.
This is at least a six-month exercise and I would recommend running these meetings at least monthly. Any slip-ups, where you lose a rabbit and it scares the others, will potentially require you to go back to square one, so you have to do this slowly.
9. The Endgame
Once you have got this Risk Governance meeting actively escalating risks that require Audit and Risk Committee visibility, then you know you have cracked it.