This is a generic article (i.e. not security risk-specific) written by Julian Talbot. Julian is a member of the SECTARA Expert Advisory Board and writes widely on issues of security risk, but also on ISO 31000 best practices; it is included here for its close links to security risk governance.
Section 4 of ISO31000 opens with the simple statement that “The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.”
We’ll go even further, and say that the risk management framework is the heart of organizational risk management. It might be tempting to overlook this portion of ISO31000, or to downplay its significance and jump straight to Section 5: Process, but that would be a mistake. No matter how much you and your organization know about risk, no matter how excellent your latest risk assessment is and despite an outstanding risk treatment plan, unless an organization has a well-structured and appropriate risk management framework it will not have a sustainable risk management system.
Of all the elements of ISO31000, building the risk management framework deserves primacy for this is where policy, mandate, organizational commitment and structure set the scene for ongoing successful application of risk management. And it isn’t a one-time event. Like most of risk management, it is an iterative, adaptive process and as you can see from Figure 1, the authors of ISO31000 clearly intended it to be a cyclical process.
At the very least a framework should provide you with guidance regarding how your organization manages risk and in particular provide:
• A centralized and comprehensive source of risk policy, procedures and information.
• A consistent taxonomy for classification and prioritization of risk.
• Automated (or at least consistent) workflow for risk management.
• An auditable paper trail of records, decisions made and changes.
Putting this into action, however, isn’t a simple task. If you consider what actually needs to go into it, the following graphic and our next blog entry offer a couple of suggestions.
The three most important elements in actually turning risk management theory into risk management practice will inevitably be training, training and more training. How you put together the underlying framework for your organization, however, will depend on your context and existing management systems. Whatever result you end up with, it’s likely to include three common elements: Direction, Systems and Execution. I built this framework for a large Commonwealth government department a few years ago, and part of the brief was that it had to be easy to grasp the underlying principle.
DIRECTION is set by the Executive management team and in order of priority is based on:
- Organizational objectives, vision and mission (i.e. the reason for the organization’s existence).
- A risk assessment based on those objectives.
- A risk treatment plan to support achievement of the objectives (which might also be known as a Strategic Plan, Operational Plan, etc.).
SYSTEMS are the management infrastructure that provides technical and policy guidance for implementation of the organization’s plans and uses four core elements:
- Policies and Management Standards – set the high-level expectations and guide decision making.
- Procedures and Guidelines – provide the step-by-step process flows to implement the policies, as well as some general guidance about how to interpret high-level policy or standards.
- Work Instructions – provide task specific detailed instructions for each step in the process flow.
- Forms, Templates & Tools – are the specific tools and documentation that people will use to identify, assess and document risks.
EXECUTION is the phase where the plans, policies and objectives that have been so carefully developed are finally implemented, using three phases of this process:
- Training Needs Analysis – involves identifying what people need to know in order to implement the ‘Systems’ previously developed.
- Training & Implementation – involves delivering the training that your people will need so that they can begin to correctly implement the various elements that support organizational objectives.
- Reporting, Monitoring & Review – are the final elements that close the feedback loop, assess how effective the framework is and provide appropriate feedback for continuous improvement.
You’ll find this concept illustrated in Figure 2 below. It’s a relatively simple example of a framework but is easy enough to explain to people and equally importantly is highly scalable.
Figure 1: Illustrative Example of a Risk Management Framework
Figure 1 is a relatively simple risk management framework. There are, of course, many ways to view risk and the interactions of the various elements involved. It’s not the intention to provide a single ‘perfect’ risk management framework – you need to work that out for yourself!
All the best, Julian Talbot
SECTARA Advisory Board Member