Risk Management - Keep it simple

Disclaimer

GRC is a management practice (“Governance”); it is like Sales or Marketing. There is no one book that works for everyone. This is why eramba respects all opinions, because it knows they all might work just fine in different companies depending on their needs, resources, capabilities, culture, etc. Here we provide you with what we think is one method (out of thousands) that works decently well for most.

Theory

Risk Classification

Classifying things into buckets falls broadly into two categories: subjective and deterministic. The first is an opinion; the second is a fact.

  • How many car accidents happen in London on a Thursday morning when it is rainy? That is deterministic; insurance companies have tons of factual data on that and can give you a very precise figure.

  • What is the likelihood of the eramba website being hacked sometime this year? Statistically (ask an LLM to do the math for you), in our case, it is with 95% confidence less than 20% (this means it could be 0% or 6% or 19.99%). That answer is not deterministic; it is probabilistic and tied to a bound.

In cybersecurity, due to the lack of statistical information, likelihood and impact will not be deterministic; they will almost always be probabilistically “disperse” (could be 0% or 19.9%). Remember this word.

Risk Calculation

Everyone wants to put a magic number to a Risk that allows us to compare which one is worse or better. A fair wish, in our view. The problem is that since we are working with disperse numbers, any calculation will be… dispersed.

  • Likelihood: from 0–20

  • Impact: from 5–10

If we apply the simplest possible math to “blend” these two numbers (multiplication) and get one final number, the answer is anywhere between 0 and 200. You see, the original dispersion of a few tens is now… hundreds! The more math and complication you add (divide by asset classification, multiply by my perceived ambient temperature, etc.), the larger the dispersion will be—typically exponentially.

Bummer!
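The growth in dispersion described above, as an added example that is not part of the original post: interval arithmetic over the stated ranges (likelihood 0–20, impact 5–10), plus a check of whether two such score ranges can be ranked against each other at all. The extra “asset classification” factor, the divisor and the second risk are constructed values for illustration.

```python
# Added example (not from the eramba post): propagate "disperse" inputs
# through a risk formula using interval arithmetic, so the output range
# can be compared with the input ranges as more factors are blended in.
from typing import Sequence, Tuple

Interval = Tuple[float, float]  # (low, high)


def mul(a: Interval, b: Interval) -> Interval:
    """Exact bounds of x*y for x in a, y in b (works for any signs)."""
    products = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(products), max(products))


def div(a: Interval, b: Interval) -> Interval:
    """Exact bounds of x/y. A divisor range that touches zero makes the
    result unbounded, which is the worst possible dispersion."""
    if b[0] <= 0 <= b[1]:
        raise ValueError("divisor interval contains zero: dispersion is unbounded")
    return mul(a, (1.0 / b[1], 1.0 / b[0]))


def width(i: Interval) -> float:
    """Dispersion of a range, measured as high minus low."""
    return i[1] - i[0]


def score_range(likelihood: Interval, impact: Interval,
                multipliers: Sequence[Interval] = (),
                divisors: Sequence[Interval] = ()) -> Interval:
    """Range of (likelihood * impact * m1 * m2 ...) / (d1 * d2 ...)."""
    result = mul(likelihood, impact)
    for m in multipliers:
        result = mul(result, m)
    for d in divisors:
        result = div(result, d)
    return result


def can_rank(a: Interval, b: Interval) -> bool:
    """Two risks can only be ordered if their score ranges do not overlap."""
    return a[1] < b[0] or b[1] < a[0]


if __name__ == "__main__":
    likelihood, impact = (0.0, 20.0), (5.0, 10.0)   # the post's own ranges
    base = score_range(likelihood, impact)
    print("inputs widths:", width(likelihood), width(impact))
    print("likelihood x impact:", base, "width", width(base))
    # Constructed third factor ("asset classification" 1-3): width grows again.
    extended = score_range(likelihood, impact, multipliers=[(1.0, 3.0)])
    print("with asset factor:", extended, "width", width(extended))
    # Constructed second risk: overlapping ranges cannot be ranked.
    other = score_range((10.0, 20.0), (2.0, 4.0))
    print("other risk:", other, "rankable against first:", can_rank(base, other))
```

The point to take away is the last line: a score that is “anywhere between 0 and 200” overlaps almost any other score, so the magic number cannot do the one job it was asked to do, which is to say which risk is worse.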

Risk Approval

So imagine you need to ask your CFO for money to deal with risks, and you tell him/her that you need to purchase CCTV cameras to “avoid laptops and documents being lost or stolen in the office”. Your risk score for this is 0-300 points. How on earth is the CFO supposed to know how much money to give you for this?

Imagine the risk “Website could be hacked and display Schwarzenegger nudes”—what is the financial cost of that? No one has a clue how to calculate that because of something called cause-effect. The more “distant” the cause is from the effect, the more disperse the answer becomes.

  • Close Cause-Effect: If I crash my car, I know exactly how much it costs; it is quantifiable, and the cause and effect are close to each other.

  • Distant Cause-Effect: If my website is hacked, the effect can be many things that might lead to issues now or much later.

Conclusion

  1. Classify risks in a way that keeps the dispersion as small as possible
  2. Apply the least mathematical complication

Our recommendation for likelihood is to narrow the criteria to things you know:

  • Low: it has never happened before
  • Medium: it has never happened before, but we feel it could happen
  • High: it has happened before, and we feel it could happen again

As for impact, we suggest working with narrow cause-effect clauses; every C-level knows contracts and laws, and they are very good examples, as both have direct cause-effect situations:

  • Low: no legal, contractual or reputational issues
  • Medium: visible legal and/or contractual and/or reputational issues likely involved
  • High: very visible legal and/or contractual and/or reputational issues involved

With this in mind, we recommend a simple 3x3 matrix where the cells simply help you decide how high in the organization you need to go to decide the money and effort involved in dealing with the risk.

The “Math” is a simple multiplication of these two variables, keeping this as simple as possible. Do you agree that this model will work in your current organisation? Well, the magic of “Governance” kicks in again: you may say yes, you may say no - and guess what? IT'S OK!
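The 3x3 model above, as an added example that is not eramba's own code: likelihood and impact each collapse to Low/Medium/High using the narrow criteria from the lists, the score is the plain multiplication, and each cell maps to who in the organisation has to approve the money. The approver tier names and score cut-offs, the “none / visible / very visible” scale for the impact questions, and the treatment of a risk that has happened before but is not expected to recur (scored High here) are assumptions for illustration.

```python
# Added example (not eramba's code): the "keep it simple" 3x3 risk model.
# Qualitative criteria in, a 1..9 score and an approver out. Tier names,
# cut-offs and the visibility scale are assumptions, not from the post.
from itertools import product

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
VISIBILITY = {"none": 0, "visible": 1, "very visible": 2}   # constructed scale


def likelihood_level(happened_before: bool, feel_it_could_happen: bool) -> str:
    """Low: never happened. Medium: never happened but we feel it could.
    High: it has happened before. Assumption: a prior occurrence is High
    even if nobody expects a repeat (the post does not cover that case)."""
    if happened_before:
        return "High"
    return "Medium" if feel_it_could_happen else "Low"


def impact_level(legal: str, contractual: str, reputational: str) -> str:
    """Each argument is 'none', 'visible' or 'very visible'; the worst of the
    three decides the level, matching the and/or wording of the post."""
    worst = max(VISIBILITY[legal], VISIBILITY[contractual], VISIBILITY[reputational])
    return ("Low", "Medium", "High")[worst]


def risk_score(likelihood: str, impact: str) -> int:
    """The post's "Math": plain multiplication of the two levels (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def approval_level(score: int) -> str:
    """Assumed escalation tiers; the cell decides how high you need to go."""
    if score <= 2:
        return "Team lead"
    if score <= 4:
        return "Department head"
    return "C-level"


def risk_matrix() -> dict:
    """All nine cells: (likelihood, impact) -> (score, approver)."""
    return {(lk, im): (risk_score(lk, im), approval_level(risk_score(lk, im)))
            for lk, im in product(LEVELS, LEVELS)}


def assess(name: str, happened_before: bool, feel_it_could_happen: bool,
           legal: str, contractual: str, reputational: str) -> dict:
    """Run one risk through the model and return the decision record."""
    lk = likelihood_level(happened_before, feel_it_could_happen)
    im = impact_level(legal, contractual, reputational)
    score = risk_score(lk, im)
    return {"risk": name, "likelihood": lk, "impact": im,
            "score": score, "approver": approval_level(score)}


if __name__ == "__main__":
    # Constructed input based on the post's CCTV scenario.
    print(assess("Laptops or documents stolen from the office",
                 happened_before=True, feel_it_could_happen=True,
                 legal="visible", contractual="none", reputational="none"))
    for cell, (score, approver) in sorted(risk_matrix().items(),
                                          key=lambda kv: kv[1][0]):
        print(cell, score, approver)
```

Only the values 1, 2, 3, 4, 6 and 9 can come out of the multiplication, so the whole decision fits in a table that a CFO can read in one glance; the dispersion discussed earlier is gone because every input was forced into a bucket you can actually answer.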
