cfotechoutlook

The Quintessential Technology Source for Corporate Financial Professionals

November 2020

The trick to understanding risk from an enterprise perspective is to speak the same language as the business.

Risk Management professionals focus on the impacts of processes and process changes, the likelihood that bad things will happen, and the opportunities available to mitigate risk (which means to reduce the likelihood of bad events and the impact those bad events would have if they do happen). Operational Risk generally leverages a qualitative analysis to provide a view into risk, though it will use quantitative metrics wherever possible to corroborate its conclusions. Credit Risk, Market Risk, and Liquidity Risk professionals view risk in almost purely quantitative metrics, as these disciplines are the most mature risk management processes with the most direct relationship to mathematics. Model Risk is a hybrid; involving risk relating to both data and business rules, it uses quantitative and qualitative analysis equally. Regulatory Risk focuses on the risk of not complying with specific requirements and is more control-centric in nature; this is closest to how you probably view risk as an Information Security professional.

Reputational Risk applies to all of these risk categories in some way or another. Some companies look at Reputational Risk as a separate discipline while others aggregate Reputational Risk into its own category.

How To Speak Business Risk

A common taxonomy for assessing and managing risk is in order. Here are the basics:

· The product of Likelihood and Impact with no Controls is the Inherent Risk score.
· The product of Likelihood and Impact, as recalculated given the effectiveness of existing Controls, is the Residual Risk score.
· You can do one or more of the following actions to manage the residual risk:
  a. Mitigate Risk - add more controls or strengthen existing controls to be more effective against the risk
  b. Accept Risk - live with the existing level of residual risk, with a business justification and proper approvals (often used to address short-term risk)
  c. Transfer Risk - purchase adequate insurance to protect against excessive business impact due to an actual negative event occurrence
  d. Avoid Risk - remove the business process, system, or resource that causes the risk (e.g., retire a business product, legacy application, or vendor relationship)

You may be surprised to find that those dealing with these different risk categories are struggling as much as you are to understand each other in a common way.

Conclusion

Your best bet for finding common ground is to speak the language of these business risk categories. While you may be used to a more security-centric view of risk (threats and vulnerabilities counteracted by controls), try to view risk as a mathematical product of likelihood and impact, lessened by varying degrees of controls. A common taxonomy will help the business understand how you fit into their world and increase understanding of the risks you are trying to mitigate. You do not need to abandon your technical frameworks to make this happen; instead, use them to build your control sets and find a standard way to measure the effectiveness of those controls. Normalizing your risk assessments in this way will also help you leverage your Integrated Risk Management reporting system more effectively, so that your risks are included in the enterprise aggregated view of risk.

Eric Bonnell
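The taxonomy under "How To Speak Business Risk" can be turned into a small scoring model. The following is an added illustration, not code from the article or its author: it assumes 5-point likelihood and impact scales, expresses each control's effect as a fraction scaled by its measured effectiveness, and uses assumed appetite and avoidance thresholds to pick one of the four treatments.

```python
from dataclasses import dataclass, field

# Assumed scales: likelihood and impact are 1 (lowest) to 5 (highest), so inherent risk is 1..25.

@dataclass
class Control:
    name: str
    cuts_likelihood: float   # fraction of likelihood removed when the control works perfectly
    cuts_impact: float       # fraction of impact removed when the control works perfectly
    effectiveness: float     # how well the control actually operates, 0..1 (from testing)

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

def inherent_risk(r: Risk) -> int:
    """Likelihood x Impact with no controls applied."""
    return r.likelihood * r.impact

def residual_factors(r: Risk) -> tuple:
    """Likelihood and impact after applying each control, scaled by its effectiveness."""
    like, imp = float(r.likelihood), float(r.impact)
    for c in r.controls:
        like *= 1.0 - c.cuts_likelihood * c.effectiveness
        imp *= 1.0 - c.cuts_impact * c.effectiveness
    return max(like, 1.0), max(imp, 1.0)   # never drop below the floor of the scale

def residual_risk(r: Risk) -> float:
    """Likelihood x Impact recalculated for the existing controls."""
    like, imp = residual_factors(r)
    return round(like * imp, 2)

def treatment(r: Risk, appetite: float = 6.0, avoid_above: float = 15.0) -> str:
    """Choose among the article's four treatments; thresholds are assumed, not from the page."""
    like, imp = residual_factors(r)
    score = like * imp
    if score <= appetite:
        return "accept"      # within appetite: record justification and approvals
    if score > avoid_above:
        return "avoid"       # controls cannot bring it into range: retire the process/system
    if imp >= 4.0:
        return "transfer"    # impact still severe: insure against the business loss
    return "mitigate"        # otherwise add or strengthen controls

# Constructed example: an internet-facing legacy application with two existing controls
legacy_app = Risk("legacy-app exposure", likelihood=4, impact=5, controls=[
    Control("web application firewall", cuts_likelihood=0.5, cuts_impact=0.0, effectiveness=0.8),
    Control("tested backups", cuts_likelihood=0.0, cuts_impact=0.4, effectiveness=1.0),
])
```

For the constructed case the inherent score is 20, the residual score is 7.2, and the recommended treatment is "mitigate"; with no controls the residual score stays at 20 and the model recommends "avoid".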