Risk Management Regime: Framework, policies & procedures

What is the risk?

Taking risk is a necessary part of doing business in order to create opportunities and help deliver business objectives. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately, to a level consistent with the risks the organisation is, or is not, willing to tolerate. Failing to identify and manage risk can lead to business failure.



Principle of Risk Management

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.

  • There is no single blueprint for cyber security and therefore organisations need to take steps to determine security risks that could affect the delivery of essential services and take measures to appropriately manage those risks.
  • Threats can come from many sources, in and outside the organisation.
  • A good understanding of the threat landscape and the vulnerabilities that may be exploited is essential to effectively identify and manage risks.
  • Such information may come from sources including NCSC, information exchanges relevant to the organisation’s sector, and reputable government, commercial, and open sources, all of which can inform the organisation’s own risk assessment process.
  • Organisations may contribute to the understanding of threats and vulnerabilities in their sector by participating in relevant information exchanges and liaising with authorities as appropriate.
  • There should be a systematic process in place to ensure that identified risks are managed and the organisation has confidence mitigations are working effectively. Confidence can be gained through, for example, product assurance, monitoring, vulnerability testing, auditing and supply chain security.
  • Organisations rely on technology, systems and information to support their business goals.
  • It is important that organisations apply a similar level of rigour to assessing the risks to their technology, systems and information assets as they would to other risks that might have a material business impact, such as regulatory, financial or operational risks.
  • This can be achieved by embedding an appropriate risk management regime across the organisation, which is actively supported by the board, senior managers and an empowered governance structure.
  • Defining and communicating the organisation’s attitude and approach to risk management is crucial.
  • Boards may wish to consider communicating their risk management approach and policies across the organisation to ensure that employees, contractors and suppliers are aware of the organisation’s risk management boundaries.



The Fundamentals of Risk

Risk management exists to help us to create plans for the future in a deliberate, responsible and ethical manner. This requires risk managers to explore what could go right or wrong in an organisation, a project or a service, and to recognise that we can never fully know the future as we try to improve our prospects.

Risk can’t be abolished

The starting point of risk management is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other (classically to either avoid, reduce, transfer or retain). This can be easier said than done, particularly when confronted with a demand to ‘abolish risk’, as if that were an easy and simple option.

Uncertainty is an important part of risk

  • The purpose of risk management is to enable us to make the best possible decisions, based on our analysis of future events and outcomes. The future can be anticipated, but within limits defined by our uncertainty in our analysis.
  • Risk is a part of everything we do. You not only ‘take risks’ that you are aware of, but you also ‘run risks’ that you’re unaware of all the time. This introduces an important point about risk; because of this uncertainty, it is impossible to know and understand all of the risks that any person, organisation or network is running at any one time. You will always run risks that you are not aware of.
  • The purpose of risk management is not to chase the unattainable goal of perfectly secure systems and a risk-free business; it is to make sure that you have thought about what can go wrong, and that this thinking has influenced your organisation’s decisions.
  • Don’t be fatalistic; you can still protect yourself from many cyber attacks, but if something does go wrong, it isn’t always the case that someone is to blame, or that your risk manager missed something.

Compliance ≠ risk management

  • ‘Improving outcomes’ isn’t always the primary driver for carrying out risk management. Often, organisations conduct risk management exercises for ‘compliance’ reasons. Compliance and security are not the same thing. They may overlap, but compliance with common security standards can coexist with, and mask, very weak security practices.