No matter how careful or diligent you are, risk is going to be a part of your business landscape. Those risks can range from a natural disaster to a cybersecurity threat, from a compliance violation to uncertainty in the financial market. While you can’t prevent your organization from facing risks, or even every type of risk, you can manage the effect risk will have in your business operations.
Executives shouldn’t question whether or not they should deploy risk management software; the answer there is if you have risk, the ability to address it should be a high priority. Instead, the question decision makers should ask themselves is how to go about selecting the right risk management platform for their organization.
It Begins with a Strategy
Implementing a risk management tool into your environment can be costly in both money and time, so it is important that you have a strategy in place before rolling it out, Ian McClarty,
president and CEO with PhoenixNAP Global IT Services, advised. “You do not want your strategy to change halfway through your risk tool rollout and have to start from scratch again.”
When building your risk management strategy, McClarty suggested keeping the following considerations in mind:
- What governance, regulatory, or compliance requirements do you have?
- Have you chosen an agreed upon security framework?
- What do you need the tool to do in month 1, 3, 6, 12, etc.?
- Do you want to start your risk management in a specific area of the business and then expand it?
“Risk management is going to look different for every company and you cannot mirror what other businesses do,” McClarty added. “It is important to create a risk management program that works for your needs and satisfies your requirements. Take the time to build a program that your executive management is comfortable with.”
Chris Siegle, director of threat management and incident response for Citrix, agreed, stating that you should ensure that the company’s culture can support its’ risk management strategy, including company-wide communication and collaboration through executive-level sponsorship and long-term incentive structures.
Choosing the Right Tools
Organizations have dozens of risk management platforms to choose from, covering any variety of risk. Some software packages are designed for very specific situations, such as environmental safety, while others will fit any type of industry. There are cloud-based platforms, off-the-shelf platforms, or you can do it yourself with the spreadsheet software you already use. As Andy Kim, director of Risk Solutions with Neustar, noted, the most important thing to keep in mind when investigating platforms is that the primary tool for risk management is a risk assessment.
“Risk assessments come in many forms, but the simplest and the most convenient assessment is created using a Microsoft Excel spreadsheet,” said Kim. “Each line item in the assessment can be associated with the risks you want to assess in order to lay out basic macros to calculate risk. If you’re a large complex organization, Excel isn’t exactly going to scale, so the alternative is an automated risk assessment with a web-based interface and workflow engine.”
The size of your organization, then, will play a key role in how you approach your risk management platform. The strategy you have in place will then come into play to best decide which tools are necessary for your business needs.
“When evaluating tools, we work with our clients to establish both success criteria and requirements criteria,” said Mark Dunaisky, a cyber risk management consultant.
The final evaluation should be based on a combination of price, how close a vendor’s tools match the success and requirements criteria, and how well the tool performs during side by side testing against its closest competitors, Dunaisky added. He suggested comparing a maximum of three products using exactly the same risk that needs to be reviewed across all products, for a minimum of 30 days.
While you can purchase a tool specific for risk management, many tools have expanded to cover Governance, Risk, and Compliance (GRC), McClarty pointed out.
“Companies should compare the features they find in a GRC tool vs. standalone risk assessment tool. Many will find the GRC tool is more expensive but worth time and effort savings you will gain in the long run.”
Plan for Evolution
“Risk management should evolve with and be an integral part of a company’s overall strategic direction and decision-making processes,” said Siegle. The strategy you build should be able to adapt to the changing needs of your organization. Compliance regulations will be updated. New security threats will appear. New technologies will affect business operations. Recognize that your strategies may need to shift over time, and your platform should be able to meet those new requirements.
“If you understand the risks to the company allowing for assignment, ownership, and mitigation of each risk area and know how much risk the company is willing to take to meet its strategic objectives,” said Siegle, “companies can consistently anticipate and proactively respond to risk.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba