In this installment of the Risk Management Guide, Shon Harris describes the contents of a risk management policy and provides a sample policy template.
Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management (IRM) policy and a delegated IRM team. Once you've identified your company's acceptable level of risk, you need to develop an information risk management policy.
The IRM policy should be a subset of the organization's overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items:
- Objectives of IRM team
- Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article)
- Formal processes of risk identification
- Connection between the IRM policy and the organization's strategic planning processes
- Responsibilities that fall under IRM and the roles that are to fulfill them
- Mapping of risk to internal controls
- Approach for changing staff behaviors and resource allocation in response to risk analysis
- Mapping of risks to performance targets and budgets
- Key indicators to monitor the effectiveness of controls
The IRM policy provides the infrastructure for the organization's risk management processes and procedures, and should address all issues of information security, from personnel screening and the insider threat to physical security and firewalls. It should provide direction on how the IRM team relates information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.
The IRM policy can be written by outside security consultants, the CISO or the internal security team. The following is an example of a university IRM policy that can be used as a guideline to help in constructing a policy for your organization.
______________ Council has approved the introduction and embedding of risk management into the key controls and approval processes of all major business processes and functions of the University.
Risk is inherent in all academic, administrative and business activities, and every member of the University community continuously manages risk. _____________ recognizes that the aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize and manage the risks involved in all University activities. It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.
____________ acknowledges that risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls -- not to impose risk management as an extra requirement.
The Risk Management Policy has been created to:
- Protect the University from those risks of significant likelihood and consequence in the pursuit of the University's stated strategic goals and objectives;
- Provide a consistent risk management framework in which the risks concerning business processes and functions of the University will be identified, considered and addressed in key approval, review and control processes;
- Encourage proactive rather than reactive management;
- Provide assistance to and improve the quality of decision making throughout the University;
- Meet legal or statutory requirements; and
- Assist in safeguarding the University's assets -- people, finance, property and reputation.
_____________ adopts the Risk Management approach and general methodology specified in the AS/NZS4360:1999 Risk Management Standard.
All ______________ business processes and functions will adopt a risk management approach consistent with the AS/NZS4360:1999 Risk Management Standard in their approval, review and control processes. The generic ____________ risk management approach and methodology for this purpose is as set out in the __________ Risk Management Guidelines, as approved by the Vice-Chancellor from time-to-time.
The responsible manager for each ___________ business process and function shall develop a form of risk management approach and associated documentation appropriate to their domain, which will be approved by the Vice-Chancellor upon recommendation from the Vice-President (Organizational Support).
This policy is applicable to all areas of the University, including:
- Faculties and academic units;
- ________ centers and institutes;
- Administrative units;
- Controlled entities, and entities that are derived from the University's legal status.
Everyone in the University has a role in the effective management of risk. All staff should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.
The Vice-Chancellor will be responsible on behalf of _________ Council for ensuring that a risk management system is established, implemented and maintained in accordance with this policy.
The Audit and Review Committee of _______________ Council will be responsible for oversight and assurance of the processes for the identification and assessment of the strategic-level risk environment.
The Vice-Chancellor has delegated responsibility for oversight and implementation of this policy to the Vice-President (Organizational Support).
The Senior Executive of the University will ensure risk management is embedded into the key controls and approval processes of all major business processes and functions. The Executive will be responsible to the Vice-President (Organizational Support) for the implementation of this policy within their respective areas of responsibility.
Heads of ______________ subsidiaries and controlled entities -- and associated entities operating under the name or legal status of the University -- will be responsible to their respective Boards for the implementation and maintenance of appropriate risk management processes; and will provide reports to the Vice-Chancellor as directed on the implementation of these risk management processes.
The Planning & Quality Unit will provide reports to the Vice-Chancellor, Vice-President (Organizational Support), and Audit and Review Committee on the status of risk management implementation and effectiveness across the University; and will periodically report on the identification and assessment of major, strategic risk levels.
This policy is to be made available to all ____________ staff and observed by all members of staff, both academic and administrative.
There will be an ongoing professional development and educational strategy to accompany the implementation of this policy.
Definitions are taken from the Australian and New Zealand Risk Management Standard, with some modifications as appropriate to the particular ____________ context.
A complete listing of methodology definitions related to risk management at ____________ is included in the ________________ Risk Management Guidelines.
Key definitions are:
- Risk: The chance of something happening which will have an impact upon objectives. It is measured in terms of consequence and likelihood.
- Consequence: The outcome of an event or situation, expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
- Likelihood: A qualitative description or synonym for probability or frequency.
- Risk Assessment: The overall process of risk analysis and risk evaluation.
- Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
- Risk Treatment: Selection and implementation of appropriate options for dealing with risk. Conceptually, treatment options will involve one or a combination of the following five strategies:
  - Avoid the risk
  - Reduce the likelihood of occurrence
  - Reduce the consequences of occurrence
  - Transfer the risk
  - Retain/accept the risk
- Risk Management Process: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risk.
There are no exclusions. This policy applies to all areas of the University.
Further administrative information about this policy
Responsibilities and contacts
| Responsibility | Contact |
|---|---|
| Implementation of the policy | Vice-President (Organizational Support) |
| Monitoring and evaluation of the policy | Planning & Quality |
| Development/revision of the policy | Planning & Quality |
The following person may be approached on a routine basis in relation to this policy:
About the author: Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.