Risk Management Roles and Responsibilities Checklist

Enterprise risk management is all about decision support for the organization. By tracking the risks facing the organization, you can determine whether its overall risk profile is acceptable or if activities must be done to reduce risk to a tolerable level.

Use this checklist as an outline of specific roles and responsibilities to build a dedicated risk management group. Keep in mind that many of its responsibilities may overlap with and/or be performed in tandem with other groups not included within this document (i.e., internal audit, control owners, governance, etc.).

Risk Establishment 

• Establish a Risk Management Framework
  • Create a unified approach to evaluating risks by:
    • Deciding on a methodology (e.g., FAIR, NIST RMF, OCTAVE, etc.)
    • Implementing it for the organization
    • Ensure all parties agree to and understand the formula used to assess risk
  • Ensure individuals use a standard method and language to communicate risk to the organization
  • Allow the use of a more extensive risk measurement for more granular prioritization (i.e., sorting security events for triaging), but ensure such measurements can be mapped back to the base risk scale)
• Document Risk Appetite for the organization and various stakeholders
  • Determine which areas (e.g., emerging markets) can tolerate more risk
  • Determine which areas (e.g., established, regulated markets) can tolerate less risk 
• Create a risk register that encapsulates risks affecting the business
  • Facilitate gathering all the identified risks for the organization
  • Categorize and collect the main threats involving the organization’s:
    • Assets
    • Information
    • Operations
    • Other factors
  • Collect the risks in a central place for tracking and reporting
• Scope the Risk Management Activities
  • Understand the scope and context of your risk management activities, including the products or business activities to be incorporated
  • Do not begin with the whole organization
  • Focus on areas that may warrant more attention, like regulated or higher-risk products

   

READ: Risk Management Terminology for InfoSec Teams 

Risk Monitoring 

• Integrate into business activities
  • Align with the business to implement events to trigger risk evaluations with critical business processes (i.e., application changes, process adjustments, new projects objectives, etc.)
  • Establish risk approval workflows for risks that supersede the stated risk tolerance
  • Ensure stakeholders either accept the risk, implement appropriate treatments and mitigations, or avoid the risk altogether
• Perform ad hoc risk evaluations
  • Evaluate the changing business environment to ensure changes are aligned to the company’s risk tolerance, including:
    • Acquisitions
    • New products/markets
    • New technology stacks
• Incorporate any newly identified threats and exposures
  • As uncalculated scenarios are discovered, evaluate them using the established risk management framework
• Reevaluate the organization’s current risk stance based on the controls in place
  • Work with the governance and audit teams to accurately incorporate the risk reduction controls to reflect the present risk
  • Calculate and score based on the strength of the controls in place:
    • Automated vs. manual
    • Preventative vs. detective
• Plan regular risk assessment activities
  • Evaluate currently documented risks on regularly planned intervals
  • Identify which risks may warrant more reviews; for example, technical risk attributes may require more frequent reviews than natural disaster risks
    

Risk Treatment 

• Manage Risk Exceptions and Related Treatment Plans
  • Centralize the tracking of exceptions that exceed the risk tolerance of the organization
  • Track the implementation of treatment plans for issues with approved exceptions (e.g., added detection capabilities to unsupported systems)
  • Coordinate with stakeholders to reevaluate the exceptions on a predetermined interval (i.e., annually) to ensure they are still appropriate?
• Incorporate Treatment Plans Within the Risk Methodology
  • Design treatment plans to help lower the inherent risk of the scenario 
  • Incorporate treatment plans within the scoring to appropriately reflect the risk within the environment
• Establish a Decision Escalation Workflow
  • Implement a risk exception approval workflow for the various stakeholders
  • Determine whether approvals should be localized at the affected business unit or escalated to senior management, depending on the severity and scope

Risk Metrics 

• Design Metrics for Distribution to Various Audiences
  • Create metrics to show progress (or deterioration) in the organization's risk management program and to help track and facilitate a conversation among stakeholders
  • Ensure metrics show both the overall risk for the organization and the risk across various business units, products, markets, etc., where it makes sense
• Communicate Security Metrics to that Matter to Senior Leadership and Other Stakeholders
  • Establish a regular cadence to communicate metrics to multiple audiences
  • Convey the change in risk within the organization, including whether it is increasing, decreasing or staying the same
  • Compare risk metrics with the documented risk tolerance of the organization, highlighting exceptions to the process
  • Facilitate a conversation about risk reduction or acceptance of the most significant risks

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.