Operational Risk Management Plan Framework

Risk Management Plan – 7 Key Steps

Every small business needs to start building a Risk Management Plan as part of their IT strategy.  We published a blog post “7 Powerful Reasons for an Operational Risk Management Framework Now” in 2021 that really explains why.

The purpose of this blog post is to give small businesses guidance on how to create a risk management plan.

A risk management plan is a document that anticipates future risks, estimates their impacts, and defines responses to those risks.

Risk Management Plan Strategy

Developing a Risk Management Plan

The following describes 7 key components of a risk management plan for your guidance.

Document your Risk Management Plan

Some people think a new software solution will solve all security concerns and increase their protection.  While software solutions help mitigate risk, in some cases you may be spending money unnecessarily.  Know what you need.

  • The first step in the process really is documentation.  Document your plans as well as link to policies and procedures which enhance them.
  • Analyze your environment at a minimum annually for vulnerabilities and risks.
  • Finally update your documentation based on findings and company changes.

When you analyze your environment, consider regulatory and economic changes and pressures on the business.  Also, vendor and third-party relationships will affect the risk equation negatively or positively.

Risk Assessment Frequency

As a first step in your risk management plan, decide how often you will conduct a vulnerability and risk assessment exercise.  Document the time of month or week when this will take place.

For simple IT environments, at a minimum you need to do this annually.  For more complex IT environments, we recommend executing a vulnerability and risk assessment quarterly.

Keep in mind that your end-user devices can be a window of opportunity for any cyber attacker or insider attack.  As the number of employees in your business increases, your risk increases as well.

Rate Identified Risks

The Common Vulnerability Scoring System (CVSS) provides a numerical severity score for a known vulnerability.  Use this score as one input to an evaluation process that rates the identified risks to the business.

As you evaluate the risk, take into consideration these three components:

  • Numerical CVSS value
  • Likelihood an event will happen
  • System impact to the environment

Once the vulnerabilities are identified during a risk assessment, the next step will be to understand how they relate to the identified business systems.

Identify Critical Business Information

A critical step in the process is to know thyself, or in this case, know your business.  What are the critical business processes that handle business operations?

Once you know your business processes and flows, identify all assets tied to each process.  Next, prioritize the critical information assets within the business flow.  Keep in mind that your business probably contains multiple business workflows, depending on the services you provide to your customers.

The final step, identify external and internal risks associated with the business information.  Analyze and assess the vulnerabilities associated with the risks.

Define Risk Tolerances

Set your risk tolerance.  How willing are you to accept potential risk?

  • Aggressive – Willing to take on most any risk without considering the consequences
  • Moderate – Only willing to take on the risk if proper controls are in place
  • Conservative – Hardly ever take on any risk, utilizes the avoidance strategy

Once your organization decides your risk tolerance, develop a risk strategy.

Document Risk Response Strategies

Address risks using the four risk response strategies (avoidance, acceptance, mitigation, transfer):

  • Avoidance Strategy – Never attempt or engage in the activity that will cause the risk.
  • Acceptance Strategy – Accept the idea a loss might occur.
  • Mitigation Strategy – Reduce risk through controls or improved security solutions.
  • Transfer Strategy – Companies utilize insurance policies or indemnification clauses.
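The rating components (CVSS value, likelihood, system impact), the three tolerance levels, and the response strategies above can be tied together in a small risk register. The following is an added example, not code from the original post; the 3-level scales, the multiplicative scoring, the tolerance thresholds, and the sample findings are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed 3-level ordinal scales for the two non-CVSS components.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Assumed tolerance thresholds: (score at which to mitigate, score at which to avoid).
# Aggressive accepts almost everything; conservative moves to avoidance early.
TOLERANCE = {
    "aggressive": (90, 101),   # avoid_at above 100: never avoids on score alone
    "moderate": (40, 80),
    "conservative": (20, 50),
}

@dataclass
class Finding:
    asset: str        # business system the vulnerability was mapped to
    cvss: float       # CVSS base score, 0.0 to 10.0
    likelihood: str   # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"

def risk_score(f: Finding) -> float:
    """Combine the three rating components into a 0-100 score.
    Each factor is normalised to 0..1 and multiplied, so a critical CVSS on an
    unlikely, low-impact system does not outrank a medium CVSS on a likely,
    high-impact one."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    score = (f.cvss / 10.0) * (LIKELIHOOD[f.likelihood] / 3) * (IMPACT[f.impact] / 3)
    return round(score * 100, 1)

def response(score: float, tolerance: str) -> str:
    """Map a score to avoid / mitigate / accept under the chosen tolerance.
    Transfer (insurance, indemnification) is a business decision layered on
    top of these and is not derived from the score."""
    mitigate_at, avoid_at = TOLERANCE[tolerance]
    if score >= avoid_at:
        return "avoid"
    if score >= mitigate_at:
        return "mitigate"
    return "accept"

def prioritize(findings, tolerance):
    """Return (asset, score, response) tuples, highest risk first."""
    rated = [(f.asset, risk_score(f), response(risk_score(f), tolerance)) for f in findings]
    return sorted(rated, key=lambda r: r[1], reverse=True)

# Constructed sample findings (illustrative only, not from any real assessment).
SAMPLE = [
    Finding("payroll-server", 9.8, "high", "high"),
    Finding("kiosk-pc", 9.8, "low", "low"),
    Finding("invoicing-app", 6.5, "high", "high"),
]
```

Calling `prioritize(SAMPLE, "moderate")` ranks the payroll server first and shows how the same CVSS 9.8 lands on "avoid" for one asset and "accept" for another once likelihood and impact are factored in.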

Additional thoughts on these strategies:

Avoidance Strategy

Risk avoidance means to avoid an action, service or engagement that may bring additional liability or risk to your small business.

Acceptance Strategy

Risk acceptance means as a small business you accept the risk and do nothing to mitigate the risk.

The most common reason to accept a risk is when the cost of another strategy is greater than the loss.

Mitigation Strategy

Risk mitigation means controls and solutions reduce or eliminate the potential loss to the small business.

A couple of mitigation strategies, Defense in Depth and Zero Trust, will reduce your cyber risk.

Transfer Strategy

Most organizations use cyber insurance as a risk transfer strategy.  However, indemnification clauses can also be a key strategy in transferring risk.

Communication

The last important step in your risk management plan is communication.  A well communicated plan will help employees mitigate risks.

Here are a few really important risk management items to communicate and implement in your organization:

  • Incident Response Plan – Know how to react in any destructive incident instead of trying to wing it when it happens.
  • Cyber Awareness Training Program – An annual cyber security awareness training program helps mitigate risk through your employees.
  • Policies or guidelines – The controls and procedures to keep employees and the environment a safe place.


Our Final Thought

As you build out your plan, we hope these components of a risk management plan help your strategic thinking.

Both internal and external risks will always exist.  What you do as an organization will prepare and guide your company to success!