In our first post in this series, we introduced core concepts of risk assessments, including where they fit within the overall risk management process and the exceptional importance of first completing the context-setting stage of the process. In that post, we looked at ISO 31000 as a reasonable model for an overall risk management process, but stopped short of diving into specific standards (frameworks and methodologies) for risk assessment.
In today’s post we will look at standards and how they can best be leveraged by your organization to improve risk assessment efficiency and effectiveness. We will also highlight some common data collection standards that may be useful. The key takeaways for this article are to first determine whether or not a standard will benefit your organization, what sort of standards might be useful and how to pick one, and a brief summary of major standards that are available.
Without further adieu, let’s delve into the first question.
Do I Even Need a Standard?
At first, this may seem like a silly question. On the one hand, it may seem absurd that an organization would need a standard for what might appear to be basic and foundational. As ISO 31000 readily demonstrates, there is nothing “whiz bang” special about risk management and risk assessments. Create a process, gather data, conduct analysis, and make the best decision possible. However, is this true, or are we oversimplifying matters?
On the other hand, standards can seem quite logical and appropriate – maybe even appealing – to help us construct and operate our risk management programs. However, not all standards are created equal, nor in fact do they accomplish the same things. As we’ll discuss later in this post, some standards can be quite large and overwhelming, while other standards have a more focused purpose and may need to be used in conjunction with other standards.
The base answer to the question of whether or not a standard will be useful ends up being fairly straightforward: All standards should be approached as guides to help fill in gaps in your overall risk management program. Standards can be useful in helping ensure you have the right steps in your overall process, and they can provide further value in helping you identify opportunities to refine and improve process definition and execution.
Choosing a Good Fit
Thankfully, most standards conform to the guidelines set forth in ISO 31000, which means picking a standard as a reference for risk management program development should not be scary (there are, of course, exceptions to this rule – COBIT 5, in particular). As such, the focus of your quest for a standard should be born out of a desire to find something that works for your organization without being so diametrically opposed to corporate culture that it will almost assuredly result in failure.
That may seem scary, but at heart the point is this: Read several standards and find the one that sounds and/or feels most like your organization’s culture. How does your organization function? How do people interact? What is the nature of the business being conducted? What sort of backgrounds do people have (e.g., public vs. private sector)? To what regulations is your organization subject?
As is often the case with risk management, it is imperative that you know your organization, and know it well. Risk assessments are as much art as science, and thus require having a good sense for how people think and behave. For example, consider the differences in culture, operations, and personnel between a stringent military organization versus a manufacturer versus a very white-collar financial services company versus a Wall Street trading house with very sensitive real-time processing requirements versus the typically laid-back and laissez faire environment of most higher education institutions.
Proper fit is key to success. If you want people to listen to you, hear you, and take you seriously, then you cannot present an approach that is radically different from how business is conducted, or worse, that interferes with their ability to complete their assigned duties.
- Information Security Forum Information Risk Analysis Methodology (ISF IRAM): ISF IRAM is an interesting reference because it does an effective job of breaking down the process in a meaningful and useful manner. ISF’s overall approach to risk assessment starts with completing a business impact assessment (BIA), then performing a threat and vulnerability analysis, and then moving into control selection. This approach roughly approximates the ISO 31000 process (context-setting, assessment, and remediation), and the tooling support can be interesting. The biggest downsides to ISF IRAM are that organization membership can be expensive and the tools themselves may not easily integrate with a risk management or GRC platform. Nonetheless, studying their approach and any open materials you can find on how the conduct the BIA is interesting and might help you refine your approach.
- ISACA COBIT 5 for Risk: A very commonly referenced standard, COBIT 5 itself can be incredibly overwhelming as it is intended to be a full-scale IT governance program and not just a risk management standard. ISACA has produced subsidiary documents specific to defining and conducting a risk management program, and that documentation can be useful and interesting as a reference. One of the largest challenges with COBIT 5 is learning enough about it to go through scoping, design, and implementation. Often, specialized resources are required to get through these steps. However, the average organization is not in financial services (the primary audience), and thus we recommend reading the COBIT 5 for Risk documentation, approaching it as a comprehensive reference, but not as a standard that any sane person might try to implement as-is.
- ISO 27000 series: As has been noted before, ISO 31000 provides a generic guideline for the risk management process and its subsidiary components. This approach is further refined with more details within ISO 27005, which is designed to align with the Information Security Management System described in ISO 27001 and ISO 27002. For those organizations with an international presence, those subject to frequent external audits, or with a specific interest in acquiring an ISO certification as a liability shield, it is (obviously) useful to become acquainted with ISO 27005. Beyond that, the standard does not provide much more value beyond ISO 31000 itself, and thus may have limited reference value outside of seeking a certification.
- OCTAVE Allegro: A product of CERT’s Risk Resiliency Center, OCTAVE Allegro is the most recent risk management publication in the OCTAVE methodology series. Overall, OCTAVE can be a good fit for organizations that tend more toward an analytical or engineering mindset. It includes supplemental worksheets that can be fairly easily integrated into risk analytics tools, and it has a reasonable amount of reference materials that can help in identify gaps and opportunities for improvement. Training is available from CERT for using OCTAVE, which could also provide value, especially for organizations that are just getting started with a formalized risk management program.
- Open FAIR: In contrast to the other standards listed here, Open FAIR is not generally focused on the overall risk management process (not completely true, but bear with us), but rather provides a discrete approach for conducting risk assessment and risk analysis. That said, following the entire Open FAIR approach from start to finish definitely does take you through context-setting and risk assessment, and in some cases may even be used for analyzing risk remediation options. One of the most important and valuable components of Open FAIR is the Risk Taxonomy, which takes the concept of “risk” (defined therein as “probable frequency and probable magnitude of future loss”) and factors it into easily understood components. Open FAIR is intended as a quantitative risk assessment methodology, which is also unique in this list. However, the Risk Taxonomy itself can absolutely be used in a qualitative manner to quickly “back-of-the-napkin” assess a situation. Such a snap assessment can often be useful as an initial triage step before deciding whether or not an in-depth risk assessment is warranted. The Open FAIR standard is written in accessible language and can be a worthwhile resource for shaping your thinking and approach to risk assessment and risk management.
- USG Standards: The United States Government’s National Institute of Standards and Technology provides a large amount of free, open source standards on a number of interesting and useful topics. Included among these are an entire series of standards for risk management and risk assessment that generally conform to the ISO 31000 guideline and provide worthwhile information on structuring an approach. As is unsurprising, the NIST methodologies do tend to be a bit more bureaucratic in nature, but that attribute may fit well with some organizations. We recommend reviewing NIST Special Publications 800-39, 800-37r1, and 800-30r1.
- Regulatory guidance or requirements: When designing and refining your approach to risk assessment, please be mindful that most standards from the past decade have included guidance and requirements, to some degree, for risk management or risk assessment. Be sure to account for any such requirements when designing your approach. You may find that certain standards may have better alignment than others with these stipulations.
- Data collection tools: Most risk management platforms will include a reference library of questionnaires to aid in data collection. One common standard is the Shared Assessments SIG and SIG lite set of questionnaires. If your organization works in or with financial services you may already be familiar with these tools. Even if your organization is not in financial services, or you do not foresee direct use of them, they can be worthwhile references in developing your own data collection tools. That said, please bear in mind the point made in our first post: Data collection is not the same as risk assessment or risk analysis. Data is just the input, not the actual evaluation.
As we have discussed throughout this post, standards can provide value for defining and refining your risk management and risk assessment approach. Moreover, standards for data collection (such as from Shared Assessments) can provide additional value in improving overall performance. However, finding a standard can at times be daunting, and implementation can be soul-crushingly overwhelming.
It is thus important to approach standards with a learning mindset intent on investigating different theories on risk assessment, and then assimilating those pieces that best match with your organization’s culture, rather than necessarily seeking to make wholesale changes that may be at complete odds with how business is performed. As always, risk management must be nuanced and seek to integrate seamlessly with existing practices and processes in order to be successful. If not done well, the risk management process will get bypassed in the name of “getting work done” and, as a result, will falter (if not fail completely).
In our next post in this series we will be exploring how to “right-size” risk assessments, as well as discussing the pros and cons of qualitative versus quantitative risk assessments (including defining just what those terms mean). Our decisions can only be as good as the data we collect and analyze, which means it’s important to understand what both good and bad data look like. You may be surprised by what we have to share.