7 Steps to a GRC Risk Management Framework-5: Residual Risk

Aug 29, 2017 | by Marshall Toburen

Of the many challenges in managing information risk, perhaps the greatest is knowing where to focus risk management resources. Without a clear understanding of the risk associated with the information in your organization, you may end up misdirecting scarce resources: protecting information that isn't critical to protect, or under-protecting information that must be protected to reduce business risk. One of the things you have to understand in order to decide where to direct resources is residual risk, the risk that remains after measures have been taken to address the inherent risk of the information.

In the first four posts in this series, we looked at how to identify information that needs to be protected to reduce business risk; how to locate important information within the organization; how to assess information risk; and how to evaluate the controls that are in place to manage risk. Once you evaluate the risk treatments that have already been applied, you can calculate the risk that remains, i.e., the residual risk. Like inherent risk, residual risk can be measured using a formula:

Residual Risk = Inherent Risk x (1 - Risk Reduction percentage of all applied and operating risk treatments)

Note that the residual risk is what is left after the reduction, so the inherent risk is multiplied by the share of risk that the treatments do not remove, not by the reduction percentage itself. Only treatments that are both applied and actually operating count toward the reduction.

Because no risk treatment can be relied upon to be 100% effective, the result of this type of calculation should never be zero. Risk management is not the elimination of risk; rather, it's the ongoing effort to balance risk treatments against risk, so that the organization's risk never exceeds its risk appetite. This requires constantly recalculating risk and paying careful attention to changes in the organization's risk profile. The framework you build needs to include ways to measure risk tolerance and risk appetite, so that you can see when residual risk threatens to exceed risk appetite and make an informed determination of what to do about it.
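The calculation above, carried through for one asset with several treatments, as an added example (this is not code from the original post, from the RSA eBook, or from RSA Archer). The 1-5 likelihood and impact scale, the treatment names and effectiveness figures, the 95% cap on any single treatment, and the choice to combine independent treatments multiplicatively are all assumptions made for the example; your framework may score and combine them differently.

```python
"""Residual risk for one information asset under several risk treatments.

Added example, not part of the original post. Scale, treatments, effectiveness
figures and the risk appetite are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumption: no single treatment is ever credited with more than 95% reduction,
# so the residual risk can never be driven to zero by one overstated control.
MAX_EFFECTIVENESS = 0.95


@dataclass(frozen=True)
class Treatment:
    name: str
    reduction: float        # fraction of the remaining risk this treatment removes, 0..1
    operating: bool = True  # only treatments that are applied AND operating count


def inherent_risk(likelihood: int, impact: int) -> int:
    """Inherent risk before any treatment, on an assumed 1-5 x 1-5 scale (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be in 1..5")
    return likelihood * impact


def combined_reduction(treatments: Iterable[Treatment]) -> float:
    """Risk-reduction percentage of all applied and operating treatments.

    Treatments are assumed to act independently, so the share of risk that
    survives all of them is the product of what survives each one:
        remaining = prod(1 - r_i)   ->   reduction = 1 - remaining
    Each r_i is capped at MAX_EFFECTIVENESS, so remaining is always > 0.
    """
    remaining = 1.0
    for t in treatments:
        if not 0.0 <= t.reduction <= 1.0:
            raise ValueError(f"{t.name}: reduction must be a fraction in 0..1")
        if not t.operating:
            continue  # designed but not operating: no credit
        remaining *= 1.0 - min(t.reduction, MAX_EFFECTIVENESS)
    return 1.0 - remaining


def residual_risk(inherent: float, treatments: Iterable[Treatment]) -> float:
    """Residual Risk = Inherent Risk x (1 - combined reduction of operating treatments)."""
    return inherent * (1.0 - combined_reduction(treatments))


def assess(likelihood: int, impact: int, treatments: list, appetite: float) -> dict:
    """Full inherent -> residual -> appetite check for one asset."""
    inherent = inherent_risk(likelihood, impact)
    residual = residual_risk(inherent, treatments)
    return {
        "inherent": inherent,
        "reduction": combined_reduction(treatments),
        "residual": residual,
        "within_appetite": residual <= appetite,
    }


# Constructed sample: customer records, likely to be targeted (4), severe impact (5).
SAMPLE_TREATMENTS = [
    Treatment("encryption at rest", 0.60),
    Treatment("role-based access control", 0.50),
    Treatment("data loss prevention", 0.70, operating=False),  # bought, not yet deployed
]

if __name__ == "__main__":
    result = assess(4, 5, SAMPLE_TREATMENTS, appetite=5.0)
    for k, v in result.items():
        print(f"{k:>16}: {v}")
    # The DLP tool earns no credit until it is operating; switching it on
    # is what a re-evaluation after a change in circumstances would capture.
    live = [Treatment(t.name, t.reduction, True) for t in SAMPLE_TREATMENTS]
    print(f"residual with DLP operating: {residual_risk(20, live):.2f}")
```

Two points the numbers make: the non-operating DLP control contributes nothing, so the asset sits at a residual of 4.0 against an appetite of 5.0 and is only just inside tolerance; and even a treatment declared 100% effective leaves a non-zero residual because of the cap, which is the page's "never zero" rule expressed in code.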

There are a number of standards, such as the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), available to help you understand the typical technical and organizational risk treatments that should be implemented for various functions and IT assets. However, the effectiveness of each risk treatment varies from one organization and asset to the next, and shifts as threats and best practices evolve. This is why every information security specialist must carefully evaluate the effectiveness of the risk treatments the organization has in place, and reevaluate that effectiveness as circumstances change.


You can find more information about residual risk, including its place in the larger context of building a framework to manage information risk, in the RSA eBook 7 Steps to Build a GRC Framework for Business Risk Management. The eBook includes example formulas for calculating inherent risk and residual risk. Read the eBook to learn more about why the ability to calculate these two types of risk is essential to making sound decisions about where to direct resources to manage information risk in your organization. 

Author: Marshall Toburen

Category: RSA Fundamentals, RSA Point of View

Keywords: GRC, Risk Management, RSA Archer