It is easy to get lost in the realm of risk management. Whether applying it to the entire school in an Enterprise Risk Management program, or simply focusing on privacy and information security, managing risk can be a daunting task.
In order to avoid that overwhelming feeling, it is wise to start with the basics. Build a solid foundation of understanding on which the more complex processes can rest. The purpose of this article is to do just that - establish a solid foundation for understanding risk and how to manage it. In order to do so, we must understand two things: what is risk, and what can we do with it?
What is Risk?
Most of us intrinsically have a very good idea of what risk is. According to the International Organization for Standardization’s ISO 31000, risk is “the effect of uncertainty on objectives.” I like to expand this to say that risk is “anything that could harm, prevent, delay or enhance our ability to achieve our objectives.”
Notice that “enhance” is included in that definition. This reflects the implication that risk is necessary, and can be positive. Likewise, it is important to understand and remember that it is not only our actions that carry risk, there is also risk of inaction.
For example, let’s assume that a school decides that international travel entails too much risk, and prohibits it. While avoiding the inherent risk of travel, they are introducing the risk of students missing out on valuable experiences that are unique to such travel. Inaction holds its own risk.
Simple, right? Now that we have a working definition of risk, what do we do with it?
What Do We Do with Risk?
Logically, the first step must be to identify the risk. Remember that this article is sticking with the basics, so we will not go into detail on strategies to identify risk. However, consider a broad process that involves everyone at your school. You never know who might have noticed a risk that they have not mentioned, or that has never been acted upon. Give them an opportunity to formally point out such risks, and they are likely to do so.
You may have heard that it is ill-advised to identify risks, because it invites legal action if they are not acted upon and result in unfortunate consequences. While I cannot give legal advice, my professional opinion is to ignore that sentiment. Identify your risks as soon as you have a plan in place to manage them (you do not need to eliminate them). Ignoring risk or pretending it does not exist is never the correct course of action. Never.
Once a risk is identified, there are only three things that can be done with it. These can be done alone or in combination. You may see different names or slightly different definitions assigned to them, but the actions are generally the same.
They are:
- Mitigate the risk (also called treating the risk). This is the action of reducing or eliminating the risk. It could also be a plan to avoid the risk. Many risks cannot be entirely eliminated. Mitigation is where the most work is likely to be required. If a risk is mitigated, but not completely eliminated, what remains can be called residual risk.
- Transfer the risk. Sometimes risk can be transferred to someone else. This does not refer to using cloud-based technology services, as the risk likely remains yours in that case. A good example of transferring risk is buying insurance. The insurance company assumes all or part of your risk.
- Accept the risk. A risk may not be able to be fully avoided, mitigated or transferred. If the risk of inaction is greater than the risk of action, then the risk just needs to be accepted. Note that identifying and accepting a risk is much different than ignoring it. In this case, leadership acknowledges the risk, and makes an informed decision to accept it and move forward.
Let’s consider a simple example. In today’s environment, it is easy for any organization to identify the risk of malware introduced by email phishing. Nearly everyone knows about it. This risk can be reduced (mitigated) through good practices, awareness training, and phishing simulations. The potential severity can be mitigated through incident response plans. Some of the remaining (residual) risk can be transferred through cyber insurance. However, even after all of this, some risk remains: the risk of system outage, lost time, lost data, etc. through a well-orchestrated phishing attack is still there, and it will be impactful even if insured. One could argue that the only way to fully eliminate this risk would be to eliminate electronic communications. That is not realistic or practical, so we mitigate and transfer as much as possible, and accept the residual risk.
When faced with the daunting task of managing risk, be sure to start with a simple foundation. Understand what risks are, and that there is risk of inaction as well as action. Identify risks in a comprehensive and ongoing manner. And manage them through mitigation, transfer, acceptance, or any combination of the three. Approaches to risk management may differ, but the goal is to accomplish these fundamental tasks. Understanding them first will provide the foundation on which to establish your comprehensive program.