Like deck building tabletop games, enterprise risk management (ERM) frameworks offer different strategies for determining risk and how to mitigate those risks. Just as building a Pokemon The Card Game deck requires reviewing not only your Pokemon’s strengths and weaknesses but ways to support them during battle, so do your risk mitigation strategies focus on your organization’s strengths and weaknesses so that you can determine how to create supporting controls that protect your information.
Defining Risk Mitigation & Five Ways To Deal With Risk
What is risk mitigation?
Risk mitigation requires assessing strategic, compliance, operational, financial, and reputational risks and putting controls into place that try to keep those from harming your business. In the same way, a deck building game like Pokemon TCG requires you to assess the various threats to your characters so that you can determine your gaming strategy.
Within the information landscape, several frameworks help organize your enterprise risk mitigation process. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed by the CERT Coordination Center at Carnegie Mellon University, offers a self-directed methodology customizable to an organization’s size. FAIR (Factor Analysis of Information Risk) attempts to address security practice weaknesses by providing a common risk mitigation vocabulary. The NIST RMF (National Institute of Standards and Technology’s Risk Management Framework), whose Congressional oversight involved proven research methods, provides strategies for selecting initial controls and assessing methods. The COSO CSF (Committee of Sponsoring Organizations of the Treadway Commission Cybersecurity Framework) helps establish industry-respected controls and suggests data to support decisions.
Risk mitigation’s varied options act like the different types of decks you can build. Once a player chooses a theme around which to build their deck, they need to determine the different ways to protect their pocket monsters. Similarly, risk mitigation’s individualized opportunities.
Step 1: Establish Organizational Objectives
Before beginning the risk assessment process, organizations need to determine their business goals. Organizations must create cross-departmental business objectives so that risk reviews align with corporate goals. Similarly, playing a deck building game requires understanding the different strategies that lead to scoring highest or winning.
Risk mitigation strategies strengthen profitability through enhanced business performance. Unexpected events, especially cyber risks, reduce operational efficiency, leading to lost customers as well as costs associated with employee remediation efforts. Focusing only on lost profit, however, ignores risk management’s more significant value-add: client confidence. In an ongoing era of data breach awareness, customers become more loyal knowing their partners not only understand but prepare for potential information security risks.
Establishing organizational objectives, therefore, means companies review not only the current risks facing them but also the threats facing potential new revenue streams. For example, a company that focuses on payment systems may be PCI DSS compliant. However, if that same organization decides to increase profitability by shifting to the healthcare industry, looking at HIPAA compliance becomes essential. As organizations scale, their risks change. Understanding organizational objectives before assessing risks increases the risk mitigation process’s value, just as knowing the different paths to winning a game allows players to make choices.
Step 2: Assess the Risks
Whether you’re building a playable gaming deck or engaging in ERM, you need to assess vulnerabilities.
Assessing risks starts with reviewing assets. For example, when playing a deck building game like Pokemon, cards are the assets that determine strategy. In a corporate risk analysis, your financial, customer, physical, employee/supplier, and organizational assets determine what you need to protect and how to protect it.
After reviewing your assets (or cards), you need to examine how opponents can exploit those assets. In a game like Pokemon, your character may have listed specific weaknesses that increase the damage your opponent can inflict. Similarly, your different assets come with weaknesses that more easily damage your revenue or reputation. To strengthen your compliance stance, you must recognize ways that opponents (or malicious attackers) can use even your best defenses to their advantage.
Step 3: Determine Risk Acceptance or Risk Avoidance
Risk tolerance assessments involve accepting or avoiding risk. In a gaming context, this might mean recognizing that your most reliable Pokemon takes additional damage from other Pokemon because the card expressly notes this weakness. However, you know that your Pokemon has a high health number and valuable attacks that protect it. In this scenario, the player analyzed the landscape, determined the strengths of the card, then accepted the risk associated with that choice.
Similarly, reviewing the IT landscape means looking at the controls in place and accepting risks or avoiding risks based on your risk assessment and assets. For example, many consider Amazon Web Services (AWS) one of the safer Cloud Service Providers (CSP). However, malicious attackers increasingly target AWS, leading to DDoS attacks that cause data breaches. Although an organization recognizes the vulnerabilities associated with AWS, it may still determine that AWS’s overall health and protections outweigh that weakness, so management accepts the risk rather than avoiding it.
Step 4: Map Internal and External Risks
After determining risk tolerance, organizations need to create risk mitigation strategies. This is similar to deck building games, where players choose not only cards that help mitigate problems with their chosen players but also ones that stymie the risks posed by their opponent. In a card game, this means choosing the right helper cards to strengthen the internal strategy while also finding better attacks or protections against opponent threats.
When mapping internal and external risks, organizations engage in the same thought process. Internally, a particular business unit may have training issues or access control management weaknesses. For example, when human resources lacks timely reporting on employment termination, the IT department lags in its ability to remove access, placing information at risk.
Externally, two different risks present themselves.
Business partners’ lack of security puts enterprise data at risk through access points. Meanwhile, malicious attackers exploit system vulnerabilities.
Mapping internal and external risk across your enterprise provides valuable insight into the interconnectedness of risks. For example, vendors lacking endpoint encryption place data at risk, but an organization’s access management controls incorporate external vendor risk and internal risk. Thus, mapping the risks across the enterprise helps showcase the interconnected nature of both risk types.
Step 5: Set Controls and KPIs
Agile compliance, similar to deck building games, requires monitoring and modification. When building a playable deck, competitors choose the cards they think work best against an opponent’s strategy but may learn that their hand remained vulnerable. For the next competition, they rebuild their deck and plan to optimize their outcomes. Additionally, they determine their strategy’s effectiveness using measurements such as time played before winning or the number of points ahead.
Similarly, risk mitigation uses project management strategies to review and reinforce strategies. Project managers recognize agile’s value when creating products. Risk managers and the c-suite can adapt this premise to meet risk mitigation goals. Agile product management requires communication across developmental departments to ensure ongoing project feasibility. Risk mitigation requires similar ongoing conversations between departments. Moreover, agile development requires product testing done in small increments to keep the project moving forward. Continuous control monitoring and testing perform the same function in the risk and compliance areas.
How Automation Benefits Risk Mitigation
Our risk heat maps provide easy-to-digest graphical representations of high, low, and medium risk areas within your organization. This visual provides the c-suite and Board of Directors with the information needed to meet oversight requirements.
Moreover, ZenGRC’s seed content allows organizations to start organizing their risk mitigation strategies rapidly. Our seed content helps organizations align with a variety of frameworks and standards to help companies map their risks and controls. After engaging in this step, companies can engage in gap analyses to determine the needed additional controls.
While building the right competition deck in Pokemon can take time and money, building the right risk mitigation strategy can be cost-effective and efficient with the right automated solution.
For more information on how ZenGRC can help you establish a risk mitigation strategy, schedule a demo today.