Risk management is all about collaboration – involving the right people and having a solid process. But it’s also about ensuring consistency when including colleagues who may have different fears or opinions than your own. A universal framework is a great place to start.
Marc from Marketing fears that a phishing attack that could lead to the misuse of customer contact details is just around the corner, and he marks it as high risk in the risk matrix. Meanwhile, Lisa from HR thinks a ransomware attack sounds like something that’s unlikely to ever affect her department.
Identifying cyber threats to the business can be a subjective process, where employees’ personal concerns and fears come into play. So how do you create alignment and ensure everyone is speaking the same language?
That’s what information security expert Marie Bjerre Simonsen from Wired Relations and Head of Cyber Risk Advisory Sofie Freja Christensen from Dubex discuss in a webinar on risk management.
At first glance, many might think that risk assessments belong solely to the compliance team. But as Sofie explains, risk assessments only come to life when they’re informed by the people who work with the systems and processes every day:
"If you centralise risk assessments, you don’t necessarily have the knowledge or understanding of how things actually work in the day-to-day reality of the different departments".
That’s why cross-functional collaboration is essential. You need a good process in place with a coordinator responsible for driving the process, and “risk owners” who hold practical knowledge and provide input.
"Risk owners aren't necessarily experts in risk assessments or how to perform them. They’re the ones who have local insight into the use of a specific system or process," Sofie explains.
"At the same time, you need the deep subject-matter expertise from the compliance team, which can feed into reporting and translate what it is you're actually looking at," adds Marie.
You need both roles to put together a solid and accurate risk assessment, and that requires finding the right people and, as mentioned earlier, being able to speak the same language.
In smaller companies, knowledge often sits with just a few people, making it easy to know who to involve. But in larger organisations, it can be harder to know where to start.
"In that case, it’s a good idea to look to the department manager or the people responsible for the specific system or process you’re assessing," Marie explains.
Once the risk owners have been identified, the next step is to establish a clear framework that defines what each value in the risk assessment represents.
"In my view, it’s incredibly important that we have a common language. It can be really tough, and it may need to be adjusted over time, but to sit down and say: What does it mean when we have a scale from 1 to 5, where the consequence is 3 on confidentiality? It’s essential that people understand what 3 means in their context. You can find inspiration for that in ISO 27005".
"That’s what it takes to speak the same language. Otherwise, it becomes a gut feeling – and Marc thinks, ‘this must never happen,’ while Lisa, on the other side of the hall, doesn’t think it’s a big deal," says Marie.
With a common framework – and input from both Marc and Lisa – how do you make sure the risk assessment process is completed?
Sofie and Marie explain that the results must be analysed. You can’t just look at individual risks; you also need to identify whether there are clusters of high risks in specific areas or systems.
"If we land in the yellow or red zones, we should at least ask the risk owner: What can we do? What would you recommend that management does? Should we accept the yellow risk because there’s not much more we can do? Or are there certain measures we can take?" says Sofie.
From there, it needs to go to management, she explains.
"At the end of the day, they’re the ones who sign off, accepting the risks we’ve identified or approving our plan to mitigate them".
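To make the shared 1-to-5 scale, the yellow/red zones and the cluster check concrete, here is an added Python example (not code from the webinar, Wired Relations or Dubex). The scale descriptions, the zone thresholds and the sample register with Marc's and Lisa's risks are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Shared definitions so that "a 3 on confidentiality" means the same thing to
# Marc and Lisa. The wording is an assumption for this example (ISO 27005 can
# inspire the real one).
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}

def zone(likelihood, consequence):
    """Map a likelihood/consequence pair to a traffic-light zone.
    The thresholds (score = likelihood x consequence) are assumed here."""
    score = likelihood * consequence
    if score >= 15:
        return "red"
    if score >= 8:
        return "yellow"
    return "green"

def assess(register):
    """Score each risk, rejecting values outside the agreed 1-5 scale
    so a gut-feeling '10' cannot sneak into the matrix."""
    scored = []
    for r in register:
        if r["likelihood"] not in LIKELIHOOD or r["consequence"] not in CONSEQUENCE:
            raise ValueError(f"{r['risk']}: values must be on the shared 1-5 scale")
        scored.append({**r, "zone": zone(r["likelihood"], r["consequence"])})
    return scored

def clusters(scored, min_count=2):
    """Systems carrying at least min_count yellow/red risks: these, not only
    the individual entries, are what goes to the risk owner and management."""
    by_system = defaultdict(list)
    for r in scored:
        if r["zone"] != "green":
            by_system[r["system"]].append(r)
    return {s: rs for s, rs in by_system.items() if len(rs) >= min_count}

# Constructed sample risk register (owners and systems are hypothetical).
REGISTER = [
    {"risk": "phishing leaks customer contacts", "system": "CRM", "owner": "Marc", "likelihood": 4, "consequence": 3},
    {"risk": "stale CRM export on shared drive", "system": "CRM", "owner": "Marc", "likelihood": 3, "consequence": 3},
    {"risk": "ransomware on HR file share", "system": "HR", "owner": "Lisa", "likelihood": 2, "consequence": 5},
    {"risk": "printer misconfiguration", "system": "HR", "owner": "Lisa", "likelihood": 2, "consequence": 1},
]

if __name__ == "__main__":
    scored = assess(REGISTER)
    for r in scored:
        print(f"{r['zone']:6} {r['system']:4} {r['owner']:5} {r['risk']}")
    print("clusters:", {s: len(rs) for s, rs in clusters(scored).items()})
```

With this register the CRM shows up as a cluster of two yellow risks even though no single entry is red, which is exactly the pattern a per-risk view would miss.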
Our Sustainable Compliance Newsletter is designed for professionals working with compliance, GDPR, and information security. Each issue features expert insights, discussions on the latest trends, key learnings, and practical advice. We also explore how to reshape the way we think about and organise compliance, creating a sustainable path for processes.