Advanced Governance & Compliance

Risk management — identify, assess, treat, and accept risk

Risk management is the systematic process of understanding what can go wrong, estimating the impact, and addressing it proportionally. Without managed risk, there is no security — just expensive, slow, and misdirected controls. ISO 27005 and NIST SP 800-30 are the most widely referenced frameworks in this space.

Core Concepts

Risk = Likelihood × Impact

Threat: what can cause harm (e.g., ransomware, malicious insider)
Vulnerability: weakness the threat can exploit (e.g., missing backups)
Asset: what needs protection (e.g., customer database)
Control: measure that reduces likelihood or impact

Process Steps

1. Asset Identification

List information assets by category:

Data: customer database, contracts, credentials
Systems: ERP, email, production servers
Processes: onboarding, billing, support
People: admins, developers, vendors
Infrastructure: data center, network, endpoints

Assign an owner to each asset. Without an owner, there is no accountability.

2. Risk Assessment

Use a risk matrix with a defined scale. Example using a 1–3 scale:

                       IMPACT
                 Low(1)  Medium(2)  High(3)
LIKELIHOOD
High(3)            3        6         9    ← unacceptable
Medium(2)          2        4         6    ← attention required
Low(1)             1        2         3    ← acceptable

Example:
Asset: production server
Threat: ransomware attack
Vulnerability: untested backups, exposed RDP port
Likelihood: 3 (high — exposed environment)
Impact: 3 (high — full operational outage)
Gross risk: 9 → unacceptable

3. Treatment Options

Option     When to use                                Example
Mitigate   High risk, control is feasible             Deploy EDR, segment network
Transfer   Financial impact, insurance viable         Cyber insurance, outsource
Accept     Low risk or cost exceeds impact            Document residual risk
Avoid      Activity is more dangerous than valuable   Decommission legacy service

4. Risk Treatment Plan (RTP)

Risk ID: R-042
Asset: production server (192.168.1.10)
Gross risk: 9
Planned control: block RDP at perimeter, deploy VPN with MFA
Owner: Jane Smith (Infrastructure)
Deadline: 2026-07-30
Expected residual risk: 4 (medium)
Approval: executive sign-off on 2026-06-25

5. Risk Acceptance

Residual risks after treatment must be formally accepted by leadership. Document:

  • Which risk is being accepted
  • Why (cost/benefit, timeline, feasibility)
  • Who accepts it (role and signature)
  • For how long (scheduled review date)
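As an added worked example (not part of the original page), a small Python risk register that walks steps 2 to 5 above: it scores likelihood × impact on the 1–3 scale, rates the score, refuses entries without an owner, tracks the residual after treatment and lists what still needs leadership acceptance or a scheduled review. The rating thresholds (6 and above unacceptable, 3 to 5 attention required, otherwise acceptable) and the post-control values for R-042 (likelihood 2, impact 2) are assumptions chosen to match the page's figures of 9 gross and 4 residual.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

def rate(score: int) -> str:
    # Thresholds are an assumption matching the page's figures (9 unacceptable, 4 medium).
    if score >= 6:
        return "unacceptable"
    if score >= 3:
        return "attention required"
    return "acceptable"

@dataclass
class Risk:
    risk_id: str
    asset: str
    likelihood: int                 # 1-3, before treatment
    impact: int                     # 1-3, before treatment
    owner: str                      # no owner, no accountability
    residual_likelihood: Optional[int] = None   # assumed values after the planned control
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None           # who signed off the residual risk
    review_date: Optional[date] = None          # scheduled re-assessment

    def __post_init__(self) -> None:
        if not all(1 <= v <= 3 for v in (self.likelihood, self.impact)):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-3")
        if not self.owner:
            raise ValueError(f"{self.risk_id}: every asset needs an owner")

    def gross(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # An untreated risk keeps its gross score as its residual.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.gross()
        return self.residual_likelihood * self.residual_impact

def open_items(register: List[Risk], today: date) -> List[str]:
    # Monitoring findings: treatment insufficient, residual unaccepted, review overdue.
    findings = []
    for r in register:
        level = rate(r.residual())
        if level == "unacceptable":
            findings.append(f"{r.risk_id}: residual {r.residual()} still unacceptable")
        elif r.accepted_by is None:
            findings.append(f"{r.risk_id}: residual {r.residual()} ({level}) not formally accepted")
        if r.review_date is not None and r.review_date < today:
            findings.append(f"{r.risk_id}: review overdue since {r.review_date}")
    return findings
```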

Continuous Monitoring

Risk changes. New assets emerge, threats evolve, and the business shifts. Establish:

  • Annual full review of the risk inventory
  • Re-assessment triggered by significant incidents
  • KRIs (Key Risk Indicators): threshold alerts, e.g., number of unauthorized access attempts per week
  • Integration with change management: every significant IT change must go through risk assessment

Common Tools

  • Structured spreadsheet (minimum viable for SMBs)
  • GRC platforms: ServiceNow GRC, Archer, MetaCompliance
  • Open source: MONARC, SimpleRisk