I work with a lot of organizations who are seeking to implement a “risk based security” framework, but are struggling with getting everyone to agree which risks are the highest priority (and, therefore, worth a larger investment). We often make this exercise more complicated than it needs to be. After all, in our daily lives we all apply risk frameworks whether we realize it or not.
Think of the things you own. Intuitively, you know the difference between those things you’d feel comfortable leaving outside on your front step all night and those which you will take the extra step to ensure they are locked inside at night.
Furthermore, you can probably name the shorter list of your possessions that you’d like to not only have inside, but you make sure they are accounted for and locked up securely inside your house or in a safe deposit box at the bank.
Congratulations, my friends, you have just applied a risk model!
In this example, how would you go about articulating the factors you used to decide which of your possessions warranted a certain level of protection or precaution? It could be tricky, and it may take a few tries to get it right.
In business, the challenge is similar: how can we enumerate the factors and our decision-making process so that different people across the business – armed with our process – can evaluate risk independently and come up with similar risk rankings?
One secret to success is to create the model, test it, and engage a larger group with different perspectives to evaluate and improve the model.
Success goes beyond the process used – it also requires context that is known, documented, and shared with others in your organization. After all, if you make decisions about a gaudy old chair without realizing that it is invaluable to your spouse because her beloved great grandfather made it, you will certainly make her angry with your decision about how much you want to invest to protect it.
When developing your risk framework, ensure you realize the difference between the most important, “make or break,” items in your business and those that are easily replaced. Then, get as crisp as you can in describing the thought process and criteria you employed to come up with your classification. This will make it easier to get everyone on the same page about risk evaluations.