Every successful risk management strategy needs to be supported by a risk management program, which is the focus of Pitfall #10 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.

The development, along with the implementation, of a risk management program is critical to achieving the intended goals of an organization’s risk management strategy. Program implementation should align with other defined security program goals. The lack of a risk management program may lead to ineffective implementation of an organization’s risk management strategy. Without an overall risk management strategy, an organization’s overall security program is likely to falter. This most frequently occurs because control owners are not assigned the actions required to manage a holistic program. Risk management control assignment, accountability, and continuous management are key to maintaining an effective program.

A risk management program that is consistent with your organization’s control environment should be developed, implemented, and maintained to manage or otherwise limit the impact of risks, including cybersecurity risks, to an acceptable level. This program should ensure that plans for conducting security testing, privacy testing, training, and monitoring activities associated with information systems are developed. These plans need to be executed in a timely manner, according to the defined control requirements. Testing, training, and monitoring plans should be reviewed consistently, in accordance with the risk management strategy, to align with organization-wide priorities for risk response actions.

The risk management program should include the overall objectives of the risk management processes for your organization. The mitigation of risks identified from risk assessments, risk treatment, and threat monitoring processes should be addressed. The risk management program should specifically address risks beyond the boundaries of technological impacts. These risk areas may include financial, strategic, operational, internal business, and regulatory compliance risks.

A formal risk assessment and risk treatment process should be implemented for your organization. At a minimum, this should include tracking capabilities within a repository system that stores risk assessments that have been performed, the risks identified, and the remediation performed or that is currently in progress.

To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.