@ISACA Volume 8  17 April 2019

Tips for Improving the Risk Management Process

By Lisa Young, CISA, CISM

The enterprise mission, strategy and objectives are the basis for understanding the dynamic risk landscape in which the enterprise operates. Whether an organization is public or private, for profit or nonprofit, government or military, it has a mission to deliver value to stakeholders and customers. In my work with senior executives, I am often asked how to get more value from the risk management process. Many risk management programs focus on the risk of noncompliance to prescribed regulations, standards and guidelines, or rooting out internal control deficiencies. Often, the business lines complain that risk management is additive to all the other important “real-work” activities already on their plates.

In the absence of a mature risk management program and process, the enterprise can be generally effective in preventing most realized risk with a robust compliance or controls testing program. However, this places emphasis on findings after the fact and makes risk management look like a pre-audit function rather than a partner that adds value to the business.

Positioning risk to the enterprise in the context of the mission, strategy and objectives is the first step in making sure that activities add value to the overall risk management process. This is known as setting the context for risk management. Pairing a risk-based approach with a strategic view of the enterprise enables communication and clarification of which uncertainties, or risk, have the highest potential to prevent the enterprise from meeting its intended targets, objectives and mission. If you want to ensure that the enterprise is managing the risk most relevant to its mission, here are some tips for improving your risk management process:

  • Periodically revisit the mechanisms for each of the risk process steps (identify, assess, analyze, plan response or treatment, communicate and monitor response) to understand whether the step is efficient and effective. For example, if an enterprise is using a risk and control self-assessment (RCSA) as a technique for risk identification, is the RCSA updated periodically as conditions change or emerging risk is discovered?
  • Is there a project or program management office that can be leveraged to make risk management a normal part of enterprise operations by building risk identification into standard work procedures? Track progress of risk treatment activities against plans to get started with metrics.
  • Evaluate risk activities to ensure that the most important assets and services are in scope. Some enterprises start with high-value assets that support the most critical business lines, processes or products, or critical services and then expand the scope as the risk management capability matures.
  • Integrate the planning of risk management activities with the audit and compliance planning cycle. Often, there is economy in collecting data once and using them to satisfy multiple information needs.
  • If the risk management activities rely on quantitative models, subject the models to the risk management process to ensure that they continue to perform as intended.

The main drivers for risk management include the needs to improve decision-making in enterprises, align risk management resources to address the risk with the greatest potential impact on the enterprise and ensure that value is created by maintaining risk within acceptable tolerances and appetites. For more information on the risk management process, read the ISACA white paper Getting Started with Risk Management or sign up for the upcoming post-conference workshop on Risk Management and Communication at 2019 NA CACS in Anaheim, California, USA.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Using Continuous Oversight to Improve Security



Monitoring information system security is an established management practice that supports compliance with both information security and privacy requirements. An enterprise's data protection and compliance maturity levels also help determine how its security, privacy and compliance efforts should be aligned with its information assurance program.

To help you learn how organizations can align security, privacy and compliance programs, ISACA and SecurityScorecard present the “Improve Security, Privacy and Compliance With Continuous Oversight” webinar. It will cover what you can do to ensure that those areas of data protection compliance are appropriately met and monitored. This webinar takes place on 23 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

The webinar will be hosted by Fouad Khalil, vice president of compliance at SecurityScorecard, where he is responsible for compliance programs, auditor education and alignment with best practices. With experience in the technology space, software development life cycle (SDLC), IT, program management, and, most recently, IT security and compliance management, Khalil’s career path has provided him with keen insights in the areas of network, system and database administration, software programming, and much more. Khalil will use his extensive experience in data security and compliance to help you learn to safeguard your enterprise with continuous oversight.

To learn more about this webinar or to register for it, visit the Improve Security, Privacy and Compliance With Continuous Oversight page of the ISACA website.


New ISACA Podcast Episodes Now Posting Weekly


To provide you with valuable industry insights in a quick and flexible manner, new ISACA Podcast episodes are now being released weekly. The ISACA Podcast channel covers topics related to security, recently released periodicals and publications, SheLeadsTech, ISACA’s 50th anniversary, and ISACA conferences.

In ISACA’s most recent Cyber Pros Exchange podcast, Frank Downs, director and subject matter expert of ISACA’s Cybersecurity Practice, and Dustin Brewer, manager and cybersecurity product platform developer at ISACA, discuss some of the findings of the recently released State of Cybersecurity 2019, Part 1 report. Downs and Brewer discuss the challenges of hiring qualified cybersecurity professionals and how to attract talent to the cybersecurity field.

To ensure you never miss another ISACA Podcast episode, subscribe to it on iTunes, Google Play or SoundCloud.


Call for Nominations: 2020 ISACA Awards


Do you know outstanding colleagues who have dedicated themselves to advancing ISACA’s core areas of audit, information security, risk and IT governance? Have you worked with an outstanding volunteer who has contributed to ISACA’s success? Has your ISACA chapter created an incredible member experience? Nominate them for a prestigious ISACA award.

ISACA members are invited to nominate outstanding individuals and chapters for ISACA awards online until 15 August 2019. This peer-recognition program relies on ISACA members to nominate and select the recipients who will receive their awards at ISACA events the following year. ISACA is proud to recognize the outstanding achievements of individuals and chapters within its professional community that exemplify ISACA’s values, purpose and leadership.

ISACA Global Achievement Awards include:

ISACA Chapter Awards include:

  • The K. Wayne Snipes Best Chapter Award, which recognizes chapters that exceed service goals by actively supporting local membership and thus ISACA.
  • The Innovative Chapter Program Award, which recognizes an outstanding program implemented within an ISACA chapter that demonstrates an innovative approach to member engagement, continuing education or community outreach.
  • The Outstanding Chapter Leader Award, which recognizes a chapter leader for his or her effective and inspiring leadership within the chapter, resulting in increased member engagement and a positive impact on ISACA’s professional community.

Visit the About ISACA Awards page of the ISACA Awards website for more information about submitting a nomination and to view past recipients.


Phishing Awareness and Your Enterprise



Email delivery is the primary source of malware dissemination. Cyberattackers rely on phishing attacks because they work and can easily target the same users several times a month. While enterprises invest large amounts of time and effort in mitigating phishing attacks, these attacks continue to be effective. Given this, what can organizations do to improve phishing awareness and prevent these attacks in the future?

To address both managing and maturing phishing defense techniques, ISACA and Terranova Security have developed the Phishing Defense And Governance white paper. This white paper analyzes the results and implications of ISACA’s survey data and aims to provide professionals with guidance to potentially improve phishing defenses.

To learn more, download this complimentary ISACA white paper from the Phishing Defense And Governance page of the ISACA website.