Risk management programs cannot survive and perform well without three golden rules that must be followed with discipline.

1. Involving the Executive management in risk management programs

In order for a risk management program to perform well and deliver strong results, executive management must have its attention drawn to the program and take an active part in it. By understanding their needs and their perception of the risk management policy, a prioritization strategy can be built and proper attention given to the critical business units. It is also highly recommended to contract a third-party risk assessment company to perform an independent, qualified risk survey: to highlight the severity of the known risks, to identify unknown and potential risks, and to provide immediate recommendations for high-risk vulnerabilities. A risk survey is usually followed by this set of immediate recommendations as a short-term strategy; after a more thorough analysis, the risk assessment company will provide a list of recommendations for a medium- and long-term strategy.

2. Make rules and establish standard procedures for risk management strategies

After receiving the feedback from the risk survey, executive management should continue to work closely with the risk assessment company and allow them to supervise the implementation of the proposed strategies, establish responsibilities, and supervise the personnel with operational security and risk management roles, who will receive proper instruction and information. Even where qualified, highly trained and experienced personnel exist, proper documentation should be developed: standard procedures for various scenarios, the security architecture, sensitive data flows and production flows, and a data/asset inventory. Once done, these activities provide important reference points for the future and an opportunity for periodic scheduled reviews and analysis. Making every procedure or strategy a standard, providing trainings and knowledge sessions for the assigned personnel, and combining this with the efforts of management will result in overall improved performance and better service levels.

3. Continuity of the risk management programs

With executive support and cohesive direction, the risk management personnel will monitor the organizational risks on an ongoing and continuous basis, remaining aware of their goals and the requirements of the implemented strategy. The continuity of a risk management program is an important factor in its outcome and success: it is a step-by-step, hands-on procedure, closely supervised by the risk assessment company, which will periodically monitor the daily logs, review internal and external risks and vulnerabilities quarterly, and combine this with internal and external risk assessment reports on at least an annual basis.

Keeping these three basic things in mind, your risk management program will succeed, and your company and executive management will become more capable of managing risks and more aware of them. Even though the practical management of technical controls and operations will remain in the hands of the technical personnel, if executive management offers its support and collaboration, the effect of risks on the company will be better understood by every employee, and a clear, easier and more practical risk management strategy can be developed.

What do you think?