Risk Management Program Guidance and Best Practices

Risk Management Program Guidance and Best Practices

In the previous article, we discussed the most frequently asked questions on information security program and why it is so important for your organization, and the essential components of it. In this article, we will discuss the risk management program, as it is a critical component of the information security program.

A practical, yet formal and comprehensive risk management program should be maintained and updated to manage the risk associated with the use of information assets. The objective of the risk management is to appropriately assign safeguards/controls to information systems/assets based on the criticality/sensitivity of the information system and asset.

A formal, comprehensive, and documented risk assessment should be performed by a qualified, independent assessor/organization on at least an annual basis or whenever there is a significant change to the information system or operational environment. A risk assessment should also be performed prior to any significant change, after a serious incident, or whenever a new significant risk factor is identified. Risk assessments should be performed in a consistent way at planned intervals or when there are major changes to the organization’s environment.

Risk Assessment Best Practices

To ensure that information assets are used or disclosed in an appropriate manner and protected from unauthorized use or disclosure, a comprehensive risk assessment should be performed by the organization in working with the legal and other operational units to determine the status of the safeguards in place to protect information systems and information assets. The organization may get additional assistance in completing this risk assessment from outside independent assessors or consultants.

A risk assessment should be performed in a consistent way and at planned intervals at least annually covering all applicable areas of operations. The risk assessment should be updated whenever significant changes have taken place within the information systems or the operational environment. A review of the risk assessment results should be performed annually. Risk assessments will include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems.


Risk Analysis – a process that will be used to identify possible threats and vulnerabilities along with identifying possible ways to reduce risks to an acceptable level.

Risks may be evaluated based on the likelihood and magnitude of harm from an unauthorized use or disclosure of protected health information. The evaluation of risk may also be based on the confidentiality, integrity, availability, financial, regulatory, operational, or reputational losses of sensitive information.

Risk Assessment Process

The initial risk analysis should create a baseline for ongoing risk management activities including mitigation strategies. Any risk assessments performed should be documented in a Risk Assessment Report. The Risk Assessment Report should be a part of the overall security plan.

Testing of vulnerabilities or evaluations of new threats should be conducted on all information systems and network devices owned or operated by the organization on an annual basis in conjunction with the review of the risk assessment. Testing should be performed by an outside/3rd party assigned or hired by the organization. Risk mitigation efforts should be formally documented and the residual risks after implementation of controls will be tracked.

The risk management process should be integrated with the change management process. Risk assessments are conducted whenever there is a significant change in the environment, or a change that could have a significant impact, and the results of the assessments are included in the change management process. This should assist in guiding decisions within the change management process (e.g., approvals for changes).

What are the 11 steps in risk management process?

  1. Create an inventory of applications and systems
  2. Identify reasonably anticipated threats (consider acts of nature, acts of man, and/or environmental threats)
  3. Assess what controls are in place
  4. Assess what controls are missing. Identify how applications or systems could be exploited
  5. Determine the likelihood of each threat occurring
  6. Perform an impact analysis and rate possible impacts as High, Medium, Low
  7. Evaluate the risk identified to the enterprise
  8. Determine risk by calculating a risk score
  9. Provide recommendations to reduce or manage risks appropriately
  10. Create a summary of key findings, recommendations and remediation roadmap
  11. Document management’s decisions

What is a risk management action plan or risk treatment plan?

A formal methodology for tracking risk assessments and risk treatments would be implemented. A formal methodology would be used to defined criteria for determining risk treatments and ensuring that corrective action plans for the information security program and the associated organizational information systems are prioritized and maintained. The remedial information security actions necessary to mitigate risk to organizational operations and assets, individuals, and other organizations would be documented.

How do you mitigate risks?

Any harmful effects that are known regarding the use or disclosure of sensitive information by the organization, in violation of its policies and procedures should be mitigated. A risk treatment plan that identifies risks and nonconformity, corrective actions, resources, responsibilities and security measures should be implemented that are sufficient to reduce risks to vulnerabilities to a reasonable, appropriate, and acceptable level determined by management. Security testing, training, and monitoring activities would be developed, implemented, maintained and reviewed for consistence with the risk management strategy and response priorities.

What are the risk mitigation strategies?

Risks will be evaluated based on the impact and the probability of occurrence along with evaluating multiple factors that may impact confidentiality, integrity, or availability of information/systems. Appropriate corrective actions for risks and nonconformity should be identified, evaluated, and implemented. Any harmful effect that is known to the organization of a use/disclosure of sensitive information by the organization (or its business associate/subcontractors) in violation of policies/procedures must be mitigated.

The CISO or the security/compliance team would be responsible for performing ongoing risk management functions to include periodic reviews and evaluations of technical solutions, policies/procedures, training, contracts and agreements, and audit effectiveness. The risk assessment team should provide solutions to address any particular risk. These risk mitigation strategies will depend on size, complexity, capabilities, technical infrastructure, and the probability along with the criticality of the impact that a potential risk presents to information assets. Security and privacy safeguards should be implemented based upon a risk-based approached such that the organization does not apply the same protection requirements to information assets with differing requirements for confidentiality, integrity, availability, and privacy.

Can you accept the risk?

Yes! Risks can be accepted if the potential impact is reasonably low and the cost to mitigate such risk is extremely high. Risks can also be mitigated to an acceptable level, be transferred to another entity, or covered by insurance. Risk assessments and risk treatments should be tracked on an ongoing basis. The risk treatment plan should be regularly reviewed and updated. Risks should be addressed within the organization’s strategic planning processes, and all personnel should be properly trained on the risk management program.

If you need help creating a risk management program or performing a risk assessment, we can help. Contact us today!