Guidelines for Effective Risk Management in the Digital Era

by Sanjeev Kapoor 12 Mar 2020

The main concept of risk management dates back hundreds of years, to the time businesses realized the importance of reducing uncertainty through proper planning of their activities. Over the years, risk management has been associated with specific activities that impact corporate planning and organization, while implementing controls over both human and financial capital. Specifically, risk management activities evaluate and analyze individual actions, in order to identify the risks that arise when each action is taken.

During the last couple of decades, the risk management process has been standardized as part of risk management frameworks. Risk management frameworks provide structured ways for identifying risks and assessing their probabilities of occurrence. In the area of IT infrastructures and services, risk management frameworks have been standardized by the International Organization for Standardization (ISO) and its 27000 family of standards, which specify processes for identifying, assessing and mitigating security risks. In principle, risk management processes involve a series of steps, including:

  • Identification: An in-depth brainstorming about different risks towards identifying as many candidate risks as possible.
  • Analysis: Analysis of the various risks and their pertinence to the different assets that make up the infrastructure.
  • Ranking and Evaluation: Ranking and evaluating each risk by estimating its probability and its impact on the organization. As a rule of thumb, the relative importance and rank of a risk is calculated by multiplying its probability with its potential damage.
  • Treatment and Response: Preparing a risk mitigation plan, including concrete response actions and responsible parties (i.e. risk owners) to execute them.
  • Monitor and Review: Monitoring information about the risk, while sharing relevant information with relevant stakeholders.

Conventional risk management approaches have been effective for many years. In recent years, however, they fall short when it comes to addressing the new risks associated with contemporary IT infrastructures and enterprise environments.

Changing Dynamics and Modern Challenges of Risk Management

In recent years, enterprises must operate in more dynamic and challenging environments, which are characterized by the following properties:

  • Complex Political, Social and Regulatory Landscape: In the era of globalization, enterprises are faced with a more complex political and social environment that imposes frequent changes in business strategies and revisions to the IT strategy, which in turn lead to regular reconfiguration of the IT infrastructure. Likewise, the regulatory landscape has become very volatile, as new regulations are introduced at very short time scales. This dynamic and volatile environment calls for revisions in risk management methodologies.
  • Interconnected Assets and Infrastructures: In the era of rapid digitalization of enterprise processes, companies and their assets are increasingly becoming interconnected. This boosts business efficiency, yet it introduces new risks. The latter stem, for example, from threats associated with the interconnected infrastructures, such as possible attacks against business partners’ infrastructures.
  • Cyber-Physical Security Challenges: As a result of the advent of the Internet of Things (IoT), enterprises must deal with both cyber and physical risks at the same time. In several cases the boundaries between physical and cyber infrastructures are blurred: physical attacks can be used to launch cyber-attacks and vice versa. As a result, the cyber-physical nature of modern critical infrastructures needs to be considered in the risk management processes.
  • Challenges introduced by Artificial Intelligence (AI): The expanded deployment of AI systems introduces new risks, such as risks associated with the operation of robots, drones and automated guided vehicles. Indeed, AI’s efficiency comes with novel security and safety risks.
  • An Asset Can Be a Vulnerability at the Same Time: Recent attacks against IT infrastructures, such as the notorious Mirai Distributed Denial of Service (DDoS) attack in 2016, have shown that an asset can also be a vulnerability. This complicates the risk assessment process.

Solution Recommendations

Here are some guidelines about revising risk assessment frameworks and methodologies, in a direction that can effectively address the above-listed challenges:

  • Continuous and Dynamic Assessments: Conventional risk assessments are usually performed at regular intervals, which is not adequate for dealing with dynamic and asymmetric risks. Therefore, risk assessments should be performed more frequently and must always be triggered when suspicious events associated with the critical infrastructure occur.
  • Use of Automation (AI): To perform more risk assessments, and more effective ones, organizations can nowadays benefit from Machine Learning and Artificial Intelligence systems. The latter can automate the risk assessment process while enabling enterprises to identify hidden risk patterns.
  • Information Sharing and Collaboration: To cope with the security risks of interconnected infrastructures, there is a need for closer collaboration between the stakeholders involved. A good practice in this direction is to share information about vulnerabilities and risks among the interconnected parties. By sharing such information, the interconnected stakeholders become able to perform collaborative assessments of various risks. Likewise, information sharing can trigger a risk assessment based on updates to the ranking of the risks in the interconnected assets. This approach can be followed, for example, in the scope of industrial value chains (i.e. digitally interconnected plants), as well as in the scope of healthcare chains (e.g., interconnected hospitals, care centers, and insurance companies).
  • Enriched Knowledge Bases: In order to perform effective and automated risk assessment, enterprises must have access to validated knowledge about known risks, threats, and vulnerabilities, including for example malware and ransomware attacks against IT infrastructures. There is a need for enhancing conventional knowledge bases with information that is currently lacking, such as information about cyber assets, physical assets, and their combination.
  • Holistic Approach: To address the challenges of globalization, there is a need for a holistic risk management approach that considers not only IT and technical risks, but also social, ecological, legal, healthcare and political risks. As a prominent example, the recent outbreak of the coronavirus (COVID-19) is introducing new risks for almost all enterprises, which should be considered in the scope of risk assessments.
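The following is an added example, not code from the original post, showing how the probability × impact rule of thumb from the "Ranking and Evaluation" step combines with two of the guidelines above: continuous assessment triggered by suspicious events, and re-ranking triggered by risk ratings shared by an interconnected partner. The register structure, the risk names, the probability and impact values, and the treatment threshold are all constructed for illustration and are not taken from any framework or real data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    """One entry of a risk register (hypothetical structure, not a standard schema)."""
    name: str
    asset: str
    probability: float  # estimated likelihood of occurrence, 0.0 to 1.0
    impact: int         # estimated damage to the organization, 1 (low) to 5 (severe)
    owner: str          # risk owner responsible for the treatment plan

    @property
    def score(self) -> float:
        # Rule of thumb from the post: rank = probability x potential damage
        return self.probability * self.impact


class RiskRegister:
    """Register that re-ranks its risks on a schedule and on events."""

    def __init__(self, risks: List[Risk], treatment_threshold: float = 1.0):
        self.risks: Dict[str, Risk] = {r.name: r for r in risks}
        self.treatment_threshold = treatment_threshold
        # Assessment log: (trigger, ranked risk names), oldest first
        self.history: List[Tuple[str, List[str]]] = []

    def assess(self, trigger: str) -> List[Risk]:
        """Rank all risks by score and record which trigger caused the run."""
        ranked = sorted(self.risks.values(), key=lambda r: r.score, reverse=True)
        self.history.append((trigger, [r.name for r in ranked]))
        return ranked

    def needs_treatment(self) -> List[str]:
        """Names of risks whose score is at or above the treatment threshold."""
        return [n for n, r in self.risks.items() if r.score >= self.treatment_threshold]

    def on_suspicious_event(self, asset: str, new_probability: float, event: str) -> List[Risk]:
        """Continuous assessment: a suspicious event on an asset raises the
        probability of every risk tied to that asset and triggers a re-ranking."""
        for r in self.risks.values():
            if r.asset == asset:
                r.probability = max(r.probability, new_probability)
        return self.assess(f"event:{event}")

    def on_partner_update(self, partner: str, shared_ratings: Dict[str, float]) -> List[Risk]:
        """Information sharing: an interconnected partner shares updated
        probabilities for risks on shared assets; adopt them and re-rank."""
        for name, probability in shared_ratings.items():
            if name in self.risks:
                self.risks[name].probability = probability
        return self.assess(f"partner-update:{partner}")


def build_example_register() -> RiskRegister:
    """Constructed sample register; the values are illustrative, not measurements."""
    return RiskRegister([
        Risk("ransomware on file server", "file-server", 0.3, 5, "IT ops"),
        Risk("phishing credential theft", "workforce", 0.4, 3, "security team"),
        Risk("IoT sensor tampering", "plant-sensors", 0.2, 3, "OT engineering"),
        Risk("partner plant outage", "supplier-plant", 0.1, 4, "supply chain"),
    ])


def ranked_names(risks: List[Risk]) -> List[str]:
    return [r.name for r in risks]


if __name__ == "__main__":
    reg = build_example_register()
    print("scheduled:", ranked_names(reg.assess("scheduled")))
    # A partner in the value chain reports a much higher outage probability
    print("after partner update:",
          ranked_names(reg.on_partner_update("supplier", {"partner plant outage": 0.6})))
    # A suspicious event on our own asset triggers an unscheduled re-assessment
    print("after IDS alert:",
          ranked_names(reg.on_suspicious_event("file-server", 0.7, "ids-alert")))
    print("needs treatment:", reg.needs_treatment())
```

The point of the example is that the ranking is not a periodic snapshot: the partner's shared rating moves "partner plant outage" from last place to first without any change on our own infrastructure, and the assessment log records which event or which partner triggered each re-ranking, which is the audit trail a review step needs.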


Overall, risk management remains an important process for the business continuity and well-being of modern enterprises. Nevertheless, conventional risk assessment frameworks fall short when it comes to addressing risks in modern, complex, dynamic and globalized business environments. Hence, there is a need to consider revisions and enhancements to existing frameworks and tools in order to address contemporary challenges and risks. In this context, our solution recommendations and guidelines can provide a starting point for improving your risk management processes.

2020 IT Exchange, Inc