Recommendations for Implementing a Practical Risk Management Program
This final post in the series offers some recommendations on "how" to implement a practical risk management program in your organization. Check out parts one and two for the "why" and "what" of practical risk management.
Educate Decision Makers - Practical risk management relies on buy-in from the decision makers. Only by understanding the process can they make good decisions about which risks are accepted and which need to be reduced. A clear definition of risk severity levels is critical to this step.
Integrate into Existing Processes - Chances are you already have processes in place to manage and control new and changing technology and processes. Tie risk management to these processes instead of creating yet another meeting. A Project Management Office, purchasing process, technical review process, and change management process are all great candidates to integrate with risk management. Try to catch potential risks as early as possible in the process. It's much, much easier to change a process or technology before implementation.
Create a Register - Track all active risks. Document each risk as it travels through the management process. Be consistent with your documentation so it becomes the trusted log of your actions to reduce risk at your organization.
Keep Score - Good documentation will allow you to produce good metrics and report a summary back to the decision makers on the effectiveness of the program. Breaking down risks by business division or process can apply some peer pressure to problem areas. Also, measuring the time risks spend in the process before they are reduced to an acceptable level is a great measure of the overall effectiveness of the information security program.
Follow Up - Commit to service level agreements within your practical risk management program. This keeps risks from stalling in continuous discussion without some sort of escalation. It can also help keep the decision makers committed to guiding and supporting the program.
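The register, scoreboard and follow-up SLA described in the last three recommendations can be sketched as one small data structure. The following is an added example, not code from the original post: it keeps an append-only status history per risk, reports open and closed counts per business division, computes the mean time risks spent in the process before closure, and flags active risks that have exceeded a follow-up SLA. The SLA day limits and the sample risks are constructed for illustration and are assumptions, not figures from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Status(Enum):
    IDENTIFIED = "identified"
    ASSESSED = "assessed"
    MITIGATING = "mitigating"
    ACCEPTED = "accepted"   # decision maker formally accepted the residual risk
    REDUCED = "reduced"     # controls brought the risk to an acceptable level


# A risk leaves the active process once it is accepted or reduced.
CLOSED = {Status.ACCEPTED, Status.REDUCED}

# Hypothetical follow-up SLA (assumption, not from the post): maximum days a
# risk may stay active, by severity level, before it is flagged for escalation.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 120, "low": 365}


@dataclass
class Risk:
    risk_id: str
    division: str
    severity: str
    # Append-only log of (timestamp, status, note): the trusted record of actions.
    history: list = field(default_factory=list)

    def transition(self, when: datetime, status: Status, note: str = "") -> None:
        """Record a state change; the log must stay chronological."""
        if self.history and when < self.history[-1][0]:
            raise ValueError("history must be chronological")
        self.history.append((when, status, note))

    @property
    def opened(self) -> datetime:
        return self.history[0][0]

    @property
    def status(self) -> Status:
        return self.history[-1][1]

    def closed_at(self):
        """Timestamp of the first accepted/reduced entry, or None if still active."""
        for when, status, _ in self.history:
            if status in CLOSED:
                return when
        return None

    def days_active(self, now: datetime) -> int:
        """Days spent in the process: until closure, or until `now` if still open."""
        end = self.closed_at() or now
        return (end - self.opened).days


class RiskRegister:
    def __init__(self):
        self.risks = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def overdue(self, now: datetime):
        """Active risks past their severity's SLA, as (id, days over), worst first."""
        result = []
        for r in self.risks.values():
            if r.closed_at() is None:
                over = r.days_active(now) - SLA_DAYS[r.severity]
                if over > 0:
                    result.append((r.risk_id, over))
        return sorted(result, key=lambda item: -item[1])

    def by_division(self):
        """Open/closed counts per business division for the scoreboard."""
        counts = {}
        for r in self.risks.values():
            bucket = counts.setdefault(r.division, {"open": 0, "closed": 0})
            bucket["closed" if r.closed_at() else "open"] += 1
        return counts

    def mean_days_to_closure(self) -> float:
        """Average time closed risks spent in the process (program effectiveness)."""
        durations = [(r.closed_at() - r.opened).days
                     for r in self.risks.values() if r.closed_at()]
        return sum(durations) / len(durations) if durations else 0.0


def build_sample_register() -> RiskRegister:
    """Constructed sample data (assumption) exercising the register."""
    reg = RiskRegister()
    r1 = Risk("R-001", "Finance", "high")
    r1.transition(datetime(2012, 1, 2), Status.IDENTIFIED, "found in change review")
    r1.transition(datetime(2012, 1, 5), Status.ASSESSED)
    r1.transition(datetime(2012, 1, 10), Status.MITIGATING)
    r1.transition(datetime(2012, 2, 1), Status.REDUCED, "control implemented")
    r2 = Risk("R-002", "Finance", "critical")
    r2.transition(datetime(2012, 1, 15), Status.IDENTIFIED)
    r2.transition(datetime(2012, 1, 20), Status.ASSESSED)
    r2.transition(datetime(2012, 1, 25), Status.MITIGATING)
    r3 = Risk("R-003", "Operations", "low")
    r3.transition(datetime(2012, 2, 10), Status.IDENTIFIED)
    r3.transition(datetime(2012, 2, 20), Status.ACCEPTED, "residual risk accepted")
    r4 = Risk("R-004", "Operations", "medium")
    r4.transition(datetime(2012, 2, 15), Status.IDENTIFIED)
    for r in (r1, r2, r3, r4):
        reg.add(r)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    now = datetime(2012, 3, 1)
    print("by division:", reg.by_division())
    print("mean days to closure:", reg.mean_days_to_closure())
    print("overdue:", reg.overdue(now))
```

With the constructed data, the critical risk R-002 has been active for 46 days against a 30-day SLA and is the only item flagged for escalation; the two closed risks averaged 20 days in the process. Keeping the history append-only is what makes the register trustworthy as a log rather than a snapshot.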
Be Flexible - Above all, develop a practical risk management program that works for your environment. The program should be able to keep up with the changing business goals of the organization and, through that, improve the overall information security posture.
Tags: IT GRC, IT risk management