Governance, Risk Management, and Compliance blog

Risk assessments must align with business goals

[fa icon="calendar"] Monday, 16 December 2019 / by Jakob Holm Hansen

It is not just a huge help for general management when company risk assessments are based on concrete business goals. Business-based risk assessments also help information security managers to prioritize what scarce resources they have.

German language version Danish language version Norwegian language version

When information security managers undertake risk assessments, they quite often follow a fixed procedure. They base their approach around a range of systems and processes that have at some point been defined as critical. They go through the threat catalog. If there are any known vulnerabilities in a system, they dive down into the details and develop a concrete threat assessment for that system – even if it doesn't play a central role in the overarching operations of the business.

"This approach has broadly worked well so far. Many vulnerabilities have been identified this way. But instead of assessing everything, our recommendation is that it is only necessary to carry out risk assessments that are directly related to the goals of the business," says Jakob Holm Hansen, NorthGRC CEO.

"Instead of assessing everything, our suggestion is that
it is only necessary to carry out
risk assessments
are directly related to the goals of the business"

Jakob Holm Hansen

Break down into sub-goals

No matter whether you are a public organization that provides citizen services or a private company that sells a product, your company management will have defined a strategy in place. This strategy typically consists of business goals, enshrined values, or something similar.

"As an information security manager, you need to break each overarching goal down into sub-goals and then carry out threat assessments on the systems and processes that support each sub-goal.

If, for example, a company has an overarching strategy to deliver the best customer service in the country, then the information security manager should assess threats to the communication channels that make it possible for customers to contact the company at all times."

Access to general management

Whenever information security managers carry out risk assessments based on business goals, this can help to strengthen their collaborative relationship with general management. It is not reasonable to expect general management to understand a technical risk assessment that covers the entire system landscape and all of its infrastructure. But it is easy enough for them to understand a security assessment based on business goals that they themselves have helped to shape.

"For example, it might be the case that a company's growth in the next two-to-three quarters is bound up with the launch of a new product. If the information security manager takes this product launch as their starting point, they can give management a goal-oriented risk assessment of the aspects that interest them the most. They understand very well what it means for the business if something such as a product launch has to be postponed because of IT security challenges."

Use common sense

Jakob Holm Hansen emphasizes that information security managers do not need to totally reinvent their working methods in order to start basing their threat assessment work around business goals. It is primarily about flipping the traditional approach on its head.

"You still have to take a position on threats. The only difference is that the priority level is changed. It involves a great deal of common sense in that respect. It's about undertaking risk assessments in areas where the company most stands to benefit. That way you can save resources and streamline your own workflow."

Break the habit

Conducting risk assessments based on business goals may well mean an end to that typical 'what-we-always-do' mentality.

"A lot of risk assessments are repeatedly performed simply because they have always been done. This simply means that somebody once considered certain systems and processes to be critical to the business. But are they still critical?" asks Jakob Holm Hansen, concluding that:

"When you perform risk assessments based on business goals, you automatically put yourself more prominently into play and display an acute understanding of the business. This is a good way to come closer to management decisions."

Our GRC platform can help you to perform efficient risk assessments. Read more here

Free guide on risk management

Download our guidance manual and learn how to base your information security on the actual risks facing your organization. Just as ISO 27001 prescribes.

The guidance manual is based on risk management standard ISO 27005.

Download it here

Free guide on risk management



Emner: information security, Risk assessments, risk treatment

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts