Risk management is essential to the success of every company
In business, risk is the likelihood that a loss will occur when a threat exploits a vulnerability, combined with the size of that loss. An organization must take risks to thrive, but it cannot afford to ignore them. The key is to understand the threats and vulnerabilities that apply to the business, and then to mitigate each risk either by reducing the vulnerability itself or by reducing the impact of the loss should the threat succeed. Risk-related concerns to consider are:
- Compromise of business functions. Business functions are the activities a business performs to sell its products or services. If these functions are negatively affected, the business loses revenue.
- Business assets. An asset is anything that has measurable value to a company, whether tangible or intangible: IT systems, network equipment, software, data, and customers and customer influence. When an asset is compromised, the loss shows up as repair costs, lost revenue, loss of future revenue, and the cost of winning back customers.
- Driver of business costs. Risk, and the controls used to manage it, add to the cost of running a business.
- Profit compared to survivability. Profitability is a company's ability to make a profit. Survivability is a company's ability to survive a loss caused by a risk that materializes. Funds spent on mitigating risk take away from profit and do not directly contribute to revenue. A core concept of risk management is therefore to weigh the cost of risk controls against the threats that could affect the survivability of the business. If too much is spent on risk controls, the company will not make a profit; if too little is spent and significant threats are not adequately mitigated, the company may fail because of the resulting loss.
The National Institute of Standards and Technology (NIST) Special Publication 800-37 Revision 1 provides a guideline for applying the Risk Management Framework to federal information systems. This publication states that organizations depend on information technology and information systems to successfully carry out their missions and business functions. The information within these systems, and the systems themselves, are subject to significant threats that can have an adverse impact on an organization's operations. Given the significant and growing danger of these threats, it is critical that leadership at all levels of an organization recognize the importance of managing information system-related security risks and implement well-defined risk management processes (Locke & Gallagher, 2010).
In summary, risk can result in losses that negatively affect business functions, up to and including causing the business to fail. A comprehensive risk management program is therefore essential to the success of every company.
Locke, G., & Gallagher, P. (2010, February). NIST SP 800-37 Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems. Retrieved August 25, 2016, from NIST: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf