“Dealing with risk is part of governance and leadership, and is fundamental

to how an organization is managed at all levels.” — International

Organization for Standardization

In February 2018, the International Organization for Standardization (ISO)

released an updated version of its risk management guidelines, ISO
31000:2018, The 2018 update, which replaced the prior version from 2009,
provides:

 Updated and simplified language and reference structures;

 A renewed focus on the key leadership role that boards and top
management must play in ensuring that risk management is fully
integrated at all levels of the organization; and

 Greater attention to the cyclical and iterative nature of risk

management, which underscores the notion that organizations must
evaluate their risk management process in light of new information or
in response to feedback about gaps that might be present in the
current risk process or associated controls.

Breaking Down ISO 31000:2018

In a world where standards often weigh in at hundreds of pages, the 16
pages of ISO 31000:2018 constitute a succinct and concentrated guide to
help organizations improve the way they manage their risks. The
document, which can be read in about one hour, consists of four major
sections:

1. The definitions of key terms such as risk, risk management,

stakeholder, risk source, event, consequence, likelihood and control;
2. The principles of risk management — namely, that risk management
is integrated, executed via a structured and comprehensive
approach, customized, inclusive, dynamic, based on the best
information available regarding both human and cultural factors, and
continuously improved;
3. A framework for ensuring that risk management is properly
implemented, well-integrated throughout the organization, carefully
designed, regularly reviewed, and continuously adapted and
improved; and
4. A section on the risk management process itself, including the
traditional elements of risk identification, analysis, evaluation and
treatment, bolstered by a monitoring and review element as well as a
 communication and consultation element — the former to improve
the effectiveness and quality of the risk management process, and
the latter to ensure that “factual, timely, relevant, accurate and
understandable” risk information is being communicated and used for
decision-making.

Five Takeaways for Boards and Top Leadership

While ISO 31000:2018 is far from the only document covering enterprise
risk management, one would be hard-pressed to find a more succinct set of
principles for implementing and evaluating a risk management process. But
brevity isn’t just the only benefit of this document. Below are five of the top
takeaways from ISO 31000:2018 for board directors and top management.

1. Executive Buy-In Is Key

The document includes clear language about the importance of strong

leadership and commitment to the risk management program. Executives
should ensure that the risk management process is fully integrated across
all levels of the organization and strongly aligned with objectives, strategy
and culture.

2. Consider Risks in Business Decisions

ISO 31000:2018 also includes reminder that boards are responsible for
ensuring that risks are given adequate consideration when decisions are
being made, since those risks can impact the organization’s ability to
deliver value.

3. Emphasize Proper Implementation

Boards also need to ensure that the risk management process is properly
implemented and that the controls have the intended effect. Board directors
may not have adequate domain expertise to fully grasp the significance and
impact that cyber risks present to the organization. In such cases, they
should bring in an external advisor to provide context and ensure that
management’s actions are in line with the strategic importance of the cyber
domain.

4. Risk Management Is Not One-Size-Fits-All

The document has a clear articulation of risk management as a cyclical

process with ample room for customization and improvement. But instead
of prescribing a one-size-fits-all approach, the ISO document advised top
leadership to customize its recommendations for the organization — in
particular, its risk profile, culture and risk appetite.

5. Be Proactive

While the document does not address cyber risks specifically, it provides
powerful guidance to help executives take a proactive stance on risk and
ensure that risk management is integrated with all aspects of decision-
making across all levels of the organization. This includes business
continuity, compliance, crisis management, HR, IT and organizational
resilience.

Five Takeaways for CISOs

While top leadership would obviously benefit from reading and
implementing the recommendations articulated in ISO 31000:2018, chief
information security officers (CISOs) can also derive value from the
guidelines. Below are five takeaways for CISOs.

1. Throw Out the Techno-Babble

The document provides a common language with simple, uncomplicated

definitions of risks, events, consequences and the subtle implications of
terms such as probability versus likelihood. The ISO document prefers
“likelihood” for its broader meaning as the “chance of something
happening, whether defined, measured or determined objectively or
subjectively, qualitatively or quantitatively, and described using general
terms or mathematically.”

CISOs should align their own use of terms to ensure communications are
taking place without the hindrance of complex language or, worse, techno-
babble. If a metric is too complex, it should not be shared with the board.
However, it might still be useful as part of a larger metric representing trend
lines on the organization’s overall cyber health and resilience.

2. Know the Cyclical Nature of Risk Management

ISO 31000:2018 focuses on the cyclical nature of risk management,

helping security leaders understand and control the impact of risks,
especially cyber risks, on business objectives. The various elements of the
guidelines — from the principles to the framework and process — converge
to improve and strengthen the organization’s ability to evaluate,
communicate and consider risks in business decisions, and to select
controls to help mitigate or transfer risks to fit within organizational
tolerances.

3. Use the Best Available Information

Much of risk management is centered on the best available information,

with all the ambiguity and imperfections the term implies. Instead of
seeking to only share absolute risk information, CISOs should embrace this
nebulous understanding and reflect on the cyber risk data they provide to
solidify their role as effective advisors to the business.

The data CISOs provide should be relevant and understandable, delivered

within a reasonable time frame and qualified with appropriate statements
regarding its accuracy. This is especially true when responding to a cyber
incident because the quality of the information that is initially available is
often very different from the data revealed by a forensic review.

4. Measure Success

The guidelines also emphasize the value of measuring, evaluating and

improving the risk management system itself. The idea isn’t to get
everything right the first time around, but to improve every time the cycle is
completed. Even imperfect risk data can be useful, as long as it is
presented along with a timeline showing a trend. Flat trend lines might be
acceptable for some risks and controls, whereas for others, top
management and board directors should expect to see clear signs of
progress. Ultimately, CISO reports should provide quality information to
executives.

5. Engage Top Leadership in Risk Management

The ISO guidelines, together with the “Director’s Handbook on Cyber-Risk

Oversight,” published by the National Association of Corporate Directors
(NACD), outline a road map to help CISOs engage with top management
on the governance of cyber risks. Both of these documents were created
for business leaders, but they are also useful resources to help CISOs
guide the thinking and activities of executives.

Ready to Get Started?

A companion summary of the changes outlined three action items to help
CISOs and business leaders get on the path to improved risk management,
which are outlined below.

1. “Be aware of your organization’s key objectives”: Having clearly

articulated objectives is key to identifying risk management targets
and requirements.
2. “Assess your current governance structure”: This helps business
leaders ensure that lines of reporting and roles/responsibilities are
adequate, that the board has unobstructed access to CISOs and that
CISOs have proper visibility and support.
3. “Define your level of commitment”: Organizations should precisely
state and share their commitment to the risk management process,
and consciously evaluate both their risk tolerance and where they
should be on the risk appetite scale.

Whether you’re ready to implement your first risk management process or

looking to improve an existing one, the ISO 31000:2018 guidelines can
help manage uncertainty while protecting value. When it comes to cyber
risks, organizations cannot afford to take a wait-and-see approach.

Thanks to Google.