Identifying Your Biggest Risks: 2 Practical Tips

Risk management is vital. That’s something everyone working with information security and data protection can agree on.

Published: April 21, 2025
Jacob Høedt Larsen, PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of Sustainable Compliance podcast and an expert on GRC workflows, supported by software, setting up a GRC program, managing a GRC team and securing management buy-in.


But the next question is:

“How do we identify and prioritise the biggest risks in our organisation?”

That was exactly what a reader of Sustainable Compliance recently asked us.

The Risk Triangle

A risk consists of three elements: a threat (for example, a hacker or a disgruntled employee) exploits a vulnerability (such as outdated software or weak passwords) to attack something that has value to us – like our reputation or production.

And that’s the key to identifying the most important risks.

Value: What keeps leadership awake at night

We should always start with what matters most to us.

As Marie Bjerre Simonsen from Wired Relations puts it, the key to effective risk management is figuring out:

“What keeps your manager awake at night.”

We usually know which systems and processes are mission-critical in our organisation. If the coffee machine gets hacked, we’ll survive. But if a dismissed employee tampers with a system that halts production for a week – that’s a much bigger problem.

So that’s the best place to start: Get an overview of which systems and processes are essential to your business.

That requires visibility into your systems and vendors – which you can learn more about here: https://www.wiredrelations.com/dk/produkt/systemer-og-leverandoerer


Threats: A Good Catalogue Goes a Long Way

What – or who – are you most worried about? Hackers? Disgruntled employees? Flooding?

The threats to your organisation’s information security are numerous. That’s why many of us turn to threat catalogues for inspiration and structure when identifying and prioritising our key risks.

Here are a few examples of threat catalogues:

Each of these brings a different perspective – some focus on privacy and data protection, others on cyber threats. What they all offer is inspiration and a systematic approach.


The Most Important Step: Just Get Started

The best way to learn about your organisation’s risks? Start conducting risk assessments.

The first one probably won’t be perfect. But over time, your understanding of what truly poses a risk will improve significantly.

So here’s the best advice we can offer:

Just get started.

Identification Is the First Step in Risk Management

Effective risk management involves four key stages:

  1. Identifying risks
  2. Assessing risks
  3. Mitigating risks
  4. Monitoring risks

Here's how to structure your entire risk management process.
