Think ‘Context’ When Managing Information Risks
A common failing that we often see when organisations perform risk management is a lack of ‘complete’ understanding of the potential impacts of an information security breach from both internal and external perspectives, i.e. not fully understanding the context of the organisation. You need to be thinking of risks from the perspective of all stakeholders, e.g. Board, shareholders, employees, customers, regulators, partners. You also need to be assessing not just the financial impacts of a breach (e.g. fines from regulators, loss of revenue) but also the impacts from a brand and reputation perspective and from a corporate culture perspective (e.g. health and safety).
Understanding the needs and expectations of all interested parties will help you assess which types of threats could be the most harmful to the organisation. In order to gain a ‘complete’ understanding, it is important to engage as many of the different areas of your organisation as possible, e.g. Sales, Finance, HR, Legal, Operations, Purchasing, in order to understand which risks are of greatest concern.
It is also absolutely critical to obtain the views of the Board and Senior Management Team, as they are ultimately accountable for the risks the organisation faces. By ensuring their most significant risks are being fully assessed, you are most likely to gain full buy-in to any risk remediation programme and investment in your information security management system.