  • Top 5 Tips for sustaining your remote risk assessment…

    By Kirsten Savage on March 24, 2021


      Organisations are subject to ongoing risk, whether from their remote working systems or processes, from the implementation of new systems such as a cloud-based ERP, or from changing business or economic environments, e.g. the risks associated with COVID-19.


      Risk management is a system and process that requires continuous application and needs sustainable practices in order to be continuously effective. Drawing on Ward Solutions’ 20 years’ experience helping organisations manage their information risk, these are the top 5 tips that help us help our clients to sustain their risk management programs.

      So what are the top 5 tips to sustain your remote working risk management program?

      1. Treat this remote working risk assessment as a small part of a larger journey, not a destination – A one-off risk assessment and remediation project is of very limited value. You need to position your remote working risk assessment as one part of a bigger, more comprehensive and continuous risk management program and process. Risk management is a continuous process of assessing risks, tracking and managing your remediation program(s), verifying your controls are in place and working, reassessing already identified risks, looking for new risks, fixing noncompliance, and performing after-action reviews of incidents. Keep your risk register alive, up to date, and accessible.
      2. Embed remote working risk assessment into your overall risk management system and onwards into your SSDLC – Your remote working risk assessment and risk management exercise is just one part of, and needs to fit into, an overall organisational risk management system. Whatever systems development model you use (Waterfall, Agile, DevOps etc.), you need to embed risk assessment and risk management into this lifecycle. Think of it as having an SSDLC (Secure Systems Development Lifecycle), i.e. SecDevOps. Embed risk and security management activities and processes into every stage appropriately: secure design at the design stage, security and risk management requirements at your requirements stage, etc. Follow your standard ISMS lifecycle of Plan, Do, Check, Act (PDCA).
      3. Communicate, communicate, communicate – Really strong and proactive communication of your risk management program is key to sustaining momentum and buy-in. Tailoring the message and the relevant parts of the risk program to the relevant audiences is also key. You will have a different and higher-level message for your executive and a more specific and perhaps operational message for, e.g., your grass-roots remote worker teams. Even within those teams you might have a different ask or update for remote sales teams vs remote finance or customer support teams. Framing the message around successful remediations, progress, wins and areas for continuous improvement, rather than “shouting at the wind” with a list of failures, unaddressed risks and control failures, is important and sets a better and more encouraging tone.
      4. Test, test and after-action review – Don’t assume that the controls you implemented continue to operate, or even that they operate as designed. It is important to continuously validate your controls and remediations with a series of audits and tests to verify compliance with their design. You should also design your tests to challenge the continued effectiveness of the control. New threats and vulnerabilities may have emerged since you designed the control. New controls may have emerged that are more effective or easier to operate. Users may have adapted the control based on business process or operations. So you need to challenge the effectiveness of the control as well as its continuous operation. You also need to review controls in after-action reviews of incidents and events to see how those incidents occurred and whether the control was applied and was effective. It may be that the control was in compliance but additional controls are now required.