As described in risk management essentials, the basic formula for determining the level of risk is to multiply the likelihood of potential future events by the projected impact of those events. You can enhance that formula in numerous ways. This post proposes a modified formula to facilitate risk prioritization for business-critical processes and systems, improving risk management effectiveness:
Identify business-critical processes
You may already identify business-critical teams, processes and systems as part of your resilience or business continuity program. If so, use that information for this analysis. If this information isn’t already available, identify these processes. This analysis should include considerations such as essential operations, safety, regulatory compliance and your ability to provide products/services that your customers rely on for their operations.
You should consult a broad range of internal stakeholders to identify process disruptions which would escalate to executives quickly. For example, finance systems typically qualify as essential. Some sector-specific examples include:
- point of sale systems and online stores for retail
- electronic health records systems for health care
- payment processing systems for financial institutions
- industrial control systems for utilities and manufacturing
List systems supporting those business-critical processes
For each business-critical process, there are two parts to determining the relevant systems necessary for executing those processes. The first part is to identify the systems with direct employee, public or customer interaction by asking the process experts and analyzing the procedural instructions for the processes. For the second part, ask the IT teams supporting those applications to identify the indirect system dependencies and essential integrations. For example, an order management system may rely on an external tax calculation system. If tax can’t be calculated, the order entry process might be incorrect or disrupted.
Identify potential events, assigning likelihood and impact
You should consider the types of events which might negatively impact the critical process and supporting systems. If guidance would be helpful, consider Executive Perspective on Top Risks for 2024 and 2034 or the sources of events in the risk management essentials post. Include potential events in these categories:
It can be helpful to define time-based events for critical process disruptions, so that longer disruptions are assigned a higher impact score. For example, the “financial system is unavailable for 10 minutes” event may have a lower impact than the “financial system is unavailable for 10 hours” event.
Apply business-criticality to impact score
Here’s where the enhanced risk formula gets used to generate the inherent risk score per event. Let’s suppose the methodology multiples the impact by 2 for events affecting a business-critical process or system, while impact for non-critical events is multiplied by 1.
To illustrate, we’ll compare similar events for critical and non-critical disruptions. In this example, the risk management methodology will use event likelihood and impact values of 0-10. Assigning a likelihood of “3” and an impact of “5” for both events, the enhanced formula scores the inherent risk for the critical system as “30”, compared to the non-critical system inherent risk score of “15”:
Inherent Risk = Likelihood X (Impact X Business Criticality)
“Critical system 2-hour outage” event inherent risk = 30
3 X (5 X 2) = 30
“Non-critical system 2-hour outage” event inherent risk = 15
3 X (5 X 1) = 15
Adjust risk scores based on existing controls
Risk management methodologies should then determine residual risk by adjusting the inherent risk scores to reflect the preventive and detective controls which reduce the likelihood or impact of adverse events for systems supporting business-critical processes. For events that focus on data protection, leverage recommended information security controls in industry standards such as SOC 2 Trust Criteria. ISO 27001, US NIST 800-53 and CIS.
Let’s walk through an example of adjusting risk scores for a critical financial system. Residual risk would be reduced if these types of security controls are in place:
- Strict role-based access is enforced using a ”least privilege” approach
- Login (authentication) credentials and other sensitive data are encrypted in transmission and storage
- Appropriate security logs are created, monitored and actioned
- Systems are in a physically secure location with limited access
- Weekly and daily backups are both performed and validated, with periodic tests of restoring from backup
Align risk level to executive risk tolerance
If residual risk scores exceed executive guidance, implement changes which modify the likelihood or impact of the potential events, so that residual risk is at acceptable levels. You can start with the highest risks first, select some “easy wins”, or combine these approaches.
Recommendations
Oracle offers these suggestions and resources to help customers manage risk for their business-critical processes and supporting systems:
- Select and implement a risk management methodology, such as NIST Risk Management Framework (RMF), ISO 31000 or those listed in EU ENISA’s list of risk management frameworks.
- Periodically perform a risk analysis, with attention to critical processes and their supporting systems. Keep this up to date for changes in processes, technology, policies, acquisitions or regulations.
- If Oracle products are used in business-critical systems:
- Explore Oracle’s Trust Center including security practices and watch the tour video.
- Subscribe to email notifications about Oracle’s Critical Patch Updates and Security Alerts.