Think of risk not as an activity but as a capability. Build the capability as it will allow your organisation to scale. Things may not go entirely to plan all the time, but with this capability being constantly practised, consequences will be avoided or minimised.
Controls are the science to avoid issues, or if issues occur, they are within expected tolerances. So who implements them?
Service providers (i.e., Microsoft) or teams responsible for managing the service (application team) are ideal to implement primary controls.
Leveraged controls are provided by another party (e.g., security within an organisation) and assist the team in providing the service.
Compensating controls are implemented by a team to manage risk prior to a primary or leveraged control being implemented. This situation is not ideal, but is likely to assist in reducing inherent risk or possibly achieving a residual risk position.
The art of risk management encourages a risk culture beyond training, incentives, and consequences. Teams who analyse risks and implement controls will improve awareness and practices of risk. When completing activities like this, the team will likely identify other issues. Encourage this as it helps really bad things occurring!
Teams should always be encouraged to self-identify issues.
Issues should be documented with a forecasted closure date. If possible, expedite closure prior to the forecasted date.
Teams should also be measured on both the frequency and length of issue extension rates. An issue not closing on the forecasted date may indicate an area of underinvestment or poor vendor performance.
Always ask your people what else needs to be considered. Encourage teams to refine their ideas by applying the "Pareto Principle" to these suggestions; 20% of your effort contributing to 80% of the result
Comments