We believe that organisational resilience is underpinned by good risk management which can be used to indicate areas requiring investment or tighter control. Our risk management pedigree is bourne from safety critical industries such as military aviation however our primary mission is to make sure risk management is not just the preserve of those who can afford expensive risk management consultants.
In an ever interconnected world and with the growing use of SaaS and Cloud technology all organisations now require the ability to identify, understand and mitigate the risks they face – particularly in the Cyber domain. Recent legislation such as General Data Protection Regulations (GDPR) and the Network and Information Systems Regulations 2018 (NIS) has driven Information Security to the forefront of the agenda for most business but the question still remains, how do I manage my risks in this area?
Traditional risk management often lacks dynamism, engagement and frequently lags behind reality which means it is often the last agenda item not the first!
Traditionally risk management has been an area of specialist knowledge and approaches to risk management have been highly process-driven. Without frequent and time consuming engagement, usually by risk managers using enormous spreadsheets, these traditional methods result in mitigation measures very often lagging behind reality.
The Petrochemical and Aviation industries realised this approach wasn’t working for them sometime ago and moved to using a “Bow Tie” barrier model which visualises risk so that experts and non-experts can understand where to focus effort, what it is they need to do and why.
In the barrier model above, the center refers to an event occurring, a loss of control, a website being hacked for instance. Those boxes on the left are threats that can lead to that event occurring and the boxes on the right are consequences of that event occurring. The lines and the barriers on them describe controls you can put in place to attempt to stop and event from occurring or once it has attempt to stop a consequence from occurring. The diagram loosely resembles a “Bow Tie” which is how that methodology got its name.
This premise that layering controls can help stop threats from realising events and consequences comes from the Swiss Cheese Model created by Professor James Reason. If we say that no one control is absolute and therefore always has a hole or two, then there is always a lieklyhood that a control will fail to stop a threat or an event from realising a consequence.
If however we layer different controls with different holes the probability that a threat or event can successfully navigate through them all is greatly reduced. In Cyber security terms this was later reflected in the “Defence in Depth” approach where the layering and overlapping of security enforcing functions greatly reduces the ability of an attack(er) to move throughout a system based on one or two exploits alone.
Our risk experts can work with your team to develop barrier models for your organisation and advise on the best way for your own team to maintain them. We also work with our experts in Cyber and Intelligence to make sure you have the most complete picture possible of your risk holding.
As part of our risk portfolio we provide application risk assurance for high risk partners. We validate application interoperability ensuring that critical information is where it needs to be, when it needs to be there and most importantly that it is complete. Over the last 8 years we have found numerous instances of standards being "interpreted" by vendors leading to implementations that on paper are interoperable when in practice they aren't.
Our services focus around two main areas;
Provides overarching understanding by detailing operational context, data, information sharing requirements, data flows and specific details associated with an issue or shortfall.Find Out More
This provides a managed approach to the planning and execution of real world tests to help reduce risk through actual use and rehersal.Find Out More
Interoperability issues can at best add significant delay and cost to a project, at worst they can lead to the most severe types of risk being realised if the issues are unknown.
If you operate in high risk or highly regulated areas such as Financial Services our application risk assurance offerings can help you assure your supply chain decisions and fix interoperability issues much earlier in your projects protecting your organisation from shock later down the line.
"I most often see two obstacles getting in the way of building a risk management culture; perceptions and priorities"
Our risk experts have extensive experience of developing risk management doctrine and cultural programmes for Government and high risk commercial clients. Coming from an environment where risk management is primacy yet having worked extensively in industry means they are ideally placed to help balance risk management priorities against commercial operational environments.
Risk doctrine in the form of policy and process must be proportionate to the organisation, pragmatic for its staff and help support the organisational culture. There is often a disconnect between what is written and "the way things are done around here" which immediately leads to risk in itself. Our team can help identify deltas in both your doctrine and its implementation and assist you in bringing both closer.
The development of a culture of risk management has been very successfully used in safety critical industries and has been proven to reduce the incidences and severity of a large number of risks. We dont believe it should stop there, we believe that a culture of risk management should exist in every business, regardless of size, because the weakest link in the chain is ultimately human.
Our risk experts can draft and review your policy and process to make sure it is proportionate to your business and through cultural development that it is used by your employees rather than just used against them. Empowering people to speak out about risk, whether Cyber based or not, enables the organisation to manage it at the earliest opportunity and thus likely avoid the coming to pass of an event or consequence.