August 20, 2014

Building a framework for Integrated Risk Management

Justin Fimlaid

If you ask 10 IT business leaders "What is risk management?", you will probably get 10 different answers. If you ask those same 10 IT business leaders "How can a formal risk management program help IT deliver core services and strategic processes?"…well, I hope you get an answer.

I talked with a friend last week who is the CIO for a Fortune 500 company and asked those very same questions. We fumbled through the conversation but eventually reached the same conclusions.

A formal risk management program can dramatically enable IT and business operations by giving management teams a proactive view of potential business issues and providing guidance for dealing with those issues before they escalate into full-blown problems. When businesses are purposeful and intentional about managing risk, they can improve operational efficiency, save money, and increase the chances that project or department objectives are delivered on time.

When developing or maturing a risk management program, I equate the effort to trying on a pair of shoes--it needs to fit and be comfortable in order to be effective for your business.

There are critical factors to decide on before constructing, or giving a tune-up to, your risk management program. Here are five things to think about:

1. Agree upon a language for risk and control. Establishing a common language and teaching people to use it is the most important thing you can do. I don't think there are any surprises with this one, and it's a pretty simple concept--if communication were not important, the company Rosetta Stone would not exist.

2. Establish shared contexts. People do this implicitly, and its value is often overlooked. Networking enables people with shared experiences to communicate about ideas and share opinions. Brought back to risk management, talking about the goals of a program and shared experiences is a huge business enabler.

3. Evaluate your risks against a defined list of risk classes. Whether a four- or five-tier ranking system is best for classifying the degrees of risk across your program, it is important to clearly establish a taxonomic ranking system that everyone will use. Going one step further, it's also important to have a "risk universe" defined and your business risk areas mapped out. Documenting a risk universe will drive consistency and risk mitigation coverage year after year.

4. Establish your functional risk teams. Your functional risk teams are departments such as Internal Audit, HR, SOX, Finance, and IT. Every department has a risk-minded individual you can liaise with, or, in larger companies, these departments might have a dedicated risk management team within that business function. When all these teams are brought together on a common risk management platform, your business will benefit through cost savings and increased operational efficiency.

5. Score risks in a common way. This one is on the same theme as #3; however, it is important to provide some structure as to how risks should fit into the risk classifications. Ideally, residual risks are quantified and mapped to their respective risk classification, but there are always qualitative risks to consider. Providing structure about how those qualitatively measured risks fit into your taxonomy will go a long way toward driving consistency.

Formally managing risk is an enormous business enabler. For small businesses and publicly traded companies alike, it is critical to delivering shareholder value in a world of cost cutting and streamlined business operations. Businesses have a limited set of resources to deliver on strategic objectives, and a well-thought-out risk management strategy can help you deliver those objectives on time and on budget.

Over the next six weeks I will be posting the six steps to establishing a risk profile for your company. I will cover the process and provide insight on developing high-level guidelines, walk through pieces of a risk strategy plan, action planning, and more.

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
