GRC Maturity: Manual Risk Management Programs Fall Behind
Organizations pursuing and maintaining ISO 27001 certifications and an ISMS should consider continuous risk management solutions to ensure they don’t miss critical risks.
by Elliot Volkman
Whether you’re pursuing an ISO 27001 certification, going after a SOC 2 Type 2 report, or building out your cybersecurity program on top of NIST CSF, risk management will always be a common thread. Traditionally, however, risk management has been a manual process that puts a lot of onus on internal teams and requires a great deal of time.
Time is a double-edged sword in cybersecurity and compliance programs. It takes time to build, manage, monitor, and maintain all of the related processes, tools, and resources, but it’s just as easy to get trapped in cycles of managing frameworks, which distract from properly identifying and managing risks.
Take for example the common scenario of a GRC team working with a risk owner.
First, you meet with the owner or team that identified the risk.
Next, you open lines of communication with them, and then develop a risk assessment.
From here, you develop a risk treatment plan or related controls and any resources necessary to reduce its impact.
And finally, you have to work with the risk owner to monitor and report against any changes to the risk for continued visibility.
All of this requires meetings, manual work on both sides, and your risk owner commonly slides this responsibility in with their primary job. That’s a lot of back and forth and work that can otherwise be spent on identifying other risks and monitoring them.
By now, you’re probably asking if time itself is a risk, and it certainly can be if not managed properly. This is particularly true for midsized and larger companies, a majority of which spend more than 1000 hours each year managing risks. This compounds the alarming data on lack of visibility into risks: 80% of companies don’t feel they have enough insight into their third parties.
Fortunately, our previous example of a GRC team interacting with a risk owner can be significantly automated to elevate risk visibility and accountability. More than anything else though, automating routine elements of risk management leaves more time spent on priority efforts such as identifying new risks or changes to current ones. And this is precisely what we’ve observed in mature GRC teams and programs.
Manual vs. Automated Risk Management Efforts Compared
Today, there is no way to fully remove manual effort from risk management. It’s an entirely human-centric exercise that requires a great deal of communication, and typically, subjective judgment and decision making. However, as previously shown, much of the work between steps is manual and drags the process down.
Take, for example, ISO 27005, or the risk treatment process integrated into ISO 27001:2022, which now formalizes required documents that were previously only implied. According to ISO 27005, the risk treatment process should be documented as follows:
The method used to select appropriate information security risk treatment options.
The method used to determine necessary controls.
How ISO 27001:2022 Annex A was used to determine no necessary controls were accidentally overlooked.
How the risk treatment plan was produced.
How risk owners provide approval.
To obtain this documentation, there’s usually a significant amount of manual work that takes place. However, maturing GRC teams typically reduce this effort with automation.
Risk Identification and Assessment
The initial identification and assessment of risks often involve a combination of automated tools and manual analysis. Manual effort is required to gather information, conduct interviews, and analyze the potential impact and likelihood of risks.
Even so, maturing GRC teams now use automation to replace manual risk analysis and impact assessments, which removes the ambiguity and assumptions that often creep into that work.
Creating and maintaining risk documentation, including risk registers, risk assessments, and risk treatment plans, is among the most cumbersome efforts. This includes documenting risk descriptions, potential impacts, likelihood assessments, and proposed risk treatments.
Nearly all of this, with the exception of creating specific documentation, can be automated. Further, an automated approach enables executives to view risk registers at an organizational level rather than just rummaging through individual reports.
Implementing security controls to mitigate identified risks typically involves the configuration, deployment, and monitoring of controls. However, mature teams often have libraries of existing controls at their disposal so they don’t have to reinvent the wheel each time.
Monitoring and Reviewing Risks
In the past, monitoring and reviewing implemented controls and the risk landscape required manual effort. This involves periodic assessments, data analysis, and updates to risk documentation based on changes in the organization's environment.
One of the areas where automation shines is in real-time control reporting and testing. This effectively allows a GRC team to hit a new level of maturity with a flip of the switch because they shift from a point-in-time process to one of always-on-visibility into risks.
Continuous Improvement and Visibility
One of the key aspects of ISO 27001 is a focus on continuous improvement cycles. This means organizations need to regularly review and update their risk assessments, which involves reassessing risks, identifying emerging threats, and adjusting risk treatment plans accordingly.
Unfortunately, if this review is manual, it’s easy to miss changes to the risks captured in your risk register, whereas automated tests against controls and automated reviews of third-party status surface those changes as they occur.
All of this can and should be automated.
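As an added example (not code from the original post or from Drata), here is a minimal Python model of the continuous review loop described above: each risk’s residual score is recomputed from automated control-test results, and any risk whose score moved is flagged for its owner to re-approve. The scoring scale, the one-point-per-passing-control rule, and all risk and control identifiers are constructed for illustration.

```python
"""Added example (not from the original post): a minimal continuous risk
register that rescores risks from automated control-test results and flags
changes between two review cycles, the step a manual process tends to miss."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: str
    description: str
    owner: str
    likelihood: int      # inherent likelihood, 1 (rare) .. 5 (almost certain); assumed scale
    impact: int          # 1 (negligible) .. 5 (severe); assumed scale
    controls: list = field(default_factory=list)  # ids of controls that mitigate this risk


def residual_score(risk: Risk, control_results: dict) -> int:
    """Inherent score reduced by one likelihood point per *passing* control.
    A failing or untested control earns no credit, so the score rises again
    automatically when continuous testing detects control drift."""
    passing = sum(1 for c in risk.controls if control_results.get(c) == "pass")
    likelihood = max(1, risk.likelihood - passing)
    return likelihood * risk.impact


def rescore(register: list, control_results: dict) -> dict:
    """Residual score for every risk in the register, keyed by risk id."""
    return {r.rid: residual_score(r, control_results) for r in register}


def changed_risks(previous: dict, current: dict) -> list:
    """(risk id, old score, new score) for each risk whose residual score moved;
    these are the entries a risk owner should be asked to re-approve."""
    return [(rid, previous.get(rid), score)
            for rid, score in current.items() if previous.get(rid) != score]


# Constructed sample register and two cycles of automated control-test results.
REGISTER = [
    Risk("R-1", "Unauthorized access to production database", "dba-lead", 4, 5,
         ["CTRL-MFA", "CTRL-DB-ENCRYPT"]),
    Risk("R-2", "Vendor outage disrupts payroll", "hr-ops", 3, 3, ["CTRL-VENDOR-REVIEW"]),
]
CYCLE_1 = {"CTRL-MFA": "pass", "CTRL-DB-ENCRYPT": "pass", "CTRL-VENDOR-REVIEW": "pass"}
CYCLE_2 = {"CTRL-MFA": "fail", "CTRL-DB-ENCRYPT": "pass", "CTRL-VENDOR-REVIEW": "pass"}

if __name__ == "__main__":
    before, after = rescore(REGISTER, CYCLE_1), rescore(REGISTER, CYCLE_2)
    for rid, old, new in changed_risks(before, after):
        owner = next(r.owner for r in REGISTER if r.rid == rid)
        print(f"{rid}: residual score {old} -> {new}, notify {owner}")
```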
Communication and Training
Communication and training associated with identifying and managing risks will always require manual effort. However, teams using project management tools like Jira can easily automate the action items that typically follow training and their role in managing or owning risks.
Improve Your GRC Processes With Automation
Many organizations start with spreadsheets that document their risk and controls. However, as the organization grows and matures, its compliance program also needs to mature.
With so many people and moving parts involved, manually managing the risk assessment process can quickly become inefficient. As you move toward certification, you need to have a single source of information for audits, but shared spreadsheets may not always be up to date.
With Drata, everyone involved in the risk management process can collaborate without worrying about multiple copies of documents or making unauthorized changes.
Our library of pre-mapped risks and ability to create custom risks streamlines the identification, assessment, and analysis process. Our platform automatically populates a custom score that allows you to assign responsible parties and track their activities to prove compliance. As we continuously monitor your security, we also monitor your compliance, providing alerts and suggesting treatment plans so that you can proactively mitigate risks.
Learn more about how you can automate your risk management process and integrate it into your existing compliance effort with Drata.