The importance of incident and problem management

How do incident and problem management fit into your risk management process? Does a risk manager need to be involved in every incident and problem? Let’s have a look at the relationship between incident management, problem management, and risk management.

Risk management does not mitigate all issues

Let’s start by saying that even effective risk management cannot ensure that incidents and problems will no longer appear. Risk management is performed within a defined scope and at a certain level of detail. A failure of a printer on a desk will not be included in the risk assessment of your risk department. However, it will be included when multiple device failures are not solved within a certain period and disrupt critical business processes.
If a single DDoS attack occurred that did not disturb your key processes, the risk may not be relevant for your risk assessment. If attacks start to occur regularly and your website is not reachable, it becomes a risk you may need to include in your assessment.

Proper registration of incidents and problems

When incident and problem data are used for analysis, they become highly relevant to your risk management. Categorizing incidents and problems by source and impact provides a high-level overview of the vulnerabilities being exposed. Combined with the impact each had, this yields a list of risks that could be included in your risk management. Effective and efficient incident and problem management will result in appropriate updates to your risk assessment. Of course, this process will be in harmony with ISO 9001.
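As an added illustration (not part of the original article), the snippet below applies the escalation rule from the previous section to a categorized incident register: a (source, category) pair only becomes a candidate for the risk assessment when it recurs within the review window and has disrupted a critical business process at least once. The incident records, the review date, the window of 30 days and the threshold of two occurrences are constructed assumptions, not values from the article.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample incident register (not from the article). Each record carries
# the categories the article recommends: source, incident category, and impact
# (whether the incident disrupted a critical business process).
INCIDENTS = [
    {"id": "INC-001", "opened": date(2024, 3, 2), "source": "hardware", "category": "printer failure", "disrupted_critical": False},
    {"id": "INC-002", "opened": date(2024, 3, 4), "source": "external", "category": "ddos", "disrupted_critical": False},
    {"id": "INC-003", "opened": date(2024, 3, 11), "source": "external", "category": "ddos", "disrupted_critical": True},
    {"id": "INC-004", "opened": date(2024, 3, 18), "source": "external", "category": "ddos", "disrupted_critical": True},
    {"id": "INC-005", "opened": date(2024, 1, 5), "source": "hardware", "category": "printer failure", "disrupted_critical": False},
    {"id": "INC-006", "opened": date(2024, 3, 20), "source": "software", "category": "erp outage", "disrupted_critical": True},
]

REVIEW_DATE = date(2024, 3, 31)  # assumed date of the periodic risk review


def risk_candidates(incidents, as_of, window_days=30, min_occurrences=2):
    """Return the (source, category) groups that recurred within the window and
    disrupted a critical process at least once: the point at which, per the
    article, an incident pattern becomes relevant to the risk assessment."""
    window_start = as_of - timedelta(days=window_days)
    groups = defaultdict(lambda: {"count": 0, "disruptions": 0, "ids": []})
    for inc in incidents:
        if not (window_start <= inc["opened"] <= as_of):
            continue  # outside the review period, e.g. the January printer failure
        group = groups[(inc["source"], inc["category"])]
        group["count"] += 1
        group["disruptions"] += int(inc["disrupted_critical"])
        group["ids"].append(inc["id"])
    # A single disruptive outage or a recurring but harmless failure stays with
    # incident/problem management; only recurring AND disruptive patterns escalate.
    return {
        key: group for key, group in groups.items()
        if group["count"] >= min_occurrences and group["disruptions"] > 0
    }


if __name__ == "__main__":
    for (source, category), group in risk_candidates(INCIDENTS, REVIEW_DATE).items():
        print(f"{source}/{category}: {group['count']} incidents in window, "
              f"{group['disruptions']} disrupted critical processes -> add to risk assessment")
```

Lowering `min_occurrences` to 1 also surfaces the single ERP outage, which shows how the threshold itself is a risk-appetite decision rather than a fixed rule.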

Measuring the effectiveness of risk management

By adequately registering incidents and problems and aligning the categories used by risk, incident and problem management, the effectiveness of risk management can be measured. As an example, cybersecurity is a high-risk area and you discover that your web shop’s availability has decreased due to multiple cyber-attacks. You improve or reconsider the controls that are defined to mitigate or handle the risk. Of course, an overview of incidents can also be used to determine that a recently implemented control is operating effectively.

Contrisity supports you in implementing, reviewing and operating effective risk management for your organization. We understand that risk and control management shouldn’t be a burden for your business. It must not slow down business processes if that’s crucial for your organization.