Contracts and audit
Digital risk assessment and management, and integration into processes

Chapter 2.2

How to identify, assess and treat digital risks


The digital risk management process comprises five major, consecutive stages. Working through these stages lets you reduce each risk, its likelihood and its impacts.

A. Identification

The first stage in the process is the identification of the threats and risks affecting the company's activities, its services and/or its major projects. This makes it possible both to establish which aspects to focus your attention on and to better define the resources earmarked for protection.

B. Assessment

Once the risks have been identified, an assessment should be made of how likely they are to occur, as well as the impact they could have on the company’s activities. This assessment must be quantified and substantiated so that management is in possession of as much information as possible in order to take the appropriate measures.

C. Treatment

There are several risk treatment categories. The first is to avoid or eliminate the risk by abandoning the risky project or activity. This option is rarely chosen because of the major impacts it would have on the company’s strategy.

The second strategy involves mitigating the risk, either by reducing its probability or by minimising the impact it could have if it materialised: security measures and controls that provide some assurance that the risk is decreasing, and, should the scenario occur, security measures that lower its impact.

The third category entails transferring the risk, either to a service provider who will take on the risk (although the accountability chain in the event of a crisis may still have consequences for the customer) or to an insurer, via the cybersecurity insurance solutions offered by certain companies.

D. Analysis

The next phase of digital risk management is a periodic analysis of the effectiveness of the implemented controls and measures. This analysis makes it possible to determine whether the risk has actually been reduced or whether it remains at a worrying level. In the latter case, an action plan must be defined to deal with any crisis that might arise.

E. Reporting or monitoring

The last phase consists of compiling the findings of the four previous stages into a detailed report, so that management can see the current risk situation, the outcome of the analysis of controls and measures, and the action plan envisaged in the event that deficiencies are identified.

2023 © Trust Valley. All rights reserved.