13. Frameworks in Practice

ND545 C4 L3 08 Frameworks In Practice Walkthrough

In traditional or operational GRC there is a prevailing concept called the three lines of defense, a model published by the Institute of Internal Auditors (IIA).

Generally, however, the first line of defense is made up of the risk or control owners (typically our business stakeholders). The second line of defense is made up of our risk managers (GRC professionals), who implement our risk management framework and processes. The third line of defense is internal audit, which provides independent oversight of the control and risk management processes.

The bridge between our security risk managers (the second line) and our business stakeholders (the first line) is the risk assessment. Risk assessments are the practice documents we referred to earlier: organizations may call them risk management frameworks, but they are really risk assessment documents.

A risk assessment document contains a list of risk statements. For each one, the risk manager weighs the statement against the context of the system being assessed (whatever system you have chosen) and determines the likelihood that the risk occurs and the impact if it does. The assessment also typically records any mitigating controls that already exist and the residual risk that remains for the organization once those controls are taken into account.

To set up a risk assessment document in a spreadsheet application, you can create the following columns of data:

  1. Risk Statement - These are the risk statements that you’ll be evaluating against a system.

  2. Likelihood - How likely the risk is to occur.

  3. Impact - How impactful the risk would be if it occurs.

  4. Mitigating Controls - Any existing controls that reduce risk to the organization.

  5. Risk - The residual risk after weighing a risk’s likelihood, impact, and existing controls.

  6. Notes - Any notes that you may wish to make regarding your final assessment of a risk.

You may additionally add columns for:

  1. Risk Treatment
  2. Plans of Action

We’ll discuss both of these later in this lesson.
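The spreadsheet described above can also be generated from a small script, which keeps the scoring rules explicit and reviewable instead of buried in cell formulas. The following is an added example and not course material: the 1-5 ordinal scale for likelihood and impact, the likelihood × impact product, the Low/Medium/High/Critical thresholds, and the model in which each mitigating control lowers likelihood or impact by a stated number of steps are all assumptions made for the example; the lesson does not prescribe a scoring scheme. The sample risks are constructed for a hypothetical web application.

```python
"""Build a risk assessment sheet (CSV) with a computed residual risk column.

Added example, not course material. Assumed scoring model (not from the lesson):
  - likelihood and impact are scored on a 1-5 ordinal scale,
  - inherent risk = likelihood * impact (1-25), banded into Low/Medium/High/Critical,
  - each mitigating control lowers likelihood or impact by a stated number of
    steps, never below 1,
  - residual risk is the product after all controls have been applied.
"""
import csv
import io
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    name: str
    reduces: str   # "likelihood" or "impact" (assumed control model)
    steps: int = 1


@dataclass
class Risk:
    statement: str
    likelihood: int          # inherent likelihood, before controls
    impact: int              # inherent impact, before controls
    controls: list[Control] = field(default_factory=list)
    notes: str = ""

    def __post_init__(self):
        # Reject scores outside the ordinal scale so a typo cannot skew the register.
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside {SCALE_MIN}-{SCALE_MAX}")


def band(score: int) -> str:
    """Map a 1-25 product onto a qualitative rating (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def residual(risk: Risk) -> tuple[int, int, int]:
    """Apply mitigating controls; return (likelihood, impact, residual score)."""
    like, imp = risk.likelihood, risk.impact
    for c in risk.controls:
        if c.reduces == "likelihood":
            like = max(SCALE_MIN, like - c.steps)
        elif c.reduces == "impact":
            imp = max(SCALE_MIN, imp - c.steps)
        else:
            raise ValueError(f"unknown reduction target {c.reduces!r}")
    return like, imp, like * imp


# The six columns from the lesson, in the same order.
COLUMNS = ["Risk Statement", "Likelihood", "Impact", "Mitigating Controls", "Risk", "Notes"]


def build_register(risks: list[Risk]) -> list[dict]:
    """Return one row per risk, highest residual risk first."""
    rows = []
    for r in risks:
        like, imp, score = residual(r)
        rows.append({
            "Risk Statement": r.statement,
            "Likelihood": r.likelihood,
            "Impact": r.impact,
            "Mitigating Controls": "; ".join(c.name for c in r.controls) or "None",
            "Risk": f"{band(score)} ({score})",
            "Notes": r.notes,
            "_score": score,   # numeric copy kept for sorting; dropped on export
        })
    rows.sort(key=lambda row: row["_score"], reverse=True)  # stable: ties keep input order
    return rows


def to_csv(rows: list[dict]) -> str:
    """Serialize the register to CSV text for import into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data for a hypothetical customer-facing web application.
SAMPLE_RISKS = [
    Risk("Unpatched vulnerabilities in internet-facing components are exploited", 4, 5,
         [Control("Monthly patch cycle", "likelihood", 1),
          Control("WAF in front of the application", "likelihood", 1)],
         "Patch SLA is 30 days; compare against observed exploit timelines"),
    Risk("Privileged credentials are phished from administrators", 3, 5,
         [Control("Phishing-resistant MFA on admin accounts", "likelihood", 2)]),
    Risk("Backups are unavailable after a ransomware event", 2, 5,
         [Control("Offline backup copy", "impact", 2),
          Control("Quarterly restore test", "impact", 1)]),
    Risk("Developer laptop lost with source code on disk", 2, 2, notes="Disk encryption enforced"),
]

if __name__ == "__main__":
    print(to_csv(build_register(SAMPLE_RISKS)))
```

Because likelihood and impact are ordinal, multiplying them is a convention rather than arithmetic with real meaning; the point of encoding the rule in code is that reviewers can see, and challenge, exactly how a "High" was arrived at, and the validation in `Risk.__post_init__` catches out-of-scale entries that a spreadsheet would silently accept.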