About Us

"If you don't know where you're going, you'll wind up somewhere else."
Yogi Berra

Strategy

There are two aspects to risk and strategy - strategic risk and a strategic approach to risk. These are two markedly different things but of equal importance to the Board and Executive of a company.

Strategic risks

Strategic risks are those risks that can have such a profound effect on the organisation that their mitigation requires a Board or Executive level decision. Examples of information security risks that might fall into this category include:

  • Outsourcing and offshoring
  • Phishing attacks
  • PCI DSS non-compliance (the risk of sanctions) and other non-compliance penalties affecting finances, brand or business units

These are all risks that affect the strategic direction of a company and therefore require a strategic response. However, identifying any risks, strategic or otherwise, requires a strategic approach to risk.

Strategic approach to risk

"Since profits are, in part, the reward for successful risk-taking... the purpose of internal controls is to help manage and control risk (appropriately) rather than to eliminate it."
Turnbull

Turnbull sets out what it describes as a "sound system of internal control", requiring organisations to demonstrate that their risks are understood and properly managed, presented as four requirements:

  • a system for the identification, evaluation, management and control of key risks
  • an adequate internal control environment with regular review mechanisms, including board level oversight
  • effective monitoring and corrective action
  • appropriate channels for risk communication and information flow.

The key aspect of the Turnbull recommendations is that the organisation needs a strategic approach to determining and managing its risks. This means there must be both a structure and a procedure for risk determination, applied from the top of the organisation down.

This inevitably requires an assessment of the impact of certain events on the business, so that the cost effectiveness of remediation or mitigation can be quantified. In general, strategic risks are determined by a Business Impact Assessment of the organisation as a whole or of particular business areas. This is because, at a strategic level, areas of risk matter more than the specific elements within each risk. Strategy is a broad brush, so its tools need to be responsive and accurate but do not need to be detailed.

Business impact assessments can be carried out either as a consultancy exercise or as a workshop featuring all of the interested parties.
