Risk Management: Back to the Basics, Part 3

Gap Analysis and Risk Treatment

Introduction

Now that you have completed the risk analysis, the next steps are performing a gap analysis and the risk treatment process. This article provides a simplified framework for completing these steps.

Gap Analysis

A gap analysis is the evaluation process of the status of mitigating controls. The purpose of a gap analysis is to gain an understanding of the management system in question in regards to the risk management process. Further, it provides you with an overview of where the management system will be in the future. That is to say, the gap analysis shows you where you are in relationship to where you would like to be. A gap analysis is often used in the audit process, both internally and externally, as the gap analysis provides a bird’s eye view of the control implementation and risk management process status.

To perform a gap analysis you will need to list the controls of a specific standard(s) or internal guidelines your organization is complying with. Next, with key members of your team, those who are directly involved with the inner workings of the organization, assess the level of implementation of each control within the scope of the compliance efforts. From there, your team should determine if the control is:

• Implemented: all aspects of the control are in place and functioning
• Partially implemented: Some aspects of the control are in place and functioning
• Not implemented: No aspects of the control are in place and functioning, but should be in place
• Future control: A decision has been made to implement this control in near future
• Not applicable: The control does not apply to the business[/li][/list]

With each control status determination, a justification for the control status must be provided. This information will inform auditors or other reviewers of the compliance status with information regarding the status of the control. Once this process is complete, it should be considered a working document and be reviewed regularly as the business environment changes.

Risk Treatment

Now that you have completed the risk assessment and gap analysis, it is time to perform the risk treatment process. The risk treatment process is meant to outline an action plan for; you guessed it, the treatment for the risks present to the business entity. The risk treatment should take as an input the results of the risk assessment and gap analysis.

The first step of the risk treatment is to reevaluate the risk assessment, while taking into consideration the status of the controls identified in the gap analysis. This provides you with your current security risk level, while the risk assessment provided the base security risk level. By taking future controls into consideration, you can calculate your future security risk level. Understanding your future security risk level, can be essential in obtaining project support and resources for risk management efforts and the implementation of future controls.

Next, a risk appetite should be established. The risk appetite is the range or level of acceptance of risk that the management has defined as acceptable. With this information, risk levels of threats should be reviewed, and a treatment objective should be put in place for risk that exceeds the acceptable level. Example risk treatment objectives include:

• Accept risk: the level of risk is acceptable for the organization
• Reduce risk: the risk is beyond the acceptable risk level for the organization and should be lessened
• Transfer risk: the risk level is beyond the acceptable risk level and it is more beneficial to transfer the risk to another department within your organization or to a third party
• Avoid risk: the risk level is beyond the acceptable level and should be eluded by the organization (such as relocating the office due to risk factors)

Similar to the gap analysis, a justification should always be provided for the selected treatment objective. When this is complete, you have completed the cycle, and now it is time to execute the plan.

The risk management process is a continuous process. The steps outlined should be repeated regularly. A key factor in a successful risk management program is continuous improvement.

We hope you have enjoyed our series, Risk Management – Back to the Basics. We encourage you to comment on our blogs and share them with others who are concerned with the risk management process.