Exception handling in Risk Management

Vishmini Samarawickrama
May 30, 2021

In this blog we will discuss information security risk management and exception handling. When it comes to risk management, there are some terms you should be familiar with.

Terminology

Risk = Likelihood x Impact
The total amount of risk exposure can be explained as the probability of a threat occurring and the potential impact incurred by that event.

Impact is the estimate of the possible losses associated with the identified risk(s).

Threat is the potential harm that can come to an organization, asset or anything else that we're trying to protect.

Purpose of Risk Management

Information security risk management is the process of managing the risk associated with the use of information technology. This includes identifying potential risk factors, assessing the risks and their impact on the business, and risk treatment and mitigation. The final goal of an organization's risk management process is to protect the confidentiality, integrity and availability of its assets. By handling the risk management process properly, an organization can identify its overall risk tolerance level. Rather than attempting to eliminate all risks, organizations should identify an acceptable risk level for their business and seek to achieve that level.

Most IT-related organizations had to deviate from their normal operations due to the coronavirus pandemic and started working from home in order to continue their business operations. Switching to working from home can expose an organization to several new risks and can elevate existing risk factors as well. The operating models of most organizations have changed due to the pandemic, but the responsibilities of senior management and executive leadership remain the same. Senior management is still accountable for aligning its decisions with corporate obligations while managing the risks. Amid the pandemic, decisions made by senior management may have a huge impact on the future of the organization. For these reasons, risk management can be considered a crucial process for any organization, IT-related or not.

Exception Handling

Exception handling is an essential component of risk management and decision making. Even though there are defined policies, procedures, frameworks and processes in place, organizations can come across circumstances that violate those policies, procedures and defined processes. This is where exception handling comes into the picture. When integrating risk management into decision making, there are a few things organizations should take into account.

  • How does your company keep records on decision making?
  • Does your organization have policies and procedures in place?
  • When making decisions, how does your organization identify potential risks?
  • How does your company handle deviations and exceptions to the current practices?
  • Does your company have compensating controls in place?
  • With deviations to the current controls, how does your company mitigate the introduced risk?

Risks cannot be completely eliminated, but organizations should be able to identify their risk exposure and precisely where a risk exception begins. Exception handling covers the areas where an organization is not complying with policies, procedures and other regulatory requirements.

Exception handling can be easily explained using a real-world scenario. Assume that your company needs to get a service from a third-party service provider that processes and sanitizes your data on your behalf. This third-party service provider does not encrypt your data at rest. Assume that your supplier management policy allows only three months to fix such an issue. Even though the third-party supplier has a logical solution to this issue, in reality it might require much more time to fix it. This can be considered a violation of your policy, but due to the business requirement you need to get the service from this third-party service provider. This is precisely where we start to follow the exception handling process.

Implementing Risk Exception Handling into your Security Program

When you are implementing exception handling into your risk management program for the first time, you need to identify the following details:

  • Identify the people in your organization who manage and handle the risk exception process. Depending on your organization's size, risk management framework and business operations, the number of people involved in this process might differ. Senior management may handle exceptions in one company, while the risk management and/or compliance team handles the risk management process in another.
  • The next most important thing is assigning responsibilities and defining roles for the people involved in this process. This should address communication flow, documenting roles and responsibilities (R&R), etc. R&R has to be formally communicated to each individual stakeholder involved in the risk management and exception handling process.
  • Another crucial thing is defining a timeline for each exception. Even though an exception is a deviation from or violation of a policy, exceptions are defined to address the security requirement while supporting the business functions. The sole objective of including exception handling in risk management is to maintain the balance between the business and its security. There should be defined, logical deadlines for tracking the exceptions.
  • Extending exceptions is another scenario organizations should take into account. The risk management/compliance team should explain the pros and cons of extending such exceptions. The key stakeholders should understand that they are responsible in case of a system compromise that occurs due to an extension of an exception. Stakeholders will be solely responsible and will be required to explain any problems that occur to a higher authority [1].
  • If your organization plans to include exception handling in the risk management process, you should develop supporting policies and procedures. Policies and procedures formally define how exceptions are managed within your company [1].

Exception Handling Process

In this section we will discuss how you handle an exception after you have defined the exception handling process.

Usually an exception handling process has several steps:

  • A risk exception request has to be raised.
  • Assess the risk associated with the exception; the potential impact of allowing the exception has to be analyzed.
  • Implement compensating controls: identify the compensating controls that can be used to reduce the risk factors.
  • Accept or deny the exception request. Track and continuously monitor all approved risk exceptions.
  • Extend or mitigate expired risk exceptions. Monitor the risk mitigation status of all rejected or expired risk exceptions [2].

Elements of Exception Management Program

Exception handling;

  • Has to be a standardized, formal process that covers risk exception handling end-to-end and is able to cover all exceptions regardless of the risk management framework followed by the organization.
  • Should go beyond the cyber security and information security scope; all other risk factors and their impact should be taken into account before accepting any exception request.
  • Should provide a holistic view to senior management or decision makers of the risks and their impact due to risk exceptions [2].
  • Risk exception tracking and monitoring is the most crucial part for any organization.
  • Creating awareness of the exception handling process is another important element of exception handling.

Challenges and Drawbacks

  • Poor governance.
  • Lack of funds for information security controls.
  • Lack of understanding of the risk management processes.
  • Lack of management support for the information security and risk management processes.
  • Lack of user support within the organization.
  • Poorly documented policies and procedures.
  • Lack of standardization (having more than one defined process for exception handling).
  • Lack of an automated process (in a large-scale organization, handling a large number of exceptions manually is less effective and time consuming).
  • Cultural or political issues.

“Business people need to understand the psychology of risk more than the mathematics of risk.” Paul Gibbons.

That's all folks!
See you in my next blog 😉

References

[1] https://ignyteplatform.com/what-is-risk-exception/
[2] https://www.wipro.com/cybersecurity/why-managing-risk-exceptions-matters-during-the-unprecedented-times/
