The 10 Most Important Things A Company Needs In Its Risk Management Plan
Companies typically define risk as the probability or likelihood of an event happening multiplied by the potential impact to the organization, according to Steve Schlarman, RSA Archer strategist at Bedford, Mass.-based RSA.
Businesses can reduce the likelihood or impact of a negative event through a variety of mechanisms such as mitigating risk, managing risk, transferring risk, or establishing certain controls, Schlarman said. The overriding objective of risk management is to identify potential adverse events and make a decision about what to do to address those risks, according to Schlarman.
Organizations have been identifying and assessing risk at some level for quite a while now, Schlarman said, with security teams deploying vulnerability scanners and assessing what any identified vulnerabilities mean to the company's overall security posture.
But risk management has often focused too narrowly on just the IT department, failing to account for risks associated with business processes in other areas. As part of CRN's Cybersecurity Week 2018, here's a deep dive into the key elements that comprise a robust risk management plan.