Describe the risk management measures

Each phase of the process also includes

• risk communication and information exchange
• risk monitoring and
• risk review.

Read more about risk communication on the guide’s page Communication on digital security risks.

It observes

• internal and external changes in the operating environment
• risk changes
• the need to change the risk criteria.

Monitoring and review involves monitoring and inspections that can be carried out at regular intervals or on a case-by-case basis.

Risk management should also be documented so that it can be verified, the organisation can learn, and costs can be monitored.

You can find frameworks and tools for implementing risk management in organisations of all sizes and for different needs.

General risk management:

• Riskienhallinnan käsikirja valtionhallinnon toimijoille (Ministry of Finance, in Finnish)Opens in a new window.
• Riskien arviointi ja hallinta työpaikalla -työkirja (Ministry of Social Affairs and Health, in Finnish, PDF)Opens in a new window.
• SWOT analysis (Wikipedia)Opens in a new window.

Risk management in digital security:

• Digital security architecture guidelines (Digital and Population Data Services Agency)
• Digital security service catalogue (Digital and Population Data Services Agency, in Finnish)Opens in a new window.

What are the risks to my organisation? What are their sources, areas of influence and consequences?

The identification phase

• identifies factors that may prevent, hinder or delay the achievement of objectives
• identifies the risks of losing or not taking advantage of opportunities
• list the risks as comprehensively as possible.

The risks are listed regardless of whether their source is under the control of the organisation and even if their source or cause is not known.

The aim is to detect and describe, as extensively and comprehensively as possible,

• all significant risks and opportunities
• the sources of risks
• the scope of risks
• any changes in circumstances and their causes
• the consequences of the risks.

There are different tools to help you identify risks: you can use check lists, vulnerability analysis, or risk maps, for example. Risks are also classified according to the division selected by the organisation. Make sure that the persons involved in identifying the risks have sufficient expertise in the activities under examination.

After identifying the risks, you have a list of the risks whose probability and impact you can assess in the analysis phase.

How likely and large are the risks I have recorded? What kinds of impacts can they have?

The risk analysis assesses the nature and magnitude of the risk. The analysis is used to lay the foundation for decisions on what and how risks are processed in your organisation. The analysis may be based on a quantitative or qualitative examination or a combination of them.

Risks can be divided into four categories:

• strategic
• operative
• financial
• risks of loss.

Strategic risks and new opportunities are often assessed qualitatively. Operational risks and risks of loss are often assessed quantitatively, as it is easier to provide a numeric analysis of the likelihood of their occurrence and the economic impacts, for example.

Your organisation can use a four-step scale to assess the likelihood and impact of risks, for example.

How significant are the risks I have listed from the perspective of my organisation? What is the order of priority in their handling?

The aim of the significance assessment is to

• guide decision-making related to risks
• decide which risks need to be addressed and
• decide on the priority of the processing.

Some risks require immediate action, others’ impact or probability can be reduced and some will be monitored further. A decision can also be made to consciously take the risk in order to achieve an opportunity.

The most likely risk may not be the most critical or significant, but the significance of the risks may change and need to be reassessed.

• Time: the significance of a risk that seems minor may change substantially over time.
• Psychological and human factors: the risk tolerance, handling or identification ability may vary between individuals.
• Interdependencies: risks may be interdependent, in which case their multiplier effects may be significant.

The owner of the risk is the person or party who has the responsibility and authority to manage the risk. There is usually also a person responsible for the risk measures, who practically monitors and coordinates a certain risk.

– Ministry of Finance Finland, Risk management policy's annex

Processing options may include:

• prevention (for example, by refraining from activities that pose risks)
• taking or adding risk (to achieve an opportunity)
• removing the cause of the risk (for example, by terminating risky activities);
• influencing the likelihood of a risk happening
• preparing for or influencing the consequences of risk realisation
• sharing a risk partly or completely between one of more parties
• preserving the situation as it is.

The same risk may have one or more processing options.

The actor carries out the agreed risk management measures and the supervisor oversees their implementation. Processing must be a regular and repeated process.

The processing of risks also requires active and regular exchange of information between the parties involved for as long as the risk persists.

A target schedule must be set for identified risks that have been assigned, for their management measures and for the processing of residual risks. The target schedule specifies by when the planned measures must be carried out. You must also get the management’s approval for the schedule.

Scheduling, monitoring and reporting must be documented and communicated so that risk management is successful and efficient and appropriate. You must report on the schedule and implementation of the measures to the appropriate parties, such as the management.

Sometimes risk management may be inefficient, targeted incorrectly, or the risk management measures are insufficient. This can be due to one of the following, for example:

• the parts and controls of the risk management process are not properly accountable
• they are not adequately documented, or
• there are other shortcomings in the process.