Risk management and leadership

Digital security risk management comprehensively supports an organisation’s activities in a digitalised society, promotes the development of digitalisation and appropriately and efficiently allocates the organisation’s resources.
Digital security risk management can

• assess and survey significant threats and risks in the digital operating environment
• identify and determine risk management methods
• accept residual risks, and
• prepare for the release of residual risks.

Management

• set objectives for the organisation
• is responsible for organising risk management
• defines the criteria for approving information security risks and the methods for approving residual risks
• ensures that the organisation’s risk management supports knowledge-based management.

Management decides on risk management responsibilities, such as risk management policy, which defines the organisation’s top-level risk management

• objectives
• principles
• responsibilities, and
• key operating methods.

The purpose of the risk management policy is to make risk management part of the organisation’s steering and management system.

Risk management is part of the organisation’s objectives and provides management with information to support decision-making and knowledge-based management. Knowledge-based management and risk-conscious decision-making are based on high-quality information produced through risk management.

Risk management principles are also defined that will describe how risks are managed. The combination of risk management principles and frameworks is often referred to as a risk management policy that explains the relationship between risk management principles and the organisation’s objectives.

Practical implementation of the risk management policy is one way of developing the organisation’s risk management culture. You can find tips for how to prepare digital security guidelines and training and how to develop the digital security culture in the Digital and Population Data Services Agency's Guide on digital security competence and culture development (in Finnish, PPTX)Opens in a new window..

Monitoring is an essential part of the risk management process. It enables effective, flexible and effective risk management

• manages costs and resources
• identifies variable conditions, and
• can be used to better allocate measures.

Monitoring also ensures that the tasks have been carried out and that the responsibilities related to them have been properly taken care of. Based on the monitoring documentation, you can also report on risk handling measures to management and stakeholders.

A part of the risk management policy can be published on the organisation’s website, for example.

Use the Digital and Population Data Services Agency’s Risk management information service of digital security (in Finnish)Opens in a new window. to assess and monitor the status of risk management.

Good awareness of changes in the risk environment and obtaining information about new risks are a prerequisite for successful risk management.

• VAHTI hyvät käytännöt -tukimateriaali: Digitaalisen turvallisuuden havainnoinnin kehittäminen (VAHTI-verkosto, in Finnish, PDF)Opens in a new window.