Crafting and Evaluating Risk-Based Recommendations

This document outlines Gage Olson's CYB 410 Project Three, focusing on crafting and evaluating risk-based recommendations. It delves into the importance of risk-informed decision-making and its dynamic nature, using tools like risk registers and frameworks such as the NIST cybersecurity framework to improve security postures. The paper also explores personal bias minimization, the application of systems thinking, and methodologies for evaluating the effectiveness of decisions made, emphasizing a comprehensive approach to organizational security.

Gage Olson

6/5/2024, 4 min read

Making good risk-informed recommendations is essential to the security of an organization. Risk-informed decision-making is not a one-time exercise: a recommendation is provisional and should be revisited as new information, knowledge, or findings emerge. It is more inclusive and sustainable because it accepts that risks often resurface and that conditions are never ideal.

First, I will discuss how tools and resources can be used to make risk-informed recommendations and justify my response with a relevant example. Next, I will consider how to identify and minimize my own bias when making risk-informed recommendations. Then, I will underscore the importance of systems thinking in assessing the impact of a decision on people, processes, and technology; this approach broadens the perspective and ensures a comprehensive evaluation. Finally, I will explain what evidence I would use to evaluate whether I made a good decision.

Many tools are available to help make good risk-informed recommendations for an organization, and choosing the right ones matters. According to Asana, a risk register is a document used as a risk management tool to identify potential setbacks or risks within a project. It is widely used and should be considered for every project. The aim is to identify, analyze, and plan responses to risks collectively, before they become problems. For each entry the register records what triggers the risk, its probability and impact, what will happen if no action is taken, how the organization will respond (mitigate, accept, transfer, etc.), and what result is expected from that response. An example of the tool in use was when I collaborated with Green Thumb Nursery: we used a risk register to assess the challenges they were facing and to implement solutions that would keep those risks from becoming a reality.
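The register fields listed above map naturally onto a small data structure, and once they are in one place the scoring, ranking, and "who owns this" checks can be automated rather than done by eye. The following is an added example written for this page; it is not code from the original essay or from Asana's article. The 1 to 5 scales, the score thresholds, the field names, and the sample entries are all assumptions constructed for illustration, not real findings from any organization.

```python
"""Minimal risk register: one row per risk, probability x impact scoring,
prioritisation, and a review pass that flags entries worth challenging.
Added example; scales, thresholds and sample rows are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Response(Enum):
    """Response strategies named in the essay, plus 'avoid', which is standard."""
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass(frozen=True)
class Risk:
    """One row of the register. Scales are an assumption: 1 (lowest) to 5 (highest)."""
    risk_id: str
    description: str
    trigger: str          # what causes the risk to materialise
    probability: int      # 1 = rare .. 5 = almost certain
    impact: int           # 1 = negligible .. 5 = severe
    consequence: str      # what happens if nothing is done
    response: Response
    owner: str            # empty string means nobody owns it
    expected_result: str  # what the chosen response is expected to achieve

    def __post_init__(self) -> None:
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Exposure score = probability x impact (assumed 5x5 matrix)."""
        return self.probability * self.impact


def rating(score: int) -> str:
    """Bucket a score into a rating. Thresholds are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: Iterable[Risk]) -> list[Risk]:
    """Highest exposure first; ties broken by impact, then id, so order is stable."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))


def review_flags(register: Iterable[Risk]) -> list[str]:
    """Entries a reviewer should challenge: high risks that are simply accepted,
    and entries with no owner. Both are common ways a register goes stale."""
    flags = []
    for r in register:
        if rating(r.score) == "high" and r.response is Response.ACCEPT:
            flags.append(f"{r.risk_id}: high risk accepted without mitigation")
        if not r.owner.strip():
            flags.append(f"{r.risk_id}: no owner assigned")
    return flags


def to_markdown(register: Iterable[Risk]) -> str:
    """Render the prioritised register as a Markdown table for a report."""
    rows = ["| ID | Risk | P | I | Score | Rating | Response | Owner |",
            "|---|---|---|---|---|---|---|---|"]
    for r in prioritise(register):
        rows.append(f"| {r.risk_id} | {r.description} | {r.probability} | {r.impact} | "
                    f"{r.score} | {rating(r.score)} | {r.response.value} | {r.owner} |")
    return "\n".join(rows)


# Constructed sample entries for a small retail business; not real findings.
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware via phishing e-mail", "Employee opens malicious attachment",
         4, 5, "Point-of-sale and inventory systems unavailable for days",
         Response.MITIGATE, "IT lead", "Offline backups tested quarterly; e-mail filtering in place"),
    Risk("R-02", "Unpatched web server", "Vendor releases a fix that is not applied",
         3, 4, "Public site defaced or customer data exposed",
         Response.MITIGATE, "IT lead", "Patches applied within 14 days of release"),
    Risk("R-03", "Loss of key supplier", "Supplier insolvency",
         2, 3, "Stock shortages for one season",
         Response.TRANSFER, "Operations manager", "Second supplier contracted"),
    Risk("R-04", "Shared admin password on POS terminals", "Staff turnover",
         4, 4, "Former employee retains access to the sales system",
         Response.ACCEPT, "", "None; accepted for convenience"),
]

if __name__ == "__main__":
    print(to_markdown(SAMPLE_REGISTER))
    for flag in review_flags(SAMPLE_REGISTER):
        print("REVIEW:", flag)
```

Running the script prints the table with R-01 (score 20) and R-04 (score 16) at the top and then flags R-04 twice: a high-rated risk has been accepted rather than mitigated, and nobody owns it. That second check is the one that keeps a register honest; an entry with no owner never gets revisited, which defeats the point of treating the recommendation as provisional.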

Many resources are also available to support good risk-informed recommendations. Resources such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework or the CIS (Center for Internet Security) Controls provide a structure for improving an organization's security posture. The NIST Cybersecurity Framework specifically helps businesses of all sizes understand, manage, and reduce their cybersecurity risk to better protect their networks and data. The framework is entirely voluntary, but it gives organizations an outline of cybersecurity best practices that any business can implement. Its core is organized into five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 of the framework, published by NIST in February 2024, adds a sixth function, Govern, covering risk management strategy, roles, and policy. A relevant example I remember was an assignment in another class where we had to use the NIST Cybersecurity Framework to recommend security measures for a small business. The NIST guidelines are relevant and in the best interest of the organization.

Identifying and minimizing our own bias is difficult, yet we must set it aside when making risk-informed recommendations. This matters because bias leads us to overlook or exaggerate risks depending on the situation. Many techniques help minimize it, including conferring with people who hold differing viewpoints, using quantitative rather than purely qualitative risk assessments, and strictly following an established framework such as the NIST Cybersecurity Framework. A structured decision-making process backed by a diverse team helps ensure that all aspects of a problem are considered. Most importantly, I believe in self-awareness about bias and the knowledge that everyone, including yourself, is biased in some way, shape, or form.

According to TechTarget, systems thinking is a holistic analysis approach that focuses on how a system's constituent parts interrelate and how systems work over time and within the context of larger systems. It also applies to how teams work together and the outcomes they produce. Applying systems thinking can significantly affect the people, processes, and technologies within an organization. First, I find it essential to identify everything a decision might influence: all affected people, including stakeholders, managers, employees, and customers; the operational processes; and the technology. You have to understand what you are affecting before you can begin to make a decision. You also need to know how the people, processes, and technologies are interconnected and how they behave. Simulations and models may help predict the outcomes of changes the organization may implement in the future. I will ensure that diverse perspectives and feedback are included in all changes. Finally, I would document and reflect on the what, why, when, where, and how of my decision or risk-informed recommendation and on how it affected the organization's people, processes, and technology.

There are many ways to evaluate risk-informed decision-making, and evidence is what turns an opinion about a decision into a judgment. Metrics are quantitative measures used to track performance. They can include key performance indicators such as sales figures, profit and loss statements, and customer satisfaction scores; for security decisions, operational measures such as time to detect and remediate incidents, patch latency, and the number of open findings over time are the more direct evidence. Tracking these metrics over time shows whether a decision is moving them in the right direction and allows corrective changes to be made when it is not. Process reviews help ensure that the process used to reach the decision was practical, thorough enough, and involved the right people. Gathering feedback from those affected is another excellent way to gauge whether a decision was good or bad. I also ensure that decisions align with business operational goals and future needs; the two must be correlated.


References

Asana. (2024, February 1). Risk register: A project manager's guide with examples. Asana. https://asana.com/resources/risk-register

Understanding the NIST cybersecurity framework. (2018, October 5). Federal Trade Commission. https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/nist-framework

Ridley, T. (2021, November 28). Risk-informed decision making: Real world effectiveness as opposed to risk-based decision making, which remains extremely limiting, if not dangerous. LinkedIn. https://www.linkedin.com/pulse/risk-informed-decision-making-real-world-opposed-tony

Lutkevich, B. (2023, March 31). Systems thinking. TechTarget. https://www.techtarget.com/searchcio/definition/systems-thinking

Goodman, M. (2016, February 27). Systems thinking: What, why, when, where, and how? The Systems Thinker. https://thesystemsthinker.com/systems-thinking-what-why-when-where-and-how/