Is there a risk assessment program that has been approved by management, communicated to constituents and an owner to maintain and review the program?

approved risk management program

A risk management program evaluates observed risks to your organization's security.

Typically a risk management program will dictate that all factors generating risk are evaluated on a regular basis (e.g. monthly, quarterly, or annually) and that any issues which arise between regular analyses are evaluated as they appear.

Risks are also classified into severities such as High, Medium, or Low. The program will also dictate how quickly issues are expected to be addressed based on their severity level.

Finally, the risk management program should be documented and approved, and ultimately upheld, by the business owner or executive management such as the CEO.

For example, the lack of hard disk encryption on employee laptops could present a medium risk, as the loss of a laptop would expose all information on that laptop to whoever finds it. Your risk management policy may dictate that medium risks are addressed within 90 days, or else the risk must be formally accepted by the system owner and the most senior security officer.

Why are they asking this?

An approved risk management program ensures that a policy is in place to manage the overall risk of an organization and that it is well understood by key stakeholders in the business. Being approved signals that the program has some maturity and ensures management agrees on how risk is managed.

What do they expect?

Your organization has a risk management policy that has been approved by executive management. The risk management program should define how risk is evaluated, how often it is evaluated, how risks are managed, and finally who in the organization is responsible for reviewing and accepting risk.