Is Your Organization at Risk? Of Course, it is. But What Does that Even Mean?
Business leaders frequently ask whether their organizations are “at risk,” especially in cybersecurity—but the term is often misused or confused with related concepts like threats. To manage information security effectively, organizations need a clear, shared understanding of what risk truly means and how it differs from other terms.
2025-04-24
Trey Guerin, Senior Cybersecurity Solutions Architect

Business executives know all about risk. On the topic of cybersecurity, I bet you’ve been asked many times, “Are we at risk?”

Risk is a confusing word. It is often used interchangeably with other terms, and when that happens, the true meaning gets lost.

For example, what does it mean when someone says, “You’re at risk,” or “Your business is at risk”? At risk of what? Is it good risk or bad risk? What is the difference between a threat and a risk?

Of all the information management disciplines, risk is the one that really needs a common language.

Measuring Risk

A threat is something that can have a negative impact on your business operations. For example, malware is a threat.

Risk, by contrast, is the output of an analysis: it combines the likelihood of a threat with its potential impact on the business.

Many organizations today are leaning into governance, risk, and compliance (GRC) platforms to help protect against cybersecurity threats. These tools are very effective, but they don’t replace the need for a formal Risk Management Process (RMP).

One reason organizations need an RMP is to delineate between inherent risk and residual risk. Inherent risk is risk in a vacuum, assessed before any countermeasures are considered. For example, organizations are constantly bombarded by cyberattacks. What is the likelihood your organization will be hit by a malicious code attack? It’s pretty high.

Residual risk is the level of risk remaining after taking into consideration countermeasures. For example, many organizations use antivirus software on endpoints, malicious code detection on firewalls, and other technologies as countermeasures against cyberattacks. As a result, residual risk is typically lower than inherent risk.

Determining your actual risk requires an RMP. Without one, you are shooting in the dark—and maybe spending a lot more money than you need to.

Managing a Risk Management Process

Risk Management involves risk identification, assessment, mitigation, and monitoring. It is a systematic, ongoing process that defines how risk will be handled within an organization and enables leaders to make sound decisions based on their business model, goals, and risk tolerance.

Risk can never be completely eliminated. But it can be reduced—sometimes to very low levels. More importantly, with a Risk Management Process, leaders have solid information from which to balance risk and reward.

A Risk Management Process consists of five elements:

1. Information Assets and Context - Risk depends on context. To determine risk, we first need to understand the information assets involved and the industry and/or operating environment of the organization.

Business context is determined using input from leaders across the organization. After all, people are impacted differently, depending on their business-function roles and responsibilities. We need a clear understanding of what would happen to a business’s operation if an asset were negatively affected—this is best understood through workflow processes and data classification.

Getting this step correct is vital to the whole process, because managing risk comes down to understanding potential consequences, establishing priorities, and allocating resources—three tasks that can’t be done well without first understanding information assets and context.

2. Risk Identification - This step involves two important activities: 1) identifying a comprehensive set of threats to an organization’s operations and information assets, and 2) creating likelihood statements (i.e., the chance of the event actually happening).

Threats are easy to list. The key is to be thorough. For each threat identified, we need to understand the odds and the potential impact to the organization before we can assess risk.

3. Risk Analysis - Managing risk comes down to assessing the potential consequences of a threat against the cost to mitigate it. But before we can apply a risk level to a threat, we have to consider the controls we have in place to counter the threat. For illustrative purposes, consider a simple matrix like the one below:

The analysis step enables us to determine residual risk from inherent risk. For example, a potential threat such as a malware attack may have a high likelihood of occurring and could cause significant damage, resulting in a risk level of high. But after considering the countermeasures we have in place to protect against the threat, the overall risk level could shift to medium or even low.

4. Risk Response - Now that we know our true risk level, it’s decision-making time. What actions do we take in light of the information? Before we can answer that question, we first need to understand risk tolerance.

Managing risk is about operating at a risk level that is acceptable to the organization and its leaders, and every organization is a bit different. What one organization is willing to tolerate might shock another, which would spend whatever it takes to mitigate it.

There are four ways to respond to risk:

  1. Accept it

  2. Treat it
    The objective with this response is to reduce the likelihood of an occurrence, reduce the impact or consequences, or both. Risk treatments can be divided into several categories:

    • Mechanisms – typically software or hardware that constitute a component of an information asset
    • Policies – guidance in alignment with business objectives
    • Procedures – detailed activities required to meet policy objectives
    • Assurance – activities used to ensure the effectiveness of a mechanism
  3. Transfer the risk to a third party

  4. Avoid the risk by terminating the activity

It’s important to note that some threats, even after applying countermeasures or taking a response action, will require further evaluation, because the residual risk may still be too high. A Risk Management Process helps here, because each risk rating will have a communication plan and will define who has authority to make decisions on the next course of action.

5. Monitor, Report, and Review - We all know things change over time: New threats emerge, countermeasures may cease to be effective, legislative or regulatory requirements change, and leaders are replaced.

Part of a Risk Management Process is the creation of a Risk Register. The Risk Register is a living document that identifies threats, consequences, current risk level, and mitigation measures.

The Risk Register is a critical reporting tool to inform corporate executives, prioritize actions, and track mitigation status.
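As an added worked example (not part of the article and not ePlus material), here are the five steps carried through in Python for a constructed two-asset organization: a step-1 data classification on each asset, step-2 likelihood and impact statements, a step-3 likelihood-by-impact matrix that yields the inherent rating plus a control model that lowers likelihood or impact to give the residual rating, a step-4 accept-or-escalate decision against a stated tolerance, and a step-5 register row per threat. The 3x3 matrix, the "levels reduced" control model, the tolerance value and the sample assets are all assumptions; the article's own matrix does not survive on this page and is not reproduced here.

```python
from dataclasses import dataclass, field

# Qualitative scale used throughout (assumption: three levels, as in a 3x3 matrix).
LEVELS = ["Low", "Medium", "High"]

# Assumed likelihood x impact matrix standing in for the article's missing figure.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}


def reduce_level(level: str, steps: int) -> str:
    """Move a qualitative level down by `steps`, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class Control:
    """A countermeasure (step 3). `kind` uses the article's treatment categories."""
    name: str
    kind: str                       # Mechanism, Policy, Procedure or Assurance
    likelihood_reduction: int = 0   # levels removed from likelihood (assumed model)
    impact_reduction: int = 0       # levels removed from impact (assumed model)


@dataclass
class Threat:
    """A threat against one information asset, with its step-2 likelihood statement."""
    asset: str
    classification: str             # step 1: data classification of the asset
    description: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_risk(t: Threat) -> str:
    """Risk 'in a vacuum': likelihood and impact with no controls considered."""
    return RISK_MATRIX[(t.likelihood, t.impact)]


def residual_risk(t: Threat) -> str:
    """Risk remaining after each control lowers likelihood and/or impact."""
    likelihood, impact = t.likelihood, t.impact
    for c in t.controls:
        likelihood = reduce_level(likelihood, c.likelihood_reduction)
        impact = reduce_level(impact, c.impact_reduction)
    return RISK_MATRIX[(likelihood, impact)]


def response(residual: str, tolerance: str) -> str:
    """Step 4: accept risk within tolerance; otherwise a treat/transfer/avoid decision is needed."""
    if LEVELS.index(residual) <= LEVELS.index(tolerance):
        return "Accept"
    return "Treat, transfer or avoid (escalate per communication plan)"


def risk_register(threats: list, tolerance: str) -> list:
    """Step 5: one register row per threat, the living document leaders review."""
    return [
        {
            "asset": t.asset,
            "classification": t.classification,
            "threat": t.description,
            "inherent": inherent_risk(t),
            "residual": residual_risk(t),
            "controls": [c.name for c in t.controls],
            "response": response(residual_risk(t), tolerance),
        }
        for t in threats
    ]


# Constructed sample organization (not real data): two assets, two threats.
SAMPLE_THREATS = [
    Threat("Employee laptops", "Internal", "Malware infection via e-mail attachment",
           likelihood="High", impact="High",
           controls=[Control("Endpoint antivirus", "Mechanism", likelihood_reduction=1),
                     Control("Nightly backups", "Procedure", impact_reduction=1)]),
    Threat("HR records system", "Confidential", "Credential theft leading to data exposure",
           likelihood="High", impact="Medium"),
]
SAMPLE_TOLERANCE = "Medium"   # assumed leadership risk tolerance


def build_sample_register() -> list:
    return risk_register(SAMPLE_THREATS, SAMPLE_TOLERANCE)


if __name__ == "__main__":
    for row in build_sample_register():
        print(f"{row['asset']:<20} inherent={row['inherent']:<7} "
              f"residual={row['residual']:<7} -> {row['response']}")
```

Running the file prints one register line per threat. The laptop malware case shows the shift the analysis step describes: High inherent risk drops to Medium once antivirus and backups are counted, which sits within the assumed tolerance and is accepted; the uncontrolled HR threat stays High and is flagged for a treat, transfer or avoid decision.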

Formalizing a Risk Management Process

Risk Management is a foundational part of a Security Management Program. It enables you to explain what risk means to your organization, what consequences mean, and what likelihoods mean—three critical questions every organization must be able to answer to manage risk.

Technology helps you implement and monitor countermeasures to protect your organization against threats and ensure you comply with industry standards and regulations. But it all starts with a baseline plan and an ongoing process for Risk Management.

For help in creating a Risk Management Process for your organization, check out our services at ePlus Security or contact your ePlus Account Executive.
