Peter WONG, Head of Information Security and Compliance, Asia Pacific, Edenred
One of the biggest challenges organizations face is how to justify and prioritize the risks identified in cybersecurity and work to mitigate those risks and align them with business goals. This is because risk management is often viewed as an isolated function, separate from the rest of the organization. As a result, the risks an organization manages may not be consistent with its overall business objectives.
One way to address this challenge is to combine risk governance with value chain analysis. Risk governance provides an overall framework for managing risk, while value chain analysis helps identify and assess the specific risks associated with each activity in the value chain.
Risk governance is the structure and set of processes an organization uses to identify, assess, manage and monitor risks. It is critical for any organization that wants to achieve its strategic goals and protect its value.
Value chain analysis is a framework for understanding the activities that create value for customers and identifying the risks associated with each activity. It can be used to identify and assess risks across an organization’s entire value chain, from sourcing raw materials to delivering products and services to customers.
“Value chain analysis helps identify and assess the specific risks associated with each activity and team in the value chain by aggregating these risks and mapping the risks to business value.”
Risk governance and value chain analysis are synergistic tools. Risk governance provides the overall framework for managing risk. At the same time, value chain analysis helps identify and assess the specific risks associated with each activity and team in the value chain by aggregating risks and mapping risks to business value.
Integrating risk governance with value chain analysis
The value chain can be modeled as a sequence of activities from business value to IT assets as follows:
To combine risk governance with value chain analysis, organizations can follow these steps:
1. Inventory business solutions, business operations, business applications, and IT assets. This inventory should include a mapping of how each asset supports business solutions and business value.
2. List audit results, vulnerability reports, and security incidents, and link each of them to the identified asset it affects.
3. Summarize the vulnerabilities and threats to each business solution and link the resulting risks to business value (e.g., revenue). This makes it possible to prioritize risks and to explain the rationale to business leaders.
Benefits of combining risk governance with value chain analysis
Benefits of combining risk governance with value chain analysis include:
● Improved visibility of risks across the value chain
● Better alignment of risk management efforts with business objectives
● More effective risk mitigation strategies that reduce risk exposure
Example
A company that sells retail products online has three business solutions: A, B, and C. The security team reported three vulnerabilities in two IT assets: Server X (supports both Solution A and B) and Server Y (supports Solution C only).
Typically, an organization might prioritize remediation of Server X because it supports two business solutions. However, by combining risk governance with value chain analysis, the company may find that Solution C has the greatest business value: Solution C may be more profitable, have a larger customer base, or be more critical to the company’s overall strategy.
In that case the company should prioritize remediation of Server Y, because it supports the most commercially valuable business solution. Ranking by exposed business value rather than by the number of dependent solutions helps the company protect its most valuable assets and achieve its strategic goals.
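The three steps and the Server X / Server Y scenario, as an added illustration written for this article (it is not a tool the author or Edenred uses; the solution values, finding IDs and severities are constructed placeholders). It shows how the remediation order flips once each asset's worst open finding is weighted by the business value that depends on it:

```python
"""Value-chain-weighted remediation ranking (added illustration, not the article's tooling)."""
from collections import defaultdict

# Constructed sample data mirroring the article's scenario; all numbers are hypothetical.
SOLUTION_VALUE = {"A": 30.0, "B": 40.0, "C": 120.0}          # business value per solution (e.g. revenue)
ASSET_SUPPORTS = {"Server X": ["A", "B"], "Server Y": ["C"]}  # step 1: asset -> solutions it supports
VULNERABILITIES = [                                            # step 2: findings linked to assets
    {"id": "V-1", "asset": "Server X", "severity": 7.5},
    {"id": "V-2", "asset": "Server X", "severity": 6.0},
    {"id": "V-3", "asset": "Server Y", "severity": 7.0},
]


def business_exposure(asset, asset_supports=ASSET_SUPPORTS, solution_value=SOLUTION_VALUE):
    """Business value that depends on the asset: the sum of the solutions it supports."""
    return sum(solution_value[s] for s in asset_supports.get(asset, []))


def asset_scores(vulns=VULNERABILITIES, asset_supports=ASSET_SUPPORTS, solution_value=SOLUTION_VALUE):
    """Step 3: weight each asset's worst open finding by the business value it exposes.

    The worst finding (not the sum) is used so that many low-severity findings on
    one asset do not outrank a single serious finding on another.
    """
    worst = defaultdict(float)
    for v in vulns:
        worst[v["asset"]] = max(worst[v["asset"]], v["severity"])
    return {a: worst[a] * business_exposure(a, asset_supports, solution_value) for a in worst}


def remediation_order(**kwargs):
    """Assets ranked by value-weighted risk, highest first."""
    scores = asset_scores(**kwargs)
    return sorted(scores, key=lambda a: scores[a], reverse=True)


def solution_risk(vulns=VULNERABILITIES, asset_supports=ASSET_SUPPORTS):
    """Business-facing view: the worst open severity reaching each solution via its assets."""
    risk = defaultdict(float)
    for v in vulns:
        for solution in asset_supports.get(v["asset"], []):
            risk[solution] = max(risk[solution], v["severity"])
    return dict(risk)


def count_based_order(vulns=VULNERABILITIES, asset_supports=ASSET_SUPPORTS):
    """The 'typical' ranking the article contrasts with: number of solutions per asset."""
    assets = {v["asset"] for v in vulns}
    return sorted(assets, key=lambda a: len(asset_supports.get(a, [])), reverse=True)


if __name__ == "__main__":
    print("count-based order:   ", count_based_order())   # Server X first
    print("value-weighted order:", remediation_order())   # Server Y first
```

With these placeholder values Server X scores 7.5 × 70 = 525 and Server Y scores 7.0 × 120 = 840, so the value-weighted view puts Server Y first even though Server X carries more findings and supports more solutions.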
In conclusion
By combining risk governance with value chain analysis, organizations can make more informed decisions about how to prioritize cybersecurity risks. This helps organizations protect their most valuable assets and achieve their strategic goals.