Risk Management Module

The Secureframe Risk Management Module allows organizations to assess, track, and mitigate risks. Within the Risk Library, predefined risks are available for selection based on industry standards and compliance requirements. Organizations can filter risks based on categories such as Information Security, Privacy, and Fraud to identify those most relevant to their business.

Overview

  • Risk Library
  • Robust workflows for risk assessment
  • Robust workflows for risk review
  • Robust workflow for risk mitigation and remediation

Our new Risk Management module helps users streamline their risk identification, assessment, and management process. Using the module and its workflows, users can determine which risks truly apply to them and decide how to handle each one.

Utilizing our Risk Library/workflow

Our new risk library contains hundreds of common, pre-populated risks that you can select from and assess as you conduct your risk due diligence. As you add any of these risks to your Risk Management module, you will be able to review, document, and treat the risk as needed for your risk management posture. If none of these risks apply to your organization, that’s fine, you can create custom risks!


In addition to our risk library, Secureframe allows you to create custom risks for your organization. Users have the same capabilities with these risks as the ones from the risk library, just with more customization capabilities. 


This is the first page within the risk assessment workflow and is where the crucial details for each risk are entered and defined. The platform includes validations to ensure that critical information is entered; if these fields are not filled out, the platform will not allow you to complete the risk assessment. The details page includes the risk formula calculations and the owner, departments, category, and tags defined for each risk.

Selecting Relevant Risks

When selecting risks from the Risk Library, consider:

  • Your compliance framework requirements (e.g., SOC 2 requires Information Security and Fraud risks).
  • The nature of your business operations and data handling processes.
  • Industry-specific risks and historical incidents within your organization.

Secureframe’s blog post on risk assessment offers further guidance on selecting risks.

Historical vs. Future Risks

Organizations should evaluate risks based on two key perspectives:

  • Historical Risks: Risks that have previously occurred in the organization, which can be identified through past incidents, audit findings, or security breaches.
  • Future Risks: Potential threats that could impact the organization due to industry changes, new technology adoption, or evolving regulatory requirements.

By combining historical risk data with proactive risk assessment, organizations can create a comprehensive risk management strategy.

Managing Risks

Once risks have been selected, organizations should:

  • Assess Likelihood & Impact: Determine how likely the risk is to occur and its potential consequences.
  • Implement Controls: Use security controls, policies, and processes to mitigate risk.
  • Monitor & Review: Regularly review risks to ensure they remain relevant and mitigation strategies are effective.

Conducting a Risk Assessment

As you create or select risks, you will need to conduct a risk assessment for each risk. Make sure to consider the following:

  • This risk assessment involves selecting the impact and likelihood scores which are part of the formula to calculate overall risk.
  • The likelihood-impact risk formula assesses the potential risk of an event by considering the probability of its occurrence (likelihood) multiplied by the magnitude of its potential consequences (impact).
  • This helps prioritize and manage risks based on their overall potential impact on a system or project.


Treatment

Within the treatment section, your organization will determine how to handle the risk, whether via risk acceptance, transfer, avoidance, or mitigation. On this screen you will justify any treatment decisions and record the residual risk. Residual risk is the risk that remains for an action or event after the inherent risk has been reduced by risk controls.

  • Acceptance - Retain the risk as-is with no further changes.
  • Transfer - Shift the risk outside of your organization, e.g., through cyber liability insurance.
  • Avoid - Eliminate the risk entirely or reduce the threat it poses.
  • Mitigation - Identify controls or other solutions to put in place that reduce the threat of the risk.


Risk Review

This is where the risk assessment is completed. Please confirm all information and ensure the completeness and accuracy of it prior to hitting “complete assessment”.

Risk Categories

These can be used to organize risks. 

Risk Stages - Draft/Complete

Risks have two stages: draft and complete. Risks in draft can be worked on, completed, or deleted and are fully customizable as needed. Completed risks can still be edited, but only after they are reverted to draft. Additionally, you can click into each risk to see its relevant details and calculations.

View Risk History

View history is where users and auditors can export a history of risks and the actions taken on them, for example when needed for an audit or security questionnaire. Any update to a risk item is captured here in a change log.


Risk Management Settings

Within settings, users can configure their “tags” and their “scoring” configurations. Please see the respective sections below for more information. 


Risk Tags

Tags are used to assign relevant details, categories, and other information to individual risks. Like categories, tags give the admins responsible for risk management context about each risk. Secureframe provides Categories and Departments for you to choose from, but you can customize or add tags if needed.

Risk Scoring

This is where users can assign or set the weights for the respective risk scores. The same scores and weights affect different organizations differently, so users have the flexibility to weight scores as they see fit. Be sure to edit scoring before adding risks, since the weights feed into the risk formula for every assessment.
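The pieces described above (the likelihood x impact formula, configurable scoring weights, the required-field validations that block “complete assessment”, the treatment options with residual risk, the draft/complete stages, and the change log) fit together as shown in this added example. It is illustrative code, not Secureframe’s own implementation; the level names, weights, field names, and validation messages are assumptions.

```python
from dataclasses import dataclass, field
# Constructed scoring configuration standing in for the module's "scoring" settings.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = ("accept", "transfer", "avoid", "mitigate")

@dataclass
class Risk:
    name: str
    owner: str = ""
    likelihood: str = ""
    impact: str = ""
    treatment: str = ""
    justification: str = ""
    residual_likelihood: str = ""  # expected levels once the treatment is in place
    residual_impact: str = ""
    stage: str = "draft"           # "draft" or "complete"
    history: list = field(default_factory=list)  # change log of stage transitions

def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]  # likelihood x impact

def residual_score(r: Risk) -> int:
    """Acceptance retains the risk as-is; other treatments use the residual levels."""
    if r.treatment == "accept":
        return score(r.likelihood, r.impact)
    return score(r.residual_likelihood, r.residual_impact)

def validation_errors(r: Risk) -> list:
    """Required-field checks; completing the assessment is blocked while any fail."""
    checks = [
        (r.owner, "owner is required"),
        (r.likelihood in LIKELIHOOD and r.impact in IMPACT, "likelihood and impact must be configured levels"),
        (r.treatment in TREATMENTS, "treatment must be accept, transfer, avoid or mitigate"),
        (r.justification, "treatment decision needs a justification"),
        (r.treatment == "accept" or (r.residual_likelihood in LIKELIHOOD and r.residual_impact in IMPACT),
         "residual likelihood and impact are required unless the risk is accepted"),
    ]
    errors = [msg for ok, msg in checks if not ok]
    if not errors and residual_score(r) > score(r.likelihood, r.impact):
        errors.append("residual risk cannot exceed inherent risk")
    return errors

def complete_assessment(r: Risk) -> Risk:
    errors = validation_errors(r)  # a draft moves to "complete" only when every check passes
    if errors:
        raise ValueError("; ".join(errors))
    r.stage = "complete"
    r.history.append(("complete", score(r.likelihood, r.impact), residual_score(r)))
    return r
```

Because the weights are read at scoring time, changing them after risks exist silently changes every inherent and residual score, which is why scoring should be configured before risks are added.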
