Your company has been managing risk since its inception. OT cyber risk is not special. It’s one more risk, albeit often ignored until recently. One clear path to failure is to try to invent your own method for managing OT cyber risk that differs from your company’s existing risk management method.
Find out who is responsible for risk management at your company and ask them how it’s done. Are there documents defining the risk management process? Is there a risk register? Are risk management reports issued periodically or when risk decisions are required by the executives or board?
Go in with a beginner’s attitude and with the approach that you are trying to understand the process so you can provide risk management with the information they need on OT cyber risk.
Don’t expect risk management to tell you all the company’s risks in detail. This is often viewed as sensitive information.
Many organizations have a 5×5 matrix / heat map like the ones shown in the two figures below. The most useful part of these matrices for your purposes is the consequence categories, broken down by the type of consequence. These consequence types and categories are independent of the cause: in the sample risk matrix below, a loss of over $50M would be a high consequence event whether it was caused by financial fraud, product recalls, an OT cyber incident or any other cause.
[Figures: two sample 5×5 risk matrix / heat map images, not reproduced here]
In this risk matrix example, a risk score of 16 and above could be considered an unacceptable risk by the board and executives. A risk score of 9–15 could require mitigation to reduce it to 8 or lower unless specifically accepted by the board and executives.
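To make the point concrete, here is an added worked example (not from the original post, and not any company's actual matrix) of scoring OT cyber scenarios on an existing 5×5 matrix. Only the rules stated above are taken from the text: a loss over $50M is a high consequence, a score of 16 and above is unacceptable, and a score of 9–15 must be mitigated to 8 or lower unless accepted. The consequence bands for financial loss, outage duration and safety, the level names, the likelihood scale and the sample scenarios are all assumed placeholders to be replaced with your company's own categories and thresholds. The example also reports the likelihood level a mitigation plan would have to reach for a given consequence, since most OT cyber controls reduce likelihood rather than consequence.

```python
"""Score an OT cyber scenario on a company's existing 5x5 risk matrix.

Added illustration, not from the original post. The consequence bands,
likelihood scale, level names and the sample scenarios are ASSUMED and
constructed; only the ">$50M is a high consequence", "16 and above is
unacceptable" and "9-15 mitigate to 8 or lower unless accepted" rules
come from the text above.
"""
from dataclasses import dataclass

CONSEQUENCE_LABELS = {1: "Low", 2: "Minor", 3: "Moderate", 4: "High", 5: "Severe"}

# Consequence bands are (minimum value, level), checked from the top down.
# Values are assumed; substitute your own matrix's categories and thresholds.
FINANCIAL_LOSS_USD = [(500_000_000, 5), (50_000_000, 4), (5_000_000, 3), (500_000, 2), (0, 1)]
OUTAGE_DAYS = [(14, 5), (7, 4), (2, 3), (1, 2), (0, 1)]
SAFETY = {"none": 1, "first_aid": 2, "lost_time_injury": 3, "permanent_disability": 4, "fatality": 5}

# Score thresholds from the post's sample matrix.
UNACCEPTABLE_AT = 16
MITIGATE_AT = 9
ACCEPTABLE_MAX = 8


def band(value, bands):
    """Map a raw value to a 1-5 consequence level using the first band it reaches."""
    if value < 0:
        raise ValueError("consequence values cannot be negative")
    for minimum, level in bands:
        if value >= minimum:
            return level
    return 1


@dataclass
class Scenario:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    financial_loss_usd: float = 0.0
    outage_days: float = 0.0
    safety: str = "none"


def consequence_level(scenario):
    """Return (level, category): the worst consequence across all categories.

    The categories are independent of cause, so an OT cyber scenario is
    scored on the same bands as fraud or a product recall would be.
    """
    levels = {
        "financial": band(scenario.financial_loss_usd, FINANCIAL_LOSS_USD),
        "outage": band(scenario.outage_days, OUTAGE_DAYS),
        "safety": SAFETY[scenario.safety],
    }
    category = max(levels, key=levels.get)
    return levels[category], category


def risk_score(scenario):
    """Likelihood x consequence, as on a 5x5 matrix."""
    if not 1 <= scenario.likelihood <= 5:
        raise ValueError("likelihood must be 1-5")
    level, _ = consequence_level(scenario)
    return scenario.likelihood * level


def disposition(score):
    """Apply the post's thresholds: 16+ unacceptable, 9-15 mitigate, 8 or lower acceptable."""
    if score >= UNACCEPTABLE_AT:
        return "Unacceptable"
    if score >= MITIGATE_AT:
        return "Mitigate unless accepted"
    return "Acceptable"


def max_acceptable_likelihood(level):
    """Highest likelihood that keeps the score at 8 or lower for a fixed consequence."""
    return max(1, min(5, ACCEPTABLE_MAX // level))


def register_row(scenario):
    """One risk-register entry in the form the risk management function expects."""
    level, category = consequence_level(scenario)
    score = risk_score(scenario)
    return {
        "risk": scenario.name,
        "likelihood": scenario.likelihood,
        "consequence": f"{level} ({CONSEQUENCE_LABELS[level]}, driven by {category})",
        "score": score,
        "disposition": disposition(score),
        "likelihood_needed_to_accept": max_acceptable_likelihood(level),
    }


# Constructed sample scenarios (not from the post).
SCENARIOS = [
    Scenario("Ransomware on plant HMI network", likelihood=3, financial_loss_usd=20e6, outage_days=10),
    Scenario("Safety instrumented system bypassed", likelihood=2, safety="fatality"),
    Scenario("Commodity malware on engineering laptop", likelihood=4, financial_loss_usd=200_000, outage_days=1),
    Scenario("Loss of control across all sites", likelihood=4, financial_loss_usd=80e6, outage_days=21),
]

if __name__ == "__main__":
    for row in map(register_row, SCENARIOS):
        print(f"{row['score']:>2}  {row['disposition']:<24} {row['consequence']:<34} {row['risk']}")
```

Running the block prints one register row per scenario; the ransomware scenario, for instance, scores 3 × 4 = 12 (driven by the assumed outage band, not the financial loss) and lands in the "mitigate unless accepted" range, with likelihood needing to drop to 2 before the score reaches 8. The point of the structure is that the OT cyber team only supplies the scenario and its consequences; the bands, thresholds and dispositions belong to the company's existing process.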
If your company doesn’t have a risk matrix, they may have a risk committee, risk register procedure, or some other process where risk is identified and determined if it’s acceptable or needs to be reduced.
It’s a sad fact that many organizations, even those that run and maintain critical infrastructure, do not have a formal risk management process. If this is your company, the task is harder and still worthwhile. Interview individuals across departments, ideally at an executive level, but take what you can access. Try to understand what they would view as a high consequence event and why.
For example, Finance might tell you a 2-week outage is not a high consequence event because you can purchase an alternate supply. Or they might tell you a 2-day outage would be a high consequence event because of penalties for non-delivery.
Don’t let the perfect be the enemy of the good. If you end this week with a better understanding of how your company manages risk, that is a success.
_________
Department(s) and Role(s) responsible for managing risk:
Insert your company’s Risk Matrix or define what is considered a high consequence event: