
Risk First

Building Organisational Resilience from the Top Down
10 July 2025 by Dr Bryce Antony

Enjoy the second of our four-part series on Organisational Resilience.


When organisations talk about resilience, cyber security, or compliance, they often jump straight to solutions: encryption protocols, endpoint monitoring, threat detection, or disaster recovery.


But at the heart of all of it lies a deceptively simple question: what risk do we face?


Before any control is implemented, any framework adopted, or any policy documented, the organisation must first know what it's protecting — and what it's protecting it from.


This is why risk identification and analysis are the foundational steps of every major cybersecurity and operational resilience framework — from DORA and ISO/IEC 27001, to the CIS Critical Security Controls v8.


Why “Everything Is a Risk” Isn’t Just a Saying


In security governance, everything is a risk.


  • An unpatched device.
  • A staff member falling for a phishing email.
  • A misconfigured backup.
  • A well-meaning developer hardcoding credentials.
  • A cyclone that cuts power to your server room.


These aren't hypothetical scenarios — they're latent risks, sitting quietly until triggered.


And the only way to handle them is to bring them into the open.


Risk = Impact × Likelihood


Once identified, each risk must be measured.


This is where risk assessment models come in.


Across frameworks, the basic formula remains:


Risk Score = Impact × Likelihood


Impact refers to how damaging the event would be if it occurred (e.g. financial loss, reputational harm, regulatory penalty).


Likelihood is the probability that the event will occur (e.g. based on past events, threat intelligence, or exposure).


A low-impact, high-likelihood event (like phishing spam) may be annoying but manageable. A high-impact, low-likelihood event (like a volcanic eruption disrupting fibre infrastructure) may require different types of planning altogether.


Tabulating these values provides a prioritised list of risks, allowing organisations to allocate resources toward addressing the most critical vulnerabilities first.


From Risk to Control to Policy


Once a risk is quantified, the next step is mitigation — the application of security controls.


These controls can be:


  • Technical – firewalls, MFA (multi-factor authentication), data encryption
  • Administrative – staff training, access review, segregation of duties
  • Physical – locked server rooms, environmental monitoring, CCTV


Each control is intended to reduce either the likelihood or the impact of a specific risk.


As controls are implemented and validated, they are aggregated into policies — formalised documents that state how the organisation is managing its risk landscape.


These policies become auditable artefacts, core to frameworks like ISO 27001, DORA, and NIST SP 800-53.


Residual Risk: The Risk That Remains


Even after controls are applied, residual risk remains.


No system is 100% secure — and no executive should assume otherwise.


Residual risk is the accepted level of exposure an organisation chooses to live with after mitigation.


It is informed by cost-benefit analysis, business priorities, legal requirements, and the threat landscape.


This is why risk acceptance is as important as risk identification — it reflects strategic decision-making.


Risk cannot always be eliminated. But it can be understood, monitored, and justified.
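As an added illustration (not code from the original post), the scoring and prioritisation steps from the formula section above and the residual-risk reasoning in this section, worked through in a toy risk register. The 1-5 scale, the sample risks, their scores, the control reductions and the appetite threshold are all constructed assumptions:

```python
"""Added example, not code from the original post: a small risk register that
applies Risk Score = Impact x Likelihood, then models controls that lower one
factor or the other and reports the residual risk. All values are constructed."""
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    kind: str                    # technical, administrative or physical
    likelihood_reduction: int = 0
    impact_reduction: int = 0

@dataclass
class Risk:
    name: str
    impact: int                  # assumed 1-5 ordinal scale
    likelihood: int              # assumed 1-5 ordinal scale
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.impact * self.likelihood

    def residual_factors(self) -> tuple:
        # Each control reduces either likelihood or impact; the floor of 1
        # is why residual risk never reaches zero.
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, imp), max(1, lik)

    def residual_score(self) -> int:
        imp, lik = self.residual_factors()
        return imp * lik

def prioritise(risks):
    """Highest inherent score first: the order in which to treat risks."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)

def needs_acceptance(risk, appetite):
    """True when residual risk still exceeds the appetite and leadership must accept or treat it."""
    return risk.residual_score() > appetite

# Constructed register echoing the post's own list of latent risks.
REGISTER = [
    Risk("Unpatched device", 4, 5, [Control("Patch management", "technical", likelihood_reduction=3)]),
    Risk("Staff falls for phishing email", 3, 5, [Control("Awareness training", "administrative", likelihood_reduction=1),
                                                   Control("MFA", "technical", impact_reduction=2)]),
    Risk("Hardcoded credentials", 5, 3, [Control("Secret scanning in CI", "technical", likelihood_reduction=2)]),
    Risk("Cyclone cuts power to server room", 5, 1, [Control("UPS and generator", "physical", impact_reduction=2)]),
]
```

Note that the two 15-point risks tie on inherent score yet end with different residual scores, which is why both the inherent and the residual column belong in the register.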


Frameworks in Focus: DORA, ISO, and CIS

Let’s connect this thinking to key frameworks:


DORA (Digital Operational Resilience Act)

DORA mandates that financial institutions identify ICT-related risks and apply proportionate controls. It links operational continuity directly to risk-based governance and highlights incident classification, resilience testing, and risk scenario planning as requirements.


ISO/IEC 27001 / 27005

The ISO 27000 family places risk at the centre. ISO/IEC 27005 explicitly guides organisations in identifying, analysing, evaluating, treating, and monitoring information security risks. It's a lifecycle — and policy is just one output.


CIS Critical Security Controls v8

The CIS framework recommends starting with a risk-based approach to implementation, enabling organisations to tailor control adoption based on business context and threat exposure.


Executive Takeaways


  • You can’t secure what you don’t understand. Risk identification is the first control.
  • Security controls are tools, not goals. Their role is to reduce risk, not check a box.
  • Policies must reflect actual controls. Writing a policy without implementation is theatre.
  • Residual risk is unavoidable. But it must be visible, justifiable, and documented.
  • Risk is dynamic. New systems, new partners, and new regulations change your risk profile. Reassessment must be routine.


Risk as a Strategic Asset


Far from being a burden, risk frameworks are a lens through which leaders can view their organisation's posture, priorities, and resilience.


When done well, risk analysis drives informed investment, measured decision-making, and cross-functional clarity.


Because resilience isn’t just about surviving the next cyber incident — it’s about knowing, in advance, which domino will fall first… and doing something about it.