Risk management

Last updated: Sep 6, 2023

We use risk assessments to plan short- and long-term security projects, as well as to set priorities within our Security team.

Risk assessments address risk by transferring, avoiding, or mitigating that risk, and include:

Security Risk Register (SRR)
procedural
ad hoc
development
risk treatment planning
risk treatment options

Let's dive into some details below.

SRR

SSR is our primary tool for assessing the risk exposure of every identified security threat across our environment and is the basis for most other risk management tools in play. We use the SRR to inform relevant groups (notably the Security team and the leadership/executive teams) regarding our knowledge of risk exposure.

Procedural

We use procedural risk assessments—a standard process for analyzing the risk of various input—to make informed decisions around the associated risk exposure.

Each risk assessment leverages data tabulated in the SRR to articulate the impact of various risk scenarios and inform decision-making in relevant contexts.

Ad hoc

We use ad hoc risk assessments to evaluate risk if a circumstance arises that falls outside our structured evaluations.

Development

We use development risk assessments for new major products or product features to make sure that we thoroughly evaluate critical security and legal controls.

An initial assessment gauges the overall risk of the design.
If our Security team identifies a high level of risk, we ask for more details in the product design document.
Our Security team may ask for clarification around sensitive topics and require design changes or mitigation strategies to address new risk exposure.
Follow-up risk assessments may be necessary depending on the complexity of the project.

Risk treatment planning

Enumerate existing controls per FAIR Controls Analytics Model (FAIR-CAM).
Select risk treatment approach(es) and justification.
Evaluate any additional proposed controls.
Assign lead stakeholders and other owners.
Set timeframe to achieve intended treatment.

Risk treatment options

mitigation (via remediation and countermeasures)
transfer (e.g., to third party)
avoidance (eliminate vulnerable function or service)
acceptance (based on understanding of exposure and weighted against appetite for risk)

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.