Risk Review: Internal, Supplier, and Architecture
Why Risk Review Is Important
Risk review is a critical component of an organization's ongoing risk management strategy. Risks are not static — they evolve as the business environment, technology landscape, threat actors, and organizational operations change over time. A failure to regularly review risks can lead to outdated controls, unmitigated vulnerabilities, and a false sense of security. Risk review ensures that the organization maintains an accurate understanding of its current risk posture and can make informed decisions about resource allocation, control adjustments, and strategic planning.
What Is Risk Review?
Risk review is the systematic, periodic process of reassessing previously identified risks, evaluating the effectiveness of existing controls, and identifying new or emerging risks. It encompasses three major dimensions:
1. Internal Risk Review
This involves examining risks that originate from within the organization. Internal risk reviews assess:
- Operational processes: Are current workflows introducing unnecessary risk?
- Personnel risks: Are employees following security policies? Is there insider threat potential?
- Policy and procedure compliance: Are internal policies still relevant and being enforced?
- Change management: Have recent changes to systems, processes, or personnel introduced new risks?
- Incident trends: Are internal incident reports revealing patterns that suggest unaddressed risks?
- Audit findings: Results from internal audits often feed into the risk review process.
2. Supplier (Third-Party/Vendor) Risk Review
Organizations rely on external suppliers for services, software, infrastructure, and more. Supplier risk review involves:
- Evaluating supplier security posture: Do vendors meet contractual security requirements?
- Reviewing SLAs and contracts: Are service level agreements being honored? Are security clauses adequate?
- Assessing supply chain risks: Could a compromise at a supplier cascade into the organization?
- Monitoring vendor compliance: Are suppliers compliant with regulatory requirements (e.g., GDPR, HIPAA)?
- Conducting periodic assessments: Using questionnaires, audits, or third-party risk rating services to evaluate vendor risk.
- Reviewing fourth-party risks: Understanding who your suppliers depend on and the risks those dependencies introduce.
3. Architecture Risk Review
This focuses on the technical design and infrastructure of the organization's IT environment:
- Network architecture: Are network segmentation, firewalls, and access controls adequate?
- System design: Are systems designed with security principles such as defense in depth, least privilege, and fail-secure?
- Cloud and hybrid environments: Are cloud configurations reviewed for misconfigurations (for example publicly exposed storage or ingress rules open to the whole internet) and for identities and roles with excessive permissions?
- Application architecture: Are applications designed securely, with proper input validation, encryption, and authentication mechanisms?
- Technology changes: Have new technologies, integrations, or migrations introduced architectural weaknesses?
- Threat modeling: Reviewing architecture against current threat models to identify potential attack paths.
How Risk Review Works
The risk review process typically follows these steps:
Step 1: Establish a Review Schedule
Risk reviews should be conducted at regular intervals (for example quarterly or annually) and also triggered by significant events such as security incidents, major system changes, mergers, vendor breach notifications, or new regulatory requirements.
Step 2: Gather Data and Context
Collect information from audit reports, incident logs, vulnerability assessments, penetration test results, vendor performance reports, and architecture documentation.
Step 3: Reassess Existing Risks
For each previously identified risk, evaluate whether the likelihood or impact has changed and recompute the residual risk that remains after existing controls. Determine whether those controls are still effective or need to be updated.
Step 4: Identify New and Emerging Risks
Consider changes in the threat landscape, new technologies adopted, new suppliers onboarded, regulatory changes, and shifts in organizational objectives.
Step 5: Evaluate Control Effectiveness
Determine whether current mitigation strategies are performing as expected. This may involve testing controls, reviewing metrics, and analyzing key risk indicators (KRIs).
Step 6: Update the Risk Register
Document any changes to risk ratings, add newly identified risks, retire risks that are no longer relevant, and record decisions about risk treatment (accept, mitigate, transfer, or avoid).
Step 7: Report and Communicate
Present findings to management and relevant stakeholders. Ensure that decision-makers have the information needed to allocate resources and prioritize remediation efforts.
Step 8: Track Action Items
Assign ownership for remediation actions, set deadlines, and monitor progress until risks are addressed to acceptable levels.
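The following is an added example, not part of the original page, that runs the steps above as one review cycle over a constructed risk register spanning the three dimensions. It decides whether each risk is due (scheduled interval or event trigger, step 1), raises likelihood when a KRI breaches its threshold (step 5), recomputes residual risk (step 3), compares it with the risk appetite to pick a treatment and updates the register (step 6), and emits owned, dated action items for reporting and tracking (steps 7 and 8). The 1..5 scoring scale, the appetite value, the review interval, the treatment rule and the sample risks are all assumptions made for illustration.

```python
"""Added example: one risk review cycle over a constructed register.
Scoring scale (likelihood 1..5 x impact 1..5), appetite, review interval,
treatment rule and sample risks are assumptions for illustration only."""

from dataclasses import dataclass, field
from datetime import date, timedelta

RISK_APPETITE = 8                      # max acceptable residual score (assumed)
REVIEW_INTERVAL = timedelta(days=90)   # quarterly scheduled review (assumed)


@dataclass
class Risk:
    risk_id: str
    dimension: str        # "internal", "supplier" or "architecture"
    description: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    control_effectiveness: float   # 0.0 (no control) .. 1.0 (fully mitigates)
    owner: str
    last_reviewed: date
    kri: dict = field(default_factory=dict)  # {"name", "value", "threshold"}
    retired: bool = False

    @property
    def residual(self):
        # Controls scale down the inherent score (likelihood x impact).
        return round(self.likelihood * self.impact * (1 - self.control_effectiveness), 1)


def review_trigger(risk, today, events):
    """Step 1: due on schedule, or early when an event hits the risk's dimension."""
    if today - risk.last_reviewed >= REVIEW_INTERVAL:
        return "scheduled"
    if risk.dimension in events:
        return "event-driven"
    return None


def treatment_for(risk):
    """Step 6: treatment decision driven by residual risk versus appetite (assumed rule)."""
    if risk.residual <= RISK_APPETITE:
        return "accept"
    return "transfer" if risk.dimension == "supplier" else "mitigate"


def review_cycle(register, today, events=frozenset()):
    """Steps 3 to 8 over the register: updates entries in place, returns a report."""
    report = {"reviewed": [], "kri_breaches": [], "actions": []}
    for r in register:
        trigger = None if r.retired else review_trigger(r, today, events)
        if trigger is None:
            continue
        # Step 5: a breached KRI means the control is not holding; raise likelihood.
        if r.kri and r.kri["value"] > r.kri["threshold"]:
            r.likelihood = min(5, r.likelihood + 1)
            report["kri_breaches"].append(r.risk_id)
        decision = treatment_for(r)
        r.last_reviewed = today
        report["reviewed"].append((r.risk_id, trigger, r.residual, decision))
        if decision != "accept":
            # Step 8: every non-accepted risk gets an owner and a deadline.
            report["actions"].append({"risk_id": r.risk_id, "owner": r.owner,
                                      "treatment": decision,
                                      "due": today + timedelta(days=30)})
    return report


TODAY = date(2025, 1, 15)   # fixed date so the example is deterministic

# Constructed sample register for illustration only.
REGISTER = [
    Risk("R1", "internal", "Staff fall for credential phishing", 3, 4, 0.4,
         "CISO", TODAY - timedelta(days=120),
         kri={"name": "phish sim click rate %", "value": 12, "threshold": 5}),
    Risk("R2", "supplier", "Managed-DNS vendor compromise cascades to us", 4, 5, 0.5,
         "Vendor Mgmt", TODAY - timedelta(days=30)),
    Risk("R3", "architecture", "Flat network lets a compromised host reach the DB", 3, 4, 0.7,
         "Platform Lead", TODAY - timedelta(days=20)),
    Risk("R4", "supplier", "Legacy payroll vendor data exposure", 2, 3, 0.5,
         "HR Ops", TODAY - timedelta(days=200), retired=True),  # vendor offboarded
]


if __name__ == "__main__":
    # R1 is overdue; R2 is pulled forward by a supplier breach notification.
    report = review_cycle(REGISTER, TODAY, events={"supplier"})
    for entry in report["reviewed"]:
        print("reviewed:", entry)
    for action in report["actions"]:
        print("action:", action)
```

In the sample run R3 is untouched because it is neither overdue nor affected by the supplier event, and R4 is skipped because it was retired; both stay in the register as history. R1's breached KRI pushes its likelihood from 3 to 4, which moves its residual score above appetite and turns what would have been "accept" into a mitigation action with an owner and a deadline.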
Key Concepts to Remember
- Risk review is an ongoing, iterative process, not a one-time activity.
- It ties closely to the risk management lifecycle: identify, assess, mitigate, monitor, and review.
- Internal reviews focus on organizational processes, people, and compliance.
- Supplier reviews address third-party and supply chain risks.
- Architecture reviews assess the technical security posture and design of IT systems.
- The risk register is a central artifact that is updated during each review cycle.
- Key Risk Indicators (KRIs) are measurable metrics with defined thresholds (for example phishing simulation click rate or vendor SLA breaches per quarter) that give early warning that risk levels are changing before an incident occurs.
- Risk reviews should align with the organization's risk appetite and risk tolerance.
Exam Tips: Answering Questions on Risk Review (Internal, Supplier, Architecture)
1. Understand the three dimensions: If a question describes a scenario involving a vendor breach or SLA failure, the answer likely relates to supplier risk review. If the scenario involves system design flaws, think architecture risk review. If it involves employee behavior or internal policy, think internal risk review.
2. Look for keywords: Terms like "periodic," "reassess," "update risk register," "control effectiveness," and "ongoing monitoring" all point toward risk review activities.
3. Remember that risk review is continuous: Exam questions may present a scenario where someone performs a risk assessment once and never revisits it. The correct answer will emphasize the need for regular, scheduled reviews.
4. Differentiate review from assessment: A risk assessment is the initial identification and analysis of risks. A risk review is the follow-up process to ensure those assessments remain current and controls remain effective.
5. Supplier risk is a hot topic: Expect questions about what happens when a vendor changes their security practices, experiences a breach, or fails to meet contractual obligations. The answer often involves conducting a supplier risk review or reassessing the vendor relationship.
6. Architecture reviews often follow changes: If a question describes a migration to the cloud, a new application deployment, or a network redesign, the correct answer will likely involve performing an architecture risk review to assess the impact of those changes.
7. Connect risk review to governance: Questions may test whether you understand that risk review findings should be reported to senior management and used to inform strategic decisions.
8. Know the risk register: Many questions will reference the risk register as the primary output of the risk review process. Understand that it is a living document that gets updated with each review cycle.
9. Think about triggers: Scheduled reviews happen at regular intervals, but event-driven reviews are triggered by incidents, regulatory changes, organizational changes, or new threats. Exam questions may test your ability to identify when an unscheduled review is warranted.
10. Eliminate overly narrow answers: If an answer option focuses on only one aspect (e.g., only technical controls) while the scenario describes a broader risk review need, choose the more comprehensive option that addresses multiple dimensions of risk.