• Jim Seaman

Risk Management: Time for T


The British are renowned for their love of tea (T) but how might the love of T help businesses to improve their Risk Management practices?

By embracing their love for T, businesses can brew up more effective Risk Management operations, ensuring that everything stops for T.

What has T to do with Risk Management, I hear you scream?

When the Royal Air Force Police first taught me how to carry out Risk Management, everything revolved around T:

  • Tolerate

  • Treat

  • Terminate

  • Transfer

  • Take the opportunity

Following a risk assessment, you have identified a new risk that exceeds your risk appetite and, as a result, you need to present suitable courses of action (CoAs), which provides the Risk Owner with sufficient background data so that they are able to make an informed decision as to the best CoA for them to choose. By taking time for T, you will be better placed to provide a range of workable mitigation options to help bring the risks to within acceptable tolerances.

Brewing up a suitable cuppa

Each of the Ts should provide at least a single alternative approach to help mitigate your newly identified risks. Let's take a look at each one in turn and see what this might look like.


You have been seeing a growing number of organizations that have fallen victim to Ransomware attacks. Consequently, you decide to analyze the potential risk for your critical business operations, to quantify the potential impact of a ransomware infection on these parts of the business.

The initial risk analysis provided the following quantitative risk analysis results:


Based upon the risk analysis, this CoA would be for the business to accept the risk of a 59.29% vulnerability and an Annualized Loss Exposure (ALE) of between £0 (not a victim of a ransomware attack) and £55.7 Million (with an average ALE of £17.7 Million).


Identify the most suitable security controls (e.g. CIS, NIST, NCSC, etc.) to ensure that the defenses against a ransomware style of cyberattack were enhanced. The estimated costs for maintaining this CoA were between were £150,000 - £200,000 and the updated risk analysis were identified as follows:

  • Average ALE reduction = £17.7 Million to £5.7 Million

  • Vulnerability reduction = 59.29% to 19.2%


One option could be to place these essential business functions into their own secure bunkers, with no internet or email connectivity and operating on strictly configured IT systems, within their own standalone networks. This was seen to be the nearest CoA to terminate this risk and the estimated costs for operating this CoA was estimated at between £1,000,000 - £1,500,000 and the updated risk analysis was observed to look as follows:

  • Average Annualized Loss Exposure (ALE) reduction = £17.7 Million to £821, 000

  • Vulnerability reduction = 59.29% to 2.81%


Another CoA would be to transfer the risk to a third-party supplier. However, it is important to remember that accountability still resides with your business. An example of this might be to transfer the need to handle sensitive data assets, through the use of a tokenization service provider. An important part of transferring the risk is to ensure that you carry out effective due diligence and risk analysis of the third-party's capabilities.

For example, in relation to the consideration for the use of a tokenization service provider, to help mitigate any associated ransomware risks, it is important that you understand how a Ransomware attack on their business might impact your organization and how well prepared they are for such an incident. An example of such an incident being the impact on the global Universities, as a result of the ransomware attack on Blackbaud.

Consequently, it is essential that you ask the relevant questions and understand their capabilities, as a result of their responses. Asking these questions against Zortrex (tokenized service provider), resulted in the following answers?

"As a supplier to a VICTIM of ransomware the recovery is straight forward;
1. Tokenvault contains references to tokens and the unique key in the source DB and the tokens contain references to the encrypted data we hold in the vault
2. Customer activates a support call and emergency recovery of data (due to volumes it needs to be monitored by Zortrex) - use the APIs to make a full recall of all their data
3a. Customers tokens get encrypted but DB reference is still there - we can overwrite the encrypted data with the correct token and all starts working again
3b.Customers entire DB is encrypted or their object store is encrypted - we can restore the DB from backup and the roll forward to the current token state in the vault as per the 3a scenario for DB's and for objects; we use an api call (special, one off return of RAW data) to the customer they get all their original data back and then we can use the onboarding process to re-tokenise it all with new references, OR we can return all the object ID's and matching tokens we hold if that suffices - this is obviously quicker than the first one!
4. Customer is compromised and attacker sends junk data to poison the tokenvault - we have filters and will reject nonsensical/encrypted data we also have version control and can roll back changes as needed to ensure customers vault remains intact.
As a Service provider - we get hit - all of the above applies as we are essentially our own customer - so our critical data will be in a protected DB Vault and we use tokenisation across our HR and CM/ERP services to ensure limited damage from any attack either on us or our suppliers".

This extra piece of due diligence allowed the following risk analysis to be carried out for the use of Zortrex's tokenized service.

  • Average Annualized Loss Exposure (ALE) reduction = £17.7 Million to £3.7 Million

  • Vulnerability reduction = 59.29% to 12.13%

Take the opportunity

This is probably the least popular of the brands of T. However, when used correctly this can be really beneficial and can provide some significant return on investment.

Where you are providing services to other organizations, why not show how the use of your services can help to mitigate their business to reduce their risks and save them time, effort, and money?


If you are not already doing so, consider carrying out risk analysis exercises for your critical business operations, against any newly emerging threats, so that your organization is better placed to better appreciate how these threats might impact your business and to be better placed to make informed decisions as to the best CoAs for your company.


Threats have become a part of doing business and these threats will be ever-present. However, by making time for T you can start to get an improved understanding of the associated risks and the best measures needed to bring these risks to within acceptable tolerances.

Go on, grab yourself a brew!
35 views0 comments