Network Rail overhauls its risk management processes over heightened IT security risks

Paul Watts describes how Network Rail has ratcheted up risk management at Computing's Enterprise Security Summit 2015

Network Rail has recently overhauled the way it approaches enterprise risk management, and is now using this to better embed cyber security risk management more deeply into the running of the organisation.

Speaking today at Computing's Enterprise Security and Risk Management Summit 2015, Network Rail's head of information security, Paul Watts, said: "If you take a traditional view of corporate risk management, risks are things that impede the delivery of business outcomes.

However, the way risk was measured in the past was similarly traditional: here's a risk, here's a probability, here's an impact; high, medium or low. That single dimension of risk measure no longer supports the modern day demands for good enterprise risk management."

Furthermore, he added, less mature companies typically handle risk management as a one-off exercise. This produces a big document that is then put into a drawer and ignored for six years, until the organisation takes another look at risk management. In the meantime, the risk environment changes dramatically, almost from the moment the document has been completed.

"At Network Rail we have broadened our measures out. We look at our risks through a new corporate risk methodology known as 'Corporate Risk Assessment Methodology' or CRAM - it's a Network Rail homegrown methodology. Risk is [now] measured and qualified against multiple vectors of risk outcome or impact such as safety - which is absolutely critical to Network Rail, financial, legal, regulatory and reputational," said Watts.

That enables the organisation to take a more granular approach to risk management, based on very real potential outcomes and individual tolerances. "In terms of the controls and the way that you measure it, they have got to mean something to the asset owner and to the business process owner," he added.

"That's really important. If they don't understand the effectiveness of the controls that drive the management of the risk in terms that they understand, pertinent to the outcomes that they are trying to protect against, you're not delivering any effective risk methodology there at all."

Cyber security is becoming embedded into the safety risk assessments that Network Rail is obliged to complete for operational technology assets. This raises its importance and makes it a key consideration when determining levels of risk, and therefore the required level and design of controls to be mandated, when considering investments in new digital technology for the railway.

Embedding enhanced risk management methodologies, and coupling these with security assurance and asset security accreditation schemes, are key components of the railway's cyber security strategy, which is being realised through Network Rail's ongoing cyber security business transformation programme.