The business should always work with risk management (RM). RM provides directions on how to work with security risks at Schibsted.
RM tasks shall be part of daily operations; identifying and managing risks and opportunities shall be integrated into business planning, control, and working processes. The brands and the group functions have the primary responsibility for managing their own risks. The RM process is based on the principles of the ISO 31000 standard for risk management. Security risk management at Schibsted includes:
- Identifying and assessing risks from a probability and impact aspect for current and target state
- Making decisions on the risk strategy and proposed actions on how to manage risks
- Assigning a risk owner and setting a due date for each risk
- Maintaining a risk register and a risk log (these can be the same document)
All of the above steps shall be documented.
To ensure that risks are continuously managed and logged and not only mapped once a year, the process for Security Risk Management within Schibsted shall also be followed. This process includes individual risk registers and logs for each brand that are followed up monthly with the central Security team.
Risks in an individual risk register that are relevant to the whole of Schibsted are then escalated to the Schibsted Security Risk register. A risk register includes all identified risks; it becomes a log once each risk and its mitigation are given a timestamp and an owner. The escalated risks are re-assessed from a Schibsted-wide perspective, and a central risk owner is appointed for each risk.
A security risk report to executive management is created twice a year (at the half-year and full-year marks) based on the Schibsted Security Risk Log. The reports are distributed to executive management and the Board of Directors.