Risk Management
Fundamental process that involves identifying, analyzing, treating, monitoring, and reporting risks
Risk Assessment Frequency
Refers to how often the risk assessment process is conducted within an organization
What are the 4 types of risk assessment frequency?
Ad-Hoc, Recurring, One-Time, and Continuous
Ad-Hoc Risk Assessments
Conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks
Recurring Risk Assessments
Conducted at regular intervals, such as annually, quarterly, or monthly
One-Time Risk Assessments
Conducted for a specific purpose and are not repeated
Continuous Risk Assessments
Ongoing monitoring and evaluation of risks
Risk Identification
Recognizing potential risks that could negatively impact an organization’s ability to operate or achieve its objectives
What are some techniques used in Risk Identification?
Brainstorming, Checklists, Interviews, and Scenario Analysis
Business Impact Analysis
Process that involves evaluating the potential effects of disruption to an organization’s business functions and processes
Recovery Time Objective (RTO)
It represents the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization
Recovery Point Objective (RPO)
It represents the maximum acceptable amount of data loss, measured in time. If this data point equals four hours, it means the business can tolerate a data loss of up to four hours in the event of a system failure.
Mean Time to Repair (MTTR)
It represents the average time required to repair a failed component or system
Mean Time Between Failures (MTBF)
It represents the average time between failures
Risk Register (Risk Log)
A document detailing identified risks, including their description, impact, likelihood, and mitigation strategies. This also resembles the heat map risk matrix.
Risk Description
Entails identifying and providing a detailed description of the risk
Risk Impact
Potential consequences if the risk materializes
Risk Likelihood/Probability
Chance of a particular risk occurring
Risk Outcome
Result of a risk, linked to its impact and likelihood
Risk Level/Threshold
Determined by combining the impact and likelihood
Cost
Pertains to its financial impact on the project, including potential expenses if it occurs or the cost of risk mitigation
Risk Tolerance/Risk Acceptance
Refers to an organization or individual’s willingness to deal with uncertainty in pursuit of their goals
Risk Appetite
Signifies an organization’s willingness to embrace or retain specific types and levels of risk to fulfill its strategic goals
What are the 3 types of risk appetite?
Expansionary, Conservative, and Neutral
Expansionary Risk Appetite
Organization is open to taking more risk in the hopes of achieving greater returns
Conservative Risk Appetite
Implies that an organization favors less risk, even if it leads to lower returns
Neutral Risk Appetite
Signifies a balance between risk and return
Key Risk Indicators (KRIs)
Essential predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise
Risk Owner
Person or group responsible for managing the risk
Qualitative Risk Analysis
A method of assessing risks based on their potential impact and the likelihood of their occurrence. This method is subjective and relies on the expertise and experience of the project team and stakeholders
What is the difference between Qualitative and Quantitative Risk Analysis?
Qualitative Risk Analysis offers a subjective and high-level view of risks, while Quantitative Risk Analysis offers an objective and numerical evaluation of risks
Quantitative Risk Analysis
Method of evaluating risk that uses numerical measurements
Exposure Factor (EF)
Proportion of an asset that is lost in an event
Single Loss Expectancy (SLE)
Monetary value expected to be lost in a single event
Annualized Rate of Occurrence (ARO)
Estimated frequency with which a threat is expected to occur within a year
Annualized Loss Expectancy (ALE)
Expected annual loss from a risk (SLE x ARO)
What are the 4 risk management strategies?
Transfer, Accept, Avoid and Mitigate
Risk Transference (Risk Sharing)
Involves shifting the risk from the organization to another party. This is typically done through insurance or contract clauses
Contract Indemnity Clause
A contractual agreement where one party agrees to cover the other’s harm, liability, or loss stemming from the contract
Risk Acceptance
Recognizing a risk and choosing to address it when it arises. This is often done when the cost of preventing the risk is greater than the potential loss or when the potential gain outweighs the potential loss
Exemption
Provision that grants an exception from a specific rule or requirement
Exception
Provision that permits a party to bypass a rule or requirement in certain situations
Risk Avoidance
Strategy of altering plans or approaches to completely eliminate a specific risk
Risk Mitigation
Implementing measures to decrease the likelihood or impact of a risk
Risk Monitoring
Involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a project’s lifecycle
Residual Risk
Likelihood and impact after implementing mitigation, transference, or acceptance measures on the initial risk
Control Risk
Assessment of how a security measure has lost effectiveness over time
Risk Reporting
Process of communicating information about risk management activities
Informed Decision-Making
Offer insights for informed decisions on resource allocation, project timelines, and strategic planning
Risk Mitigation
Recognize when a risk is escalating to mitigate it before becoming an issue
Stakeholder Communication
Assist in setting expectations and showing effective risk management
Regulatory Compliance
Demonstrate compliance with applicable regulations