What is Risk Management?
Fundamental process involving identification, analysis, treatment, monitoring, and reporting of risks
What are the five phases of the Risk Management Lifecycle?
Risk Identification, Risk Analysis, Risk Treatment, Risk Monitoring, Risk Reporting
What is Risk Identification?
Proactive process recognizing potential risks with the goal of creating a comprehensive list based on events hindering objectives
What is Risk Analysis?
Process to evaluate likelihood and potential impact of risks using qualitative or quantitative methods to create a prioritized list for guiding risk treatment
What are the four Risk Treatment strategies?
Avoidance, Reduction, Sharing, Acceptance
What is Risk Monitoring?
Ongoing process tracking identified risks, monitoring residual risks, identifying new risks, and reviewing risk management effectiveness
What is Risk Reporting?
Communicating risk information and effectiveness of risk management to stakeholders through dashboards, heat maps, and detailed reports
What are Ad-Hoc Risk Assessments?
Risk assessments conducted as needed, often in response to specific events or situations to address potential new risks or changes in existing risks
May be repeated
What are Recurring Risk Assessments?
Risk assessments conducted at regular intervals (annually, quarterly, monthly) as part of standard operating procedures for continual risk identification and management
What are One-Time Risk Assessments?
Risk assessments conducted for specific projects or initiatives that are not repeated and associated with a particular purpose
NOT repeated
What are Continuous Risk Assessments?
Ongoing monitoring and evaluation of risks enabled by technology, involving real-time data collection and analysis for proactive threat monitoring
What is Risk Identification?
Crucial first step in risk management; involves recognizing potential risks that could impact an organization. Risks can vary from financial and operational to strategic and reputational
What is Business Impact Analysis (BIA)?
Process that evaluates effects of disruptions on business functions, identifies and prioritizes critical functions, and determines required recovery time
What is Recovery Time Objective (RTO)?
Maximum acceptable time before severe impact occurs; the target time for restoring a business process
What is Recovery Point Objective (RPO)?
Maximum acceptable data loss measured in time; the point in time data must be restored to
What is Mean Time to Repair (MTTR)?
Average time to repair a failed component or system; indicator of repair speed and downtime minimization
What is Mean Time Between Failures (MTBF)?
Average time between system or component failures; measure of reliability
What is a Risk Register?
Key tool in risk management that records identified risks, descriptions, impacts, likelihoods, and mitigation actions; may resemble a heat map risk matrix
What is Risk Description (in a Risk Register)?
Component that identifies and describes the risk in a clear and concise manner
What is Risk Impact?
Potential consequences of risk occurrence; rated on a scale (low, medium, high)
What is Risk Likelihood?
Probability of risk occurrence; rated on a scale (numerical or descriptive)
What is Risk Outcome?
Result of the risk if it occurs; related to impact and likelihood
What is Risk Level or Threshold?
Determined by combining impact and likelihood; prioritizes risks (high, medium, low)
What is Risk Tolerance/Risk Acceptance?
An organization or individual's willingness to deal with uncertainty in pursuit of their goals; maximum amount of risk they are willing to accept without countermeasures
What is Risk Appetite?
Willingness to pursue or retain risk; can be Expansionary, Conservative, or Neutral
What are Key Risk Indicators (KRIs)?
Predictive metrics signaling increasing risk exposure; provide early warning of potential risks and are tied to the organization's objectives
What is a Risk Owner?
Person responsible for managing the risk, monitoring it, implementing mitigation actions, updating the Risk Register, and being accountable for risk management
What is Qualitative Risk Analysis?
Subjective risk analysis that offers a high-level view of risk; assesses risks based on potential impact and likelihood, and categorizes them as high, medium, or low using subjective expertise and experience
What is Likelihood/Probability in Qualitative Risk Analysis?
Chance of risk occurrence qualitatively expressed as low, medium, or high; based on past experience, statistical analysis, or expert judgment
What is Impact in Qualitative Risk Analysis?
Potential consequences if the risk materializes. Could be in terms of cost, time, quality, or other critical project objectives
What is Low Impact?
Minor damage where essential functions remain operational
What is Medium Impact?
Significant damage with loss to assets
What is High Impact?
Major damage where essential functions are impaired
What is Quantitative Risk Analysis?
Method that provides objective and numerical evaluation of risks; used for financial, safety, and scheduling decisions
What is Exposure Factor (EF)?
Proportion of asset lost in an event (0% to 100%); indicates asset loss severity
What is Single Loss Expectancy (SLE)?
Monetary value expected to be lost in a single event; calculated as Asset Value x Exposure Factor (EF)
What is Annualized Rate of Occurrence (ARO)?
Estimated frequency of threat occurrence within a year; provides a yearly probability
What is Annualized Loss Expectancy (ALE)?
Expected annual loss from a risk; calculated as SLE x ARO
What is Risk Transference?
Risk management strategy that shifts risk to another party through insurance or contract indemnity clauses; doesn't remove the risk but shifts responsibility for handling financial consequences
What is a Contract Indemnity Clause?
Contractual agreement where one party agrees to cover the other's harm, liability, or loss stemming from the contract
Someone you’re contracting with agrees to compensate you if their actions cause a loss.
What is Risk Acceptance?
Acknowledging and dealing with risk if it occurs; used when cost of managing the risk outweighs potential loss; no actions to mitigate the risk are taken
What is an Exemption in Risk Acceptance?
When the organization doesn't have to obey a specific rule or requirement; there is no risk of not complying with the rule
What is an Exception in Risk Acceptance?
Allows party to avoid rule under specific conditions; organization operates in a way that lets them evade the risk
What is Risk Avoidance?
Changing plans or strategies to eliminate a specific risk; chosen when the risk is too great to accept or transfer
What is Risk Mitigation?
Taking steps to reduce likelihood or impact of risk; common strategy involving various actions
What is Residual Risk?
The likelihood and impact of the risk after mitigation, transference, or acceptance measures have been taken on the initial risk
What is Control Risk?
Assessment of how a security measure has lost effectiveness over time
What are the four purposes of Risk Monitoring and Reporting?
Informed decision making, Risk mitigation, Stakeholder communication, Regulatory compliance
What is risk monitoring?
The process of tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk response plans
What is risk reporting?
Process of communicating information about risk management activities