Risk Management
fundamental process that involves identifying, analyzing, treating, monitoring, and reporting risks
risk assessment frequency
The regularity with which risk assessments are conducted within an organization
Ad-Hoc Risk Assessments
Conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks
Recurring risk assessments
Conducted at regular intervals, such as annually, quarterly or monthly
One time risk assessments
Conducted for a specific purpose and not repeated
Continuous risk assessments
Ongoing monitoring and evaluation of risks
Risk Identification
Recognizing potential risks that could negatively impact an organization's ability to operate or achieve its objectives
Business Impact Analysis (BIA)
Process that involves evaluating the potential effects of disruption to an organization's business functions and processes
Recovery Time Objective (RTO)
It represents the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization
Recovery Point Objective (RPO)
It represents the maximum acceptable amount of data loss measured in time
Mean Time to Repair (MTTR)
It represents the average time required to repair a failed component or system
Mean Time Between Failures (MTBF)
It represents the average time between failures
Risk Register
A document in which the results of risk analysis and risk response planning are recorded.
what will the risk register contain?
risk description
risk impact
risk likelihood
risk outcome
risk level
cost
Risk Description
Entails identifying the risk and providing a detailed description of it
Risk Impact
Potential consequences if the risk is materialized
Risk Likelihood/Probability
Chance of a particular risk occurring
Risk outcome
Results of a risk linked to its impact and likelihood
Risk level/threshold
Determined by combining the impact and the likelihood
Risk tolerance/risk acceptance
Refers to an organization's or individual's willingness to deal with uncertainty in pursuit of their goals
Risk Appetite
Signifies an organization's willingness to embrace or retain specific types and levels of risk to fulfill its strategic goals
what are the types of risk appetite?
expansionary
conservative
neutral
Expansionary risk appetite
Willingness to take higher risks for aggressive growth.
conservative risk appetite
Implies that an organization favors less risk, even if it leads to lower returns
Neutral risk appetite
Signifies a balance between risk and return
Key risk indicators (KRIs)
Essential predictive metrics used by organizations to signal rising levels of risk in different parts of the enterprise
Risk Owner
The person responsible for monitoring the risk and for selecting and implementing an appropriate risk response strategy.
Qualitative Risk Analysis
A method of assessing risks based on their potential impact and the likelihood of their occurrence
Ratings are typically expressed as low, medium, or high
Quantitative Risk Analysis
Method of evaluating risk that uses numerical measurements
Exposure Factor (EF)
Portion of an asset that is lost in an event
Single Loss Expectancy (SLE)
Monetary value expected to be lost in a single event
Annualized Rate of Occurrence (ARO)
Estimated frequency with which a threat is expected to occur within a year
Annualized Loss Expectancy (ALE)
Expected annual loss from a risk (SLE x ARO)
Risk Transference
Involves sharing some of the risk burden with someone else, such as an insurance company.
contract indemnity clause
A contractual agreement where one party agrees to cover the other's harm, liability, or loss stemming from the contract
Risk Acceptance
Recognizing a risk and choosing to address it when it arises
exemption
Provision that grants an exception from a specific rule or requirement
risk avoidance
avoiding an act that would create a risk
Risk Mitigation
Implementing measures to decrease the likelihood or impact of a risk
Risk Monitoring
Involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a project lifecycle
Residual Risk
Likelihood and impact after implementing mitigation, transference, or acceptance measures on the initial risk
Control Risk
Assessment of how a security measure has lost effectiveness over time
risk reporting
Process of communicating information about risk management activities
risk monitoring and reporting are essential because?
- informed decision making
- risk mitigation
- stakeholder communication
- regulatory compliance