Risk identification
The initial step in the risk management process, aimed at identifying potential threats and vulnerabilities that could adversely affect an organization.

Risk assessment
The process of analyzing identified risks to evaluate the likelihood of their occurrence and their potential impact.

Ad hoc risk assessments
Conducted in response to specific incidents or triggers.

One-time risk assessments
Often conducted for specific events or changes. For instance, when introducing a new system, launching a new product, or during a business merger or acquisition, a company would conduct a one-time assessment to understand the potential risks associated with these activities.

Recurring assessments
Conducted at regular intervals, such as annually, semi-annually, or quarterly, depending on the organization's requirements and the nature of the industry.

Continuous risk assessment
The risk environment is monitored in real time, and risks are assessed on an ongoing basis.

Risk analysis
The process dealing with the calculation of risk and the return on investment for security measures, involving the identification of threats, estimation of potential losses, and identification of mitigation strategies.

Qualitative risk analysis
A subjective approach that assesses risks based on non-numeric criteria.

Quantitative risk analysis
Offers an objective means to evaluate risk, assigning numerical values to the potential loss and the likelihood of risk occurrence.

Single loss expectancy (SLE)
The expected monetary loss every time a risk occurs. SLE equals asset value multiplied by the threat exposure factor, which is the percentage of the asset lost in a successful attack.

Annual rate of occurrence (ARO)
The estimated possibility of a specific threat taking place in a 1-year time frame.

Annual loss expectancy (ALE)
The monetary loss that can be expected for an asset from risk over a 1-year period.

Probability
A fundamental concept in risk analysis that describes the chance of a specific event occurring. It is quantified as a number between 0 and 10.

Likelihood
The possibility of a risk materializing.

Exposure Factor (EF)
A measure of the magnitude of loss or damage that can be expected if a risk event occurs. It is represented as a percentage, reflecting the portion of an asset's value likely to be affected.

Impact
The consequence or the effect that a risk event has on an organization or a specific asset.

Risk register
Gives an organization a way to record information about identified risks; it is usually implemented as a specialized software program, cloud service, or master document.

Key risk indicators (KRIs)
Function as early warning signs for potential increases in risk.

Risk owners
Individuals or teams designated with the responsibility of managing specific risks.

Risk thresholds
Help an organization determine the maximum amount of risk it can tolerate. This is a measure of the acceptable level of risk exposure for the company.

Risk tolerance
The organization's personalized threshold for embracing the unknown.

Risk appetite
The total amount of risk that an organization is prepared to accept or be exposed to at any point in time.

Expansionary or aggressive
Willing to take on more risk for the potential of higher returns. These companies are often in high-growth industries where the benefits of taking a riskier approach can result in significant returns, such as tech startups and investment banking.

Neutral
Strikes a balance between being too risky and overly cautious.

Conservative
Involves low tolerance for risk and a preference for safer investments with predictable outcomes.

Risk Management Strategies
Creating a risk register document that details all known risks and their related mitigation strategies.

Avoid
Risk avoidance seeks to eliminate the vulnerability that gives rise to a particular risk.

Transfer
With risk transference, a risk or the effect of its exposure is transferred, for example by moving to hosted providers that assume the responsibility for recovery and restoration; it also includes insurance.

Accept
With risk acceptance, an organization recognizes a risk, identifies it, and accepts that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted (also known as risk exemption).

Risk exception
A formal acknowledgment that a system or process is not compliant with an applied standard or policy but has been permitted to operate because the risk is acknowledged and accepted.

Mitigate
Involves reducing the likelihood or impact of a risk's exposure.

Risk reporting
Involves the regular and ad hoc dissemination of risk-related information, from the operational level to senior management and the board of directors, ensuring that all parties are informed about current risks, their potential impact, and the actions taken to mitigate them.

Business impact analysis (BIA)
The process of determining the potential impacts resulting from the interruption of time-sensitive or critical business processes.

Recovery point objective (RPO)
The amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the business continuity plan's maximum allowable threshold.

Recovery time objective (RTO)
A measure of the time in which a service should be restored during disaster recovery operations.

Mean Time to Repair (MTTR)
Signifies the average duration needed to restore a malfunctioned system to its optimal operating condition.

Mean Time Between Failures (MTBF)
Provides insight into the average time a system or component operates without failure.