Lecture 6: Risk Frameworks
ISO 31000 Series
Risk mgmt process 5 activities
Communication and consultation
Establishing the context
Risk Assessment
Risk Treatment
Monitoring and review
Objective
More confident and rigorous basis for decision making and planning
Better identification of opp and threats
Gaining value from uncertainty and variability
ISACA RiskIT Framework
3 Domains
Risk Governance
risk mgmt embedded in ent
Risk Evaluation
Risk identified, analysed and presented
Risk Response
Address risk in cost effective manner
CoBIT 5 Risk Scenario
Risk Scenario: Description of possible event that if occurs = uncertain impact on ent obj
Contains:
Actor (Internal - staff /External - biz partner, competitor)
Threat Type (Malicious, accidental, error, failure, nature, ext req)
Event (disclosure, interruption, modification, theft, destruction, ineffective design, ineffective execution, rules and reg, inappropriate use)
Asset affected by risk event (people and skills, org structure, process, infra, IT infra, information, applications)
Time (if relevant to scenario) - duration, timing of occurrence, detection, time lag
Benefits:
Provide tool to facilitate communication
Enhance risk mgmt effort
Provide realistic view of risk
Risk Response Options using RiskIT
Step 1: Risk Analysis
Estimate freq and magnitude of IT risk scenarios
Initial steps of risk mgmt:
Analyse value of assets to biz
Identify threats to assets
Evaluate how vul each asset is to those threats
Step 2: Risk Response
Acceptable risk = no follow up but documented
Factors considered as input of response selection:
Cost of response to reduce risk within tolerance level
Impt of risk
Capability to implement responses
Effectiveness of response
Efficiency of response
Options:
Avoid
Eliminate risk by not performing activities associated w risk
Only chosen when other options not feasible
Reduce/Mitigate
Bring down risk level to acceptable tolerance
Implement best prac/controls
Most desirable and realistic option
Share/Transfer
Share risk w other entities
Gains also shared
Transferred through outsourcing
Accept
Can only be accepted by snr mgmt
Need to document risk w proper auth
Document for acct and audit trails
Step 3: Risk Prioritisation
Resource limitation = cannot respond to all risk at once
Priority 1: Quick Wins - high efficiency to addr high risk level
Priority 2: Business case - opt requiring further consideration best studied w biz case
Priority 3: Defer - low priority opt as addr low priority risk w high cost
Prioritisation grid (risk level up the vertical axis, efficiency of response along the horizontal axis):
  ^ risk level
  |  Biz case  | Quick wins
  |  Defer     | Biz case
  +----------------------------> efficiency of response
Step 4: Risk Action Plan
Output of framework = Risk Action plan
To be executed as proj or program
If eff deployed, risk exceeding tolerance can be responded to
Risk Frameworks
Risk Aggregation
Various risk combined w multiplied effect
Cascading Risk
Risk at higher level can be inherited at lower level