6.2 (ENTERPRISE RISK MANAGEMENT (Risk management (Risk management…
ENTERPRISE RISK MANAGEMENT
is the process
of identifying vulnerabilities and threats to the information resources
used by an organization in achieving business objectives
deciding what countermeasures (safeguards or controls), if any, to take in reducing risk to an acceptable level
(i.e., residual risk), based on the value of the information resource to the organization.
Risk management encompasses ,
the impact of risk on IT processes.
Risk management process
Effective risk management begins
with a clear understanding of the organization’s appetite for risk. This
impacts future investments in technology,
the extent to which IT assets are protected and
to the extent the level of assurance required.
drives all risk management efforts and,
Having defined risk appetite
and identified risk exposure, strategies for managing risk can be set and responsibilities clarified.
Depending on the type of risk and its significance to the business, management and the board may choose to:
Share risk with partners or transfer via insurance
coverage, contractual agreement or other means.
Formally acknowledge the existence of the risk and monitor it
Lessen the probability or impact of the risk by defining,
implementing and monitoring appropriate controls.
Eliminate the risk by eliminating the cause (e.g., where feasible, choose not to implement certain activities or processes that would incur risk)