5.2 Flashcards
Risk Management
the process involving identification, analysis, treatment, monitoring and reporting of risks
Risk identification
roactive process recognizing potential risks
● Goal
○ Create a comprehensive list based on events hindering objectives
Risk Analysis
● Evaluate likelihood and potential impact
● Qualitative or quantitative methods
● Outcome
○ Prioritized list for guiding risk treatmen
Risk Treatment
● Develop strategies
○ Avoidance
○ Reduction
○ Sharing
○ Acceptance
Strategy choice based on potential impact and risk tolerance
Risk Monitoring
● Ongoing process tracking identified risks
● Monitor residual risks, identify new risks, and review risk management
effectiveness
● Ensures dynamic responsiveness to organizational change
Risk Reporting
● Communicate risk information and effectiveness of risk management to
stakeholders
● Various forms
○ Dashboards
○ Heat Maps
○ Detailed Reports
● Crucial for accountability and informed decision-ma
When are ad-hoc risk assessments used
when needed often for specific things like launching a new product
one time risk assessment
used for a new it system for example not repeated
Techniques for risk identification
brainstorming, checklists, interviews and scenario analysis
BIA
business impact analysus
■ Evaluates effects of disruptions on business functions
■ Identifies and prioritizes critical functions
■ Assesses impact of risks on functions
■ Determines required recovery time for function
RTO
recovery time objective
max acceptable time before there is a severe impact
RPO
recovery point objective
max acceptable data loss measured in time
MTTR
average time to repair a failed component or system
MTBF
a high MTBF means system doesnt fail often
mean time between failures
Risk register
■ Records identified risks, descriptions, impacts, likelihoods, and mitigation actions
■ Key tool in risk management
■ May resemble a heat map risk matrix
■ Facilitates communication and risk tracking
■ Key component of project and business operations
its a document
includes risk description, impact, likelihood,outcome, level and threshold
Risk impact
potential consequences of risk occurence
rated on scale low medium or high
Risk likelihood
probability of risk occurence
rated on scale numerically or descriptive
Risk outcome
result of the risk if it occurs related to impact and likelihood of
Risk level or threshold
determined by combining the impact and likelihood
prioritize risks high medium and low
Risk Tolerance/Acceptance
● An organization or individual’s willingness to deal with uncertainty in
pursuit of their goals
● Maximum amount of risk they are willing to accept
● Acceptance without countermeasures
Risk Appetite
willingess to pursue risk
expansionary
conservative
neutral
KRIs
key risk indicators
Predictive metrics signaling increasing risk exposure
■ Provide early warning of potential risks
■ Tied to the organization’s objectives
■ Used to monitor risk changes and take proactive step
Risk owner
■ Responsible for managing the risk
■ Monitors, implements mitigation actions, and updates Risk Register
■ Accountable for risk management
Qualitative Risk Analysis
■ Primary method in risk management
■ Assesses risks based on potential impact and likelihood
■ Categorizes risks as high, medium, or low
■ Subjective and relies on expertise and experience
■ Avoids quantitative complexity
includes low medium and high impact
Quantitative Risk Analysis
■ Provides objective and numerical evaluation of risks
■ Used for financial, safety, and scheduling decisions
■ Utilizes key components
● Single Loss Expectancy (SLE)
● Exposure Factor (EF)
● Annualized Rate of Occurrence (ARO)
● Annualized Loss Expectancy (ALE)
EF
exposure factor
● Proportion of asset lost in an event (0% to 100%)
● Indicates asset loss severity
ex flooding hitting headquarters would be 70% loss in assets
SLE
single loss expectancy
Calculated as Asset Value x Exposure Factor (EF)
70% x say $5,000 (cost of asset)
ARO
annualized rate of occurrence
● Estimated frequency of threat occurrence within a year
● Provides a yearly probability
ALE
Annualized Loss Expectancy (ALE)
SLE x ARO
Give an example of risk transference
insurance
Contract indemnity clauses
■ A contractual agreement where one party agrees to cover
the other’s harm, liability, or loss stemming from the
contrac
Risk Acceptance
Used when cost of managing the risk outweighs potential loss or risk is
unlikely to have a significant impac
exception
Exception (allows party to avoid rule under specific conditions)
Risk avoidance
● Change plans or strategies to eliminate a specific risk
● Chosen when the risk is too great to accept or transfer
Risk mitigation
● Take steps to reduce likelihood or impact of risk
● Common strategy involving various actions
Risk Monitoring
● Tracking identified risks
● Monitoring residual risks
● Identifying new risks
● Evaluating risk response plan
Residual Risk
The likelihood and impact of the risk after mitigation,
transference, or acceptance measures have been taken on the
initial risk assessment
Control Risk
○ Assessment of how a security measure has lost effectiveness over
time
