Chapter 3: Domain Three: Risk Management Flashcards
All-Hazards Approach
Looks not only at high-consequence, low-probability events (Terrorism, extreme natural disasters), but also lower-consequence, high-probability events (power outages, cyberattacks).
Asset
Anything that has tangible or intangible value to the organization.
NOTE 1: Tangible assets include human, physical, and environmental assets.
NOTE 2: Intangible assets include information, intellectual property, brand, and reputation.
Audit
Systematic, independent, objective, and documented process for obtaining, examining, verifying, and evaluating information relative to a set of criteria.
Business Continuity
A comprehensive, managed effort to prioritize key business processes and identify significant threats to normal operations. It also includes planning mitigation strategies to ensure effective and efficient organizational responses to the challenges that surface during and after a crisis.
Business Impact Analysis
(BIA) Provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of undesirable and disruptive events.
Capability Analysis
Process of evaluating the competence, aptitude, and experience of people and the organization; the suitability of technology; and the application of processes for particular purposes to determine whether or not the expected output will fall within an acceptable range.
Client
Organization or person that receives a product or service.
NOTE 1: Examples include consumers, contractors, end users, retailers, beneficiaries, and purchasers.
NOTE 2: A client can be internal or external to the organization.
Community
A group of associated organizations and people sharing common interests.
Competence
Demonstrable ability to apply knowledge and skills to achieve intended results.
Conformity
Compliance with a requirement.
Consequence
Results or effect of an action, condition, or decision.
NOTE 1: Uncertainties interact and may result in singular or multiple consequences with a potential for positive or negative effects on objectives.
NOTE 2: Consequences should consider both tangible and intangible factors and can be expressed qualitatively or quantitatively, or both.
NOTE 3: Consequences may be cascading effects.
Consultation
Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision makers regarding the management of risk.
NOTE 1: Information may relate to the context of the organization, the risks and their assessment, and the selection and evaluation of risk treatment options.
NOTE 2: Communication and consultation inform the decision-making process but do not imply joint decision making.
Continual Improvement
Ongoing processes to improve products, services, and management practices to enhance the ability to fulfill requirements.
NOTE: Changes may be incremental or comprehensive.
Corrective Action
An action made to rectify the causes of a detected nonconformity or other undesirable circumstances.
NOTE 1: There can be more than one cause for a nonconformity.
NOTE 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.
Critical Control Point
(CCP) A point, step, or process at which controls can be applied to modify risk.
NOTE 1: A threat or hazard can be prevented, eliminated, or reduced to targeted levels.
NOTE 2: A point at which opportunity can be leveraged.
Criticality
Of essential importance with respect to objectives and outcomes. (ANSI/ASIS SPC.1-2009)
Criticality Analysis
A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization’s stakeholders, assets, services, and activities, based on the importance of its mission or function or the significance of risks on the organization’s ability to meet its objectives and expectations.
NOTE: Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization’s objectives or which might represent a decisive turning point in the execution of strategy.
Derivative Criticality
Indicates the indirect consequences of a risk event and how the resultant consequences indirectly related to the asset, activity, or function will affect the organization achieving its objectives.
Disruptive Event
An event that interrupts planned activities, operations, or functions, whether anticipated or unanticipated.
Document
Information and supporting medium in any format.
Effectiveness
Extent to which planned activities accomplish a purpose, thereby producing the intended or expected outcomes.
Error Analysis
Considers the kind and quantity of error that may occur in a risk assessment.
Event
Change occurring in an interval of time with the potential to alter outcomes.
NOTE 1: Likelihood and consequence of an event may be predictable using qualitative or quantitative measures.
NOTE 2: An event may be due to singular or multiple causes and may have more than one occurrence.
NOTE 3: The nonoccurrence of an anticipated change is also an event.
NOTE 4: An event is not a risk; rather, it is the uncertainty in the outcomes that creates risk.
External Threat
Can include theft/burglary, vandalism, and assault.
Gap Analysis
Technique that can be used to determine what steps might need to be taken to improve the organization’s capacity to conduct a risk assessment and to move from a current state to a desired future state. Also referred to as need-gap analysis, needs analysis, and needs assessment, gap analysis seeks to answer the questions “where are we?” (the current state) and “where do we want to be?” (the future state). The gap analysis includes an evaluation of the suitability of the current process for assessing risk and whether it is sufficient to manage risks. Gap analysis can also be used within the individual risk assessment.
Holistic Approach
Should include a prevention plan, an all-hazards emergency operations plan (EOP), a mitigation plan, a recovery plan, and a continuity-of-operations plan (COOP).
Impact
The positive or negative effect on someone or something (see consequence).
Impact Analysis
Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursuing a course of action in light of its possible consequences or the extent and nature of further change (intended or unintended) that such change may cause.
Incident
An event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or function. If not managed, an incident can escalate into an emergency, crisis, or disaster.
Integrity
Assuring the soundness, reliability, and completeness of tangible and intangible assets.
Intrinsic Criticality
Indicates the direct value of the asset, activity, or function in achieving the objectives of the organization.
Likelihood
Chance or probability that something will happen.
Management System
Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.
NOTE: Management systems are used by organizations to establish their policies, objectives, and targets; determine and allocate resources; define roles and authorities; implement procedures; and evaluate performance to achieve desired outcomes and objectives.
Monitoring
Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status of performance and to identify changes in the internal and external environments.
Nonconformity
Failure to fulfill a requirement.
Opportunity Analysis
Process of identifying uncertainties that may be exploited and analyzing the organization’s capability and readiness to exploit them. The process may include identifying unmet or underserved customer/client needs, identifying target markets, analyzing competitive advantages, and analyzing the organization’s resource capacity to undertake an opportunity.
Organization
Group of people and facilities with an arrangement of responsibilities, authorities, and relationships.
NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combinations thereof.
Organizational Resilience
The adaptive capacity of an organization in a complex and changing environment.
Planning
Part of a management process focused on setting objectives, projecting risks to these objectives, and ensuring resources and systems are in place to ensure objectives are achieved.
Prevention
Measures that enable an organization to avoid, preclude, or limit the impact of an undesired or potentially disruptive event.
Preventive action
Proactive change or improvement implemented to address a weakness that is not yet responsible for causing nonconformity.
NOTE 1: A potential nonconformity may have one or more root causes.
NOTE 2: Preventive action is taken to avoid occurrence, whereas corrective action is taken to rectify a problem and prevent recurrence.
Procedure
An established or specified way to conduct an activity or a process.
Random Error
Inaccuracies that fluctuate from one measurement to the next and yield results where the mean value varies.
NOTE: Random errors can occur for a variety of reasons, including poorly written questions, imprecise definition of terminology, or lack of sensitivity of the analysis models.
Record
A document set down in writing or some other permanent form for later reference.
Residual Risk
Remaining risk after treatment.
NOTE: Residual risk may include risk retained by informed decision, untreatable risk, and/or unidentified risk.
Resilience
Adaptive capacity of an organization in a complex and changing environment. (ANSI/ASIS SPC.1-2009)
Resources
Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used. (ANSI/ASIS SPC.1-2009)
Review
Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives.
Risk
Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.
NOTE 1: Risk is considered as potentially having positive and/or negative outcomes.
NOTE 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.
NOTE 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at levels of the organization.
NOTE 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.
NOTE 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.
NOTE 6: Sometimes risk is focused on negative outcomes where it is considered a function of threats, vulnerabilities, and consequences.
Risk Acceptance
Informed action of consenting to retain, receive, or undertake a particular risk.
Risk Analysis
Process to characterize and understand the nature of risk and to define the level of risk.
NOTE: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision making.
Risk Appetite
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. (RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance)
Risk Assessment
Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.
NOTE: Risk assessment includes risk identification, risk analysis, and risk evaluation.
Risk Attitude
Organization’s or individual’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. (RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance)
Risk Criteria
Terms of reference used to measure and evaluate the significance and effects of risk.
NOTE 1: Risk criteria are a function of the organization’s objectives, values, and policies, as well as the external and internal environment.
NOTE 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.
Risk Driver
Event, individual(s), process, or trends having impact on the objectives of the organization.
Risk Evaluation
Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.
NOTE: Risk evaluation provides the basis for decisions about risk treatment methods.
Risk Identification
Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes.
NOTE: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.
Risk Management
A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (RIMS Resources)
Risk Register
A compilation of all risks identified, analyzed, and evaluated in the risk assessment process.
NOTE: The risk register includes information on likelihood, consequences, treatments, and risk owners.
Risk Source
A factor with the potential to create uncertainty in achieving objectives.
NOTE: The risk source may include tangible or intangible factors alone or in combination.
Risk Tolerance
The amount of uncertainty an organization is prepared to accept in total or, more narrowly, within a certain business unit, a particular risk category, or for a specific initiative.
NOTE: The level of tolerance, or acceptable level of variation, related to achieving objectives may be influenced by jurisdictional law and stakeholder requirements. (RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance)
Risk Treatment
Process of selecting and implementing measures to modify risk to achieve objectives.
NOTE 1: Risk treatment can change the characteristics of existing risks or generate new risks.
NOTE 2: Risk treatment may require a reallocation of resources or modification of plans and priorities.
Sampling
The process or technique of selecting a representative part of a population for the purpose of determining parameters or characteristics of the whole population.
Scenario Analysis
A process using descriptive models to ascertain and analyze possible events that may occur in the future and their potential outcomes. It can be used to identify risks by considering possible future developments and exploring their implications.
NOTE: Sets of scenarios reflecting best case, worst case, and expected case may be used to analyze potential consequences and probabilities for each scenario as a form of sensitivity analysis when analyzing risk.
Security
The condition of being protected against hazards, threats, risk, or loss.
Sensitivity Analysis
Any systematic technique used to understand how risk estimates and risk-based decisions are dependent on variability and uncertainty in the factors contributing to risk.
NOTE 1: Sensitivity generally refers to the variation in output of a risk analysis model with respect to changes in the values of the model’s inputs.
NOTE 2: Sensitivity analysis attempts to provide a ranking of the model inputs based on their relative contributions to model output variability and uncertainty.
Stakeholder
Person or organization with an interest or concern.
NOTE: A stakeholder can affect and may be affected by the organization and its achievement of its objectives (real or perceived).
Stress Test
A form of simulation used to determine reactions to different situations; it is also used to gauge how certain stressors will affect a company or industry.
Supply Chain
A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/components into products and services for end users.
NOTE: The supply chain may include vendors, subcontractors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
Systematic Error
Inaccuracies that tend to shift all measurements in a systematic way so that their mean value is displaced.
NOTE: This may be due to such things as biased questionnaires or the preconceived notions of the people conducting the measurements.
Threat Analysis
Process of identifying and quantifying the potential cause of the unwanted event that may result in harm to individuals, assets, a system or organization, the environment, or the community.
Threat From
Based on the nature and attributes of the threat and how the threat may cause harm and/or uncertainty.
Threat To
Considers the locations of the potential assets and services.
Top Management
Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, policies, and/or allocating resources.
Undesirable Event
Any event that has the potential to cause a negative impact on the achievement of objectives or on assets, whether tangible or intangible.
Value Chain
The series of functions, processes, or activities from raw materials to the eventual end user that creates and builds value at every step to deliver a product or service.
Violence Risk Assessment
The investigative and analytical process followed by a qualified professional to determine the nature and level of risk of violence presented by a person and the steps that could be taken to respond to, manage, and mitigate the risk.
Violence Risk Screening
The investigative and analytical process followed by the threat management team to make a gross and general determination of whether particular behavior should be viewed as generating a concern for possible violence and thereby should be treated under the organization’s threat management protocols. Distinct from the violence risk assessment, which requires specifically trained and qualified personnel.
Vulnerability
Susceptibility related to the entity’s preparedness, agility, and adaptability.
Workplace Violence
A spectrum of behaviors, including overt acts of violence, threats, and other conduct, that generate a reasonable concern for safety of employees and others (such as customers, clients and business associates) on site or off-site when related to the organization.