lecture 3 Flashcards
COSO ERM framework: every risk management decision either increases, decreases or erodes value:
- Aligning risk appetite
- reducing operational surprises
- enhancing risk response
- identifying and managing multiple and cross-enterprise risks
- seizing opportunities
- improving deployment of capital
Risk identification
Processes for identifying the risks and opportunities that could impact an organisation
risk assessment
The identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed and includes the development of risk treatment strategies
Strategic understanding of information value
The strategic objectives; how, why and what information is most critical; the value of other information assets
risk appetite
A high-level view of how much risk management is willing to accept
Risk identification mini steps
Identify information/ICT processes and then develop a set of risk indicators relative to these
threat
Potential cause of an unwanted incident, which may result in harm to a system or organisation
likelihood
The probability of a risk eventuating
Consequence
The impact of an adverse change on the level of business objectives achieved
existing controls
Safeguards and countermeasures in place to manage risk
Jacobson's window
Isolates four classes of risk: low-low, high-low, low-high and high-high. These four are easily broken down into either inconsequential or significant risk classes
options available for risks
- accept = monitor
- avoid = eliminate
- reduce = institute controls
- share = partner with someone
Key elements of impact analysis
Assess the degree of harm or loss that can occur as a result of exploitation of vulnerability
determining acceptable risk levels
Evaluating risks on the basis of their likelihood and consequences provides two factors that can be used to prioritise risk management
Expected value of risk
EVR = estimated loss from specific risk * % likelihood of loss