Risk Management Flashcards
What are Ad-Hoc Risk Assessments?
Conducted as needed, often in response to specific events or situations
They address potential new risks or changes in existing risks.
What characterizes Recurring Risk Assessments?
Conducted at regular intervals (e.g., annually, quarterly, monthly)
They are part of standard operating procedures for continual risk identification and management.
What is the purpose of One-Time Risk Assessments?
Conducted for specific projects or initiatives, not repeated, associated with a particular purpose
They focus on a unique situation or event.
What defines Continuous Risk Assessments?
Ongoing monitoring and evaluation of risks
Enabled by technology, involving real-time data collection and analysis.
What is the role of technology in Continuous Risk Assessments?
Facilitates real-time data collection and analysis
It is used for proactive threat and vulnerability monitoring, facilitating quick responses.
Business Impact Analysis (BIA)
■ Evaluates effects of disruptions on business functions
■ Identifies and prioritizes critical functions
■ Assesses impact of risks on functions
■ Determines required recovery time for functions
Key Metrics in BIA
Recovery Time Objective (RTO)
○ Maximum acceptable time before severe impact
○ Target time for restoring a business process
Key Metrics in BIA
Recovery Point Objective (RPO)
○ Maximum acceptable data loss measured in time
○ Point in time data must be restored to
Key Metrics in BIA
Mean Time to Repair (MTTR)
○ Average time to repair a failed component or system
○ Indicator of repair speed and downtime minimization
Key Metrics in BIA
Mean Time Between Failures (MTBF)
○ Average time between system or component failures
○ Measure of reliability
Risk Register
■ Records identified risks, descriptions, impacts, likelihoods, and mitigation actions
■ May resemble a heat map risk matrix
■ Facilitates communication and risk tracking
■ Key component of project and business operations
Risk Description
Components of Risk Register
● Identifies and describes the risk
● Clear and concise description
Risk Impact
Components of Risk Register
● Potential consequences of risk occurrence
● Rated on a scale (e.g., low, medium, high)
Risk Likelihood
Components of Risk Register
● Probability of risk occurrence
● Rated on a scale (e.g., numerical or descriptive)
Risk Outcome
Components of Risk Register
● Result of the risk if it occurs
● Related to impact and likelihood
Risk Level or Threshold
Components of Risk Register
● Determined by combining the impact and likelihood
Cost
Components of Risk Register
● Financial impact on the project
● Includes potential expenses if the risk occurs or the cost of mitigating it
Risk Tolerance/Risk Acceptance
● An organization's or individual's willingness to deal with uncertainty in pursuit of their goals
● Maximum amount of risk they are willing to accept
● Acceptance without countermeasures
Risk Appetite
● Willingness to pursue or retain risk
○ Expansionary
○ Conservative
○ Neutral
Key Risk Indicators (KRIs)
■ Predictive metrics signaling increasing risk exposure
■ Provide early warning of potential risks
■ Tied to the organization’s objectives
■ Used to monitor risk changes and take proactive steps
Risk Owner
■ Responsible for managing the risk
■ Monitors, implements mitigation actions, and updates Risk Register
■ Accountable for risk management
Qualitative Risk Analysis
■ Primary method in risk management
■ Assesses risks based on potential impact and likelihood
■ Categorizes risks as high, medium, or low
■ Subjective and relies on expertise and experience
■ Avoids quantitative complexity
Likelihood/Probability
Qualitative Risk Component
● Chance of risk occurrence
● Qualitatively expressed as low, medium, or high
● Based on past experience, statistical analysis, or expert judgment
Impact
Qualitative Risk Component
○ Low Impact
■ Minor damage, essential functions operational
○ Medium Impact
■ Significant damage, loss to assets
○ High Impact
■ Major damage, essential functions impaired
Exposure Factor (EF)
Quantitative Risk Analysis Component
● Proportion of asset lost in an event (0% to 100%)
● Indicates asset loss severity
Single Loss Expectancy (SLE)
Quantitative Risk Analysis Component
● Monetary value expected to be lost in a single event
● Calculated as Asset Value x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO)
Quantitative Risk Analysis Component
● Estimated frequency of threat occurrence within a year
● Provides a yearly probability
Annualized Loss Expectancy (ALE)
Quantitative Risk Analysis Component
● Expected annual loss from a risk
● Calculated as SLE x ARO
Risk Transference
● Shifts risk to another party
● Doesn’t remove the risk
Risk Acceptance
● Acknowledge and deal with risk if it occurs
● Used when the cost of managing the risk outweighs the potential loss, or the risk is unlikely to have a significant impact
● No actions to mitigate the risk are taken
Risk Avoidance
● Change plans or strategies to eliminate a specific risk
● Chosen when the risk is too great to accept or transfer
Risk Mitigation
● Take steps to reduce likelihood or impact of risk
● Common strategy involving various actions
Residual Risk
○ The likelihood and impact of the risk after mitigation, transference, or acceptance measures have been taken on the initial risk
Control Risk
Assessment of how a security measure has lost effectiveness over time