Risk Management is the practice of ensuring that organizational assets remain appropriately protected if specific threats become a reality. It is an ongoing programme of review that balances the potential impact of the destruction or misuse of those assets against the cost of selecting and implementing additional controls.
Although very generic terms have been used above to describe Risk Management, the same process is applied to most types of "asset": projects, buildings, information systems, people, manufacturing, the protection of national and international security, and information.
Different sectors will have different variations and specific considerations, but essentially the overall process is the same.
Operational and Information Risk Management is the practice of assessing and managing the risks to information, to the associated information systems, and to business operational practices within an organization.
RiskComp uses an expertise-based questionnaire approach to Operational and Information Risk Management, and is closely aligned with both the international ISO/IEC 17799:2005 standard (since renumbered as ISO/IEC 27002) and the British BS 7799-3:2006 standard for information security risk management.
Asset Identification
RiskComp allows an organization to (optionally) define the assets that will be assessed as part of the Risk Management programme. These assets are then referred to in the Scope of Assessment stage of the approach.
Scope of Assessment
The Scope of Assessment identifies exactly what is being assessed within a specific survey. This reduces the risk of the scope being too high level or too broad, and so keeps the assessment focused. By collecting the relevant information up front, it guides the assessor through defining the scope regardless of their knowledge or previous experience of the process.
Impact Assessment
After determining the
scope of the assessment, specific relevant
questionnaires are generated to ascertain the value of
the Organizational assets that have been selected or
identified, and to determine the impact on the
Organization resulting from the destruction or misuse of
these assets.
Risk Assessment
The results of the
Impact Assessment are subsequently used to determine
which threats and vulnerabilities warrant a detailed
investigation. Where the impact is considered to be
significant, further detailed questionnaires are
generated to assess the threats, vulnerabilities, and
existing controls. The Risk Assessment identifies where
there are perceived weaknesses in the protection of the
assets (sometimes referred to as a “gap analysis”), and
recommends actions that can be taken to reduce the risk
to an acceptable level. Some of these actions can be
defined as Policy Statements, thus becoming mandatory.
Risk Management
Once the risk assessment
has been completed, the Organization will have a list of
areas (risk categories) where the strengthening of
controls is required, and a list of the possible actions
(recommendations and policy statements) that will reduce
the risks identified.
RiskComp provides tools to
effectively manage these identified risks, and to track
the progress made, and actions taken, to reduce the
risks to an acceptable level.
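The staged approach described above (scope the assets, rate impact, assess threats, vulnerabilities and existing controls only where impact is significant, run a gap analysis against an acceptable risk level, then track the actions taken) can be modelled in a few dozen lines. The following is an added example written for this page; it is not RiskComp's code and RiskComp's real questionnaires, scales and scoring are not documented here. The 1..5 qualitative scales, the exposure formula, the two thresholds and the sample assets and threats are all assumptions chosen for illustration:

```python
"""Qualitative risk assessment pipeline: Scope -> Impact -> Risk -> Management.
Added example, not RiskComp's code. The 1..5 scales, the scoring formula, the
thresholds and the sample assets/threats are all assumptions for illustration."""
from dataclasses import dataclass, replace

IMPACT_SIGNIFICANT = 3  # impact at/above this triggers the detailed threat/vulnerability questionnaires
ACCEPTABLE_RISK = 8     # residual risk above this is a gap requiring action


@dataclass
class Asset:
    name: str
    impact: dict  # impact (1..5) of losing each property, from the Impact Assessment questionnaire


@dataclass
class Scenario:
    asset: str
    threat: str
    likelihood: int        # 1..5 how likely the threat is to occur
    vulnerability: int     # 1..5 how easily it would succeed with no controls in place
    control_strength: int  # 0..4 effectiveness of the controls already in place
    recommendation: str
    mandatory: bool = False  # True: the recommendation is issued as a Policy Statement


def impact_rating(asset):
    """Impact Assessment: the worst-case impact across the rated properties."""
    return max(asset.impact.values())


def exposure(s):
    """Likelihood of harm (1..5) once existing controls are credited (assumed formula)."""
    return max(1, min(5, s.likelihood + s.vulnerability - 1 - 2 * s.control_strength))


def risk_level(asset, s):
    """Risk = impact x exposure, on a 1..25 scale."""
    return impact_rating(asset) * exposure(s)


class RiskRegister:
    def __init__(self, inventory, scope, scenarios):
        # Scope of Assessment: only assets explicitly selected for this survey are assessed.
        self.assets = {a.name: a for a in inventory if a.name in scope}
        # Detailed Risk Assessment is only performed where the Impact Assessment is significant.
        self.scenarios = [replace(s) for s in scenarios if s.asset in self.assets
                          and impact_rating(self.assets[s.asset]) >= IMPACT_SIGNIFICANT]
        self.identified = {(s.asset, s.threat) for s in self.gaps()}  # baseline for progress tracking

    def gaps(self):
        """Gap analysis: scenarios whose current risk exceeds the acceptable level."""
        return [s for s in self.scenarios if risk_level(self.assets[s.asset], s) > ACCEPTABLE_RISK]

    def actions(self):
        """Recommendations and Policy Statements for every open gap, highest risk first."""
        rows = [(risk_level(self.assets[s.asset], s), "POLICY" if s.mandatory else "RECOMMEND",
                 s.asset, s.threat, s.recommendation) for s in self.gaps()]
        return sorted(rows, reverse=True)

    def apply_action(self, asset, threat, new_control_strength):
        """Risk Management: record a strengthened control and return the re-scored risk."""
        for s in self.scenarios:
            if s.asset == asset and s.threat == threat:
                s.control_strength = new_control_strength
                return risk_level(self.assets[asset], s)
        raise KeyError(f"{asset}/{threat} was not part of the detailed assessment")

    def progress(self):
        """How many of the originally identified gaps are still open."""
        open_now = {(s.asset, s.threat) for s in self.gaps()} & self.identified
        return {"identified": len(self.identified), "open": len(open_now),
                "closed": len(self.identified) - len(open_now)}


# Constructed sample data (hypothetical assets and threats, not real assessment results).
INVENTORY = [
    Asset("Customer DB", {"confidentiality": 5, "integrity": 4, "availability": 3}),
    Asset("Public website", {"confidentiality": 1, "integrity": 3, "availability": 3}),
    Asset("Canteen menu page", {"confidentiality": 1, "integrity": 1, "availability": 1}),
    Asset("HR payroll", {"confidentiality": 4, "integrity": 4, "availability": 2}),
]
SCENARIOS = [
    Scenario("Customer DB", "SQL injection via web app", 4, 4, 1,
             "Parameterised queries; annual application pentest", mandatory=True),
    Scenario("Customer DB", "Backup tape lost in transit", 2, 3, 3, "Encrypt backup media"),
    Scenario("Public website", "CMS defacement via weak admin password", 3, 4, 0,
             "Enforce MFA on CMS administrator accounts"),
    Scenario("Canteen menu page", "Defacement", 5, 5, 0, "n/a"),         # impact too low to assess
    Scenario("HR payroll", "Insider fraud", 3, 3, 0, "Dual control"),   # not in this survey's scope
]


def run_survey():
    """One survey over three scoped assets; HR payroll is deliberately left out of scope."""
    return RiskRegister(INVENTORY, {"Customer DB", "Public website", "Canteen menu page"}, SCENARIOS)


if __name__ == "__main__":
    reg = run_survey()
    for row in reg.actions():
        print(row)
    reg.apply_action("Customer DB", "SQL injection via web app", 4)
    print(reg.progress())
```

Two behaviours worth noticing: the canteen page has the highest raw threat and vulnerability ratings of anything in the inventory, yet it never reaches the threat and vulnerability stage because its impact rating is below the gate, which is exactly the filtering the Impact Assessment stage is meant to do; and strengthening the SQL injection controls part-way (control strength 2) leaves that item open at risk 15, so the register keeps reporting it until the control is strong enough to bring the residual risk under the acceptable level.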