RISK ANALYSIS

Risk Analysis

Risk Analysis

Introduction

(See Excel file for risk register). Over the past decade the line between risk management and compliance has been blurred to the point where, in many organizations, it is impossible to determine if they are not one and the same. In part, this confusion between the two functions was initiated and then exacerbated by the passage of the Sarbanes-Oxley Act of 2002 and the implementation of Basel II. Both of these events consumed a great deal of resources, and many consulting firms labeled these efforts “risk management.” They are, in fact, compliance requirements designed to protect stakeholders and, in the latter case, ensure the viability of the financial system. They are not designed for, and nor can their implementation achieve, the management of risk in individual companies or financial institutions.

This confusion between compliance and risk management has led to a defensive posture in dealing with the uncertainties of the competitive business environment. Risk has been confined to the analysis of what could go wrong rather than what needs to go right. Risk management organizations have become the arbiters of what constitutes risk and have assumed an adversarial relationship with business managers, particularly in capital allocation exercises. Failures and scandals are met with calls for more regulation, the implementation of regulations becomes the province of risk management organizations, and the execution of strategy (arguably the area in most need of risk management) becomes further separated from any kind of disciplined analysis.

Purpose

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information. Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their environment in managing IT-related mission risks.

Objective

The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems3 on the basis of the supporting documentation resulting from the performance of risk management.

Risk Management Overview

Importance Of Risk Management

As Peter Bernstein tells us in his book Against the Gods: The Remarkable Story of Risk, the word risk comes from the old Italian risicare, which means ...