Risk can be defined as the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level (mitigation), and maintaining that acceptable level of risk. Earlier, this chapter defined the different types of risks, such as business risk and continuity risk. As a part of ongoing IT procedures, a formal risk-management process must be incorporated into the planning, acquisition, development, testing, and deployment of information systems. Organizations can choose to transfer, reject, reduce, or accept risks. An example of transferring risk occurs when a company or individual purchases insurance. The company might purchase insurance on assets so that, in the event of theft, damage, or destruction, the asset can be replaced or repaired. The insurance might cover most of the asset, or the business might opt to pay a lower annual fee, thereby increasing the deductible on claims. The deductible on the claim would be the organization's residual risk. IS, Business, and Audit Risk (Such as Threats and Impacts)An effective risk-management program should enable the organization to realize its business objectives by doing the following:
Risk management encompasses three processes: risk assessment, risk mitigation, and risk transference. The risk-assessment process includes identifying information resources or assets that are vulnerable and might need protection. Assets are resources, processes, products, or computer infrastructures that an organization has determined must be protected. Identifying these assets includes prioritizing and might involve mission criticality/sensitivity or asset value. Examples of assets include the following:
The next step in the process is defining the threats associated with the asset(s) and the probability of the exercise of vulnerabilities. A vulnerability is a weakness in internal controls that could be exploited by a threat to gain unauthorized access to information or disrupt systems. Threats are defined as a potential danger (hazard) to information systems; the hazard is something that increases the likelihood of loss. Threats can generally be classified as natural, environmental, or manmade; they have the potential to cause such harm to the asset as destruction, disclosure, modification, or disruption. Some common classes of threats can include these:
The result of a threat exercising a vulnerability is called an impact; this can result in a loss to the organization's resources. The impact might be quantitative (direct loss of money, opportunity, disruption) or qualitative (breach of legislation, damage to reputation, endangerment of staff, breach of confidence) and represents either a direct or an indirect loss to the organization. After the resources, threats, vulnerabilities, and priorities have been established, the organization must determine whether the risk is acceptable; if not, the auditor should identify and evaluate the existing controls. This evaluation determines which controls, if any, should be implemented to further reduce risk or minimize the residual risk. These controls can be actions, devices, procedures, or techniques, and can be measured based on design strength or the likelihood of effectiveness. When evaluating the strength of controls, the IS auditor should consider whether the controls are preventative or detective, manual or programmed, and formal or informal (ad-hoc). After the organization has applied controls to the resource through transfer or reduction, the remaining risk is called residual risk. The organization's management can use the presence of residual risk to identify areas that need additional control or less stringent controls (more cost-effective). The organization's acceptance of residual risk takes into account the organizational policy, risk-management plan and measurement, and the cost-effectiveness of implementing controls. The objective of risk management is to mitigate risk to an acceptable level. Risk is mitigated, or reduced, by implementing cost-effective controls. IT managers, the steering committee, and auditors should implement a risk-management process with the goal of protecting the organization and its capability to perform its business functions, not just the organization's IT assets. |