Assessing the Severity of Risk — RockCyber


Last time I introduced the first principle under the Performance component of the COSO ERM framework, Identifies Risk. This week we move on to the second principle, Assesses Severity of Risk.

The Performance component has five principles:

  1. Identifies Risk

  2. Assesses Severity of Risk

  3. Prioritizes Risks

  4. Implements Risk Responses

  5. Develops Portfolio View

Now that the risks have been documented in the risk register, it is time to assess the severity of each one: the potential of the risk to impair the organization’s ability to achieve its business and strategic objectives.

A risk register does more than serve as an inventory of identified risks. It is used to track risk exposure (including likelihood and impact), risk owners, risk treatment options, action plans, and residual risk.

Residual risk is the amount of risk that remains after the risk has been treated.

Management cannot address or mitigate every risk, because budget and resources are limited; it therefore decides how to allocate resources to a given risk based on the risk assessment, so that residual risk stays within the organization’s risk appetite. Risk assessment methods fall into two buckets: qualitative and quantitative.

Do not pigeonhole yourself into one of these two camps. There is room for both in our lives. I have witnessed CISOs fail because they used only qualitative analysis, without solid data supporting their assessment of the severity of a risk. I have also witnessed CISOs fail because they used only quantitative analysis, without considering qualitative factors such as the organization’s commitment to resilience or to launching a new product or service on time. A complete and defensible risk analysis depends on both qualitative and quantitative considerations.

Risk assessment rests on evaluating the likelihood and the impact of a risk.

In previous videos I discussed evaluating the impact of a potential risk by performing a business impact analysis. The book “How to Measure Anything in Cybersecurity Risk” by Doug Hubbard and Richard Seiersen does a good job of outlining techniques for assessing the likelihood of a risk. These include:

  • Decomposition: a model that breaks big, ambiguous problems into smaller, more manageable sub-problems.

  • Bayesian analysis: a model that starts from a prior likelihood and improves as more evidence or information becomes available. In other words, how we update the prior probability with new information.

  • Monte Carlo: a computer simulation model that generates many scenarios from the probability distributions of its inputs. The process is iterative and can run through thousands of cycles.

Tracking risks and their potential consequences in a risk register lets you integrate them into a risk management program more efficiently.

Remember that when you evaluate the likelihood and impact of risks, it is not just about the controls your organization is missing. You should also consider the security controls already in place.

  • Do they compensate for the risk? If so, by how much?

  • Once a risk treatment plan has been set, be sure to document the residual risk. Use the same method to calculate the residual risk that you used for the initial risk, so that you are comparing apples to apples.

To summarize and break it down, here are some key risk assessment activities.

  1. Determine the right combination of qualitative and quantitative risk assessment approaches for your organization. Do not let this paralyze you; you can always add quantitative analysis to qualitative analysis later. Think about your audience and culture.

    • What is your ERM team doing now?

    • Are there any opportunities to improve?

    • Do you have political capital to challenge the status quo?

  2. Develop the risk register to track risks and their potential consequences.

  3. Make sure you evaluate residual risk using the same method you used for the initial risk.
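The two likelihood techniques from the list above (Bayesian updating and Monte Carlo simulation) and the rule that residual risk must be scored with the same method as the initial risk, worked through in one added Python example. This is illustration written for this page, not code from the post or from Hubbard and Seiersen’s book; the outage scenario, the indicator rates, the loss figures, the control effectiveness numbers and the risk appetite are all constructed.

```python
"""Risk-register entry scored with a Bayesian likelihood update and a Monte Carlo
annual-loss simulation.  Added illustration, not code from the RockCyber post;
the scenario, rates and loss figures are constructed for the example."""
import math
import random
from dataclasses import dataclass, field


def bayes_update(prior: float, p_evidence_if_event: float, p_evidence_if_no_event: float) -> float:
    """Bayes' rule: update the prior probability that the risk event occurs this
    year, given one observed piece of evidence (for example an indicator that is
    seen with the first rate in years with an event and with the second rate in
    years without one)."""
    numerator = prior * p_evidence_if_event
    denominator = numerator + (1.0 - prior) * p_evidence_if_no_event
    return numerator / denominator


def simulate_annual_loss(p_event: float, median_impact: float, impact_sigma: float,
                         trials: int = 20_000, seed: int = 1) -> list[float]:
    """Monte Carlo: each trial is one simulated year.  The event occurs with
    probability p_event; when it does, the loss is drawn from a lognormal
    distribution (positive and right-skewed, a usual choice for loss magnitude)
    with the given median and log-space standard deviation.  Returns the loss
    of every trial, zero for years with no event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(math.log(median_impact), impact_sigma))
        else:
            losses.append(0.0)
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss and the 90th-percentile loss (a 'bad year')."""
    ordered = sorted(losses)
    p90_index = int(0.90 * (len(ordered) - 1))
    return {"expected_loss": sum(losses) / len(losses), "p90_loss": ordered[p90_index]}


@dataclass
class RiskEntry:
    """One row of the register: exposure, owner, treatment, inherent and residual risk."""
    name: str
    owner: str
    p_event: float          # likelihood of the event within a year
    median_impact: float    # loss if it happens, in currency units
    impact_sigma: float     # spread of that loss in log space
    treatment: str = "none"
    inherent: dict = field(default_factory=dict)
    residual: dict = field(default_factory=dict)

    def assess(self, likelihood_reduction: float = 0.0, impact_reduction: float = 0.0) -> dict:
        """Score the inherent risk, then the residual risk after treatment,
        running the same simulation for both so the numbers are comparable.
        The reductions are the assessed effect of existing or planned controls."""
        self.inherent = summarize(simulate_annual_loss(
            self.p_event, self.median_impact, self.impact_sigma))
        self.inherent["method"] = "monte_carlo"
        self.residual = summarize(simulate_annual_loss(
            self.p_event * (1.0 - likelihood_reduction),
            self.median_impact * (1.0 - impact_reduction),
            self.impact_sigma))
        self.residual["method"] = "monte_carlo"
        return self.residual


def risk_reduction(entry: RiskEntry) -> float:
    """Fraction of expected annual loss removed by the treatment.  Refuses to
    compare scores produced by different methods: apples to apples only."""
    if entry.inherent.get("method") != entry.residual.get("method"):
        raise ValueError("inherent and residual risk were scored with different methods")
    return 1.0 - entry.residual["expected_loss"] / entry.inherent["expected_loss"]


def within_appetite(entry: RiskEntry, appetite: float) -> bool:
    """True when the residual expected annual loss is at or below the appetite."""
    return entry.residual["expected_loss"] <= appetite


if __name__ == "__main__":
    # Constructed scenario: base rate 20 %/year, then one indicator observed
    # that appears in 90 % of years with an event and 30 % of years without.
    likelihood = bayes_update(0.20, p_evidence_if_event=0.9, p_evidence_if_no_event=0.3)
    entry = RiskEntry(name="Multi-day outage of the order system", owner="CIO",
                      p_event=likelihood, median_impact=400_000, impact_sigma=0.8,
                      treatment="tested offline backups and a rehearsed recovery plan")
    entry.assess(likelihood_reduction=0.5, impact_reduction=0.6)
    print(f"likelihood after update: {likelihood:.2f}")
    print(f"inherent: {entry.inherent}")
    print(f"residual: {entry.residual}")
    print(f"treatment removes {risk_reduction(entry):.0%} of expected loss; "
          f"within a 75k appetite: {within_appetite(entry, 75_000)}")
```

The `method` tag on both estimates is the point of the third activity above: `risk_reduction` refuses to put a Monte Carlo inherent score next to a residual score produced some other way, so the comparison stays apples to apples. Swap the lognormal for whatever loss distribution your own data supports; the structure (likelihood update, simulation, same method for both scores, check against appetite) is what carries over.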

Next time, we will talk about prioritizing risk.

As always, I welcome your comments, and if you want to have a direct conversation, please shoot me a message and we will set something up.

Have a nice week!
