Overview of Risk Management
As a risk manager, what should concern you most? First of all, risks and the threat of risks must have as little impact on the business processes as possible. This is really our underlying mission.
What we want to give back, as risk managers, to the officers of our organization, to executive management, and to stakeholders and shareholders is an acceptable level of predictability on a day-to-day basis, and a level of assurance or reliability that threats and attacks against our organization, and other vulnerabilities, are not going to bring it down or impede the operations of our business or organization to the point where a substantial loss is seen.
The process of risk management is often combined with the Business Impact Analysis (BIA). In other words, how can we run a relevant risk management program if we don't really understand the nature and the extent of the risks to our information resources, to our data resources, to our physical and logical resources, and their individual potential impacts on our activities? Without this impact analysis, we are not going to be able to truly manage risks in an effective way.
The Business Impact Analysis (BIA) isn't going to be possible without information asset classification: identifying our assets, classifying them and setting their value. That is really the main aspect of risk management and risk assessment. If our company can't do a full BIA, there is another, less desirable option called Business Dependency Evaluation (BDE), which basically determines the overall macro criticality and sensitivity of our organization's information resources.
The result of this drives management to weigh the risk exposure against the costs to mitigate those risks, as well as all of the financial, personnel and time overhead it takes to implement countermeasures and controls in the organization.
Just as in other disciplines that relate to information security, risk assessment can be quantitative or qualitative. If it is quantitative, it basically means there is a mathematical formula involved, for example the ALE (Annual Loss Expectancy), which is the value of an asset multiplied by the exposure factor multiplied by the annualized rate of occurrence. A qualitative risk assessment, on the other hand, is going to be a little more hypothetical: it is based on the human judgement, intuition and experience of the people who assess the risk.
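The ALE formula above, combined with the earlier point about weighing risk exposure against mitigation cost, can be worked through on a small risk register. This is an added example, not part of the original post: the asset names and figures are constructed, and the assumption that a control only lowers the rate of occurrence, along with the net-benefit comparison, goes beyond what the post states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # value of the asset, in currency units
    exposure_factor: float   # fraction of the asset value lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents per year)
    control_cost: float      # assumed yearly cost of the proposed countermeasure
    aro_with_control: float  # assumed rate of occurrence once the control is in place

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if min(self.asset_value, self.aro, self.control_cost, self.aro_with_control) < 0:
            raise ValueError(f"{self.name}: values and rates cannot be negative")

def ale(asset_value, exposure_factor, aro):
    """ALE = asset value x exposure factor x annualized rate of occurrence."""
    return asset_value * exposure_factor * aro

def assess(risks):
    """Rank risks by ALE and weigh each exposure against its mitigation cost."""
    rows = []
    for r in risks:
        before = ale(r.asset_value, r.exposure_factor, r.aro)
        after = ale(r.asset_value, r.exposure_factor, r.aro_with_control)
        net = before - after - r.control_cost  # yearly saving minus yearly cost
        rows.append({"name": r.name, "ale": before, "residual_ale": after,
                     "net_benefit": net,
                     "decision": "mitigate" if net > 0 else "accept or find a cheaper control"})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)

# Constructed sample register; every figure below is illustrative.
SAMPLE_RISKS = [
    Risk("file server outage", 40_000, 0.25, 0.25, 5_000, 0.125),
    Risk("customer database breach", 500_000, 0.5, 0.5, 30_000, 0.125),
    Risk("public web server defacement", 120_000, 0.25, 2.0, 15_000, 0.5),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(f"{row['name']:<30} ALE={row['ale']:>10,.0f} "
              f"residual={row['residual_ale']:>9,.0f} "
              f"net={row['net_benefit']:>9,.0f} -> {row['decision']}")
```

The file server entry shows the case where the countermeasure costs more per year than the loss it prevents, so the quantitative result argues against buying it.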
Of course, several positive outcomes should result from all of this, which we'll see in the next posts.
Best regards, my friend, and remember: if you have any questions, go ahead!!