Risk Management Process
In the last post we saw an overview of Risk Management. We saw the importance of Business Impact Analysis (BIA) for understanding the nature and extent of the risks to our organization. Without this analysis, and without a proper classification of assets, it is very difficult to know where we have to invest and spend money to protect our assets. In this new post we'll see the five-step process of Risk Management.
Definition of Scope: This is the first process. It is where we establish the global parameters for the performance of our risk management process, and it applies to our entire organization or business. We have to take into account internal factors, external factors, structured factors, which are things like planned tasks or structured reconnaissance from competitors, and unstructured actions, or in other words accidents. Once we have defined the scope, we have to perform the Risk Assessment.
Risk Assessment: This is a scientifically based process that also uses technology, and it involves three steps. First we identify risks, second we analyse risks, and finally we evaluate risks.
Risk Treatment: In the third process we consider the action plan. We select and implement the measures that we are going to use to modify our risks, mitigate them, or apply countermeasures against them. This includes things like avoidance, optimization, transferring the risk, for example to insurance, or retaining the risk. In other words, if our company decides to accept a certain amount of risk, then it retains that risk. For example, we might accept a certain amount of denial-of-service attacks against the perimeter of our organization, perhaps adding more bandwidth or putting in quality of service or traffic policing techniques. We are never really going to remove that risk, but by retaining it we can allow it at certain levels.
Risk Communication: Once we have assessed the risk by identifying, analysing and evaluating it, and have put our action plan in place, which involves one of four things (avoidance, optimising our systems, transferring the risk to insurance, or retaining the actual risk), we have to communicate the results. We have to exchange and share the information about these risks between stakeholders, shareholders, decision makers and people inside and outside of our organization, like internal departments and outsourcers.
Monitoring and Review: This process is also referred to as an audit or auditing. It's where we measure the efficiency and the effectiveness of the overall risk management strategy. It basically means establishing an ongoing, perpetual monitoring and review process, making certain that the management action plans we decided on remain relevant and are updated on a regular basis. This process also brings control activities and compliance into place.
Best regards, my friend, and remember: measure your risks to properly protect your assets.