
"While enterprise risk management provides important benefits, limitations exist. ... limitations result from the realities that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity’s objectives."

COSO

 

Information Systems Risk Management


Risk Management

What is Risk and Risk Management?

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

There is virtually no risk-free system or risk-free process. Risk is inherent in any system, and the purpose of risk management is to mitigate it cost-effectively: the cost of the measures deployed to avoid or reduce a risk should not exceed the benefit derived from the process being protected. For mission-critical systems this simple cost-benefit threshold is usually set aside, and risk management is then defined, as in NIST SP 800-30, as the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions.

The objectives of risk management

The objective of performing risk management is to enable the organization to accomplish its mission by:

  1. better securing the IT systems that store, process, or transmit organizational information;

  2. enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and

  3. assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threats and the risk associated with an IT system. The output of this process identifies the appropriate controls for reducing or eliminating risk during the second process, risk mitigation. The following mitigation diagram is the one suggested by the US Dept. of Commerce (NIST SP 800-30).

[Diagram: Risk Mitigation Action Points]
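The definition of risk given above (probability combined with impact), the cost-benefit rule for safeguards, and the hand-off from risk assessment to risk mitigation can be made concrete in code. The following Python is an added example, not code from the original page or from its author. It uses the likelihood and impact weights of the NIST SP 800-30 risk-level matrix (Section 3.7 of that publication); the register entries, loss figures, control names and the annualized-loss-expectancy cost test are constructed assumptions for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass

# Weights of the NIST SP 800-30 risk-level matrix (Section 3.7): the score is
# likelihood x impact, and the scale is Low 1-10, Medium >10-50, High >50-100.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
LEVELS = ["low", "medium", "high"]  # ordered so levels can be compared


def risk_score(likelihood: str, impact: str) -> float:
    """Risk as probability times impact, using the SP 800-30 weights."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as missing:
        raise ValueError(f"unknown likelihood/impact rating: {missing}") from None


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 qualitative scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    """One threat/vulnerability pair from a risk register (constructed fields)."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    control: str          # proposed safeguard (hypothetical)
    control_cost: float   # assumed annual cost of the safeguard
    ale_before: float     # assumed annualized loss expectancy without it
    ale_after: float      # assumed annualized loss expectancy with it

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)

    def control_is_justified(self) -> bool:
        """Cost-benefit rule from the text: deploy a safeguard only when the
        annual loss it prevents exceeds its annual cost."""
        return (self.ale_before - self.ale_after) > self.control_cost


def assess(register: list[RiskItem], acceptable_level: str = "low") -> list[dict]:
    """Rank the register by score and decide, per item, whether it sits above
    the acceptable level and whether the proposed control pays for itself."""
    if acceptable_level not in LEVELS:
        raise ValueError(f"acceptable level must be one of {LEVELS}")
    results = []
    for item in sorted(register, key=lambda i: i.score, reverse=True):
        above = LEVELS.index(item.level) > LEVELS.index(acceptable_level)
        if not above:
            action = "accept"
        elif item.control_is_justified():
            action = "deploy control"
        else:
            action = "control too costly: seek a cheaper safeguard or accept"
        results.append({
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "score": item.score,
            "level": item.level,
            "control": item.control,
            "action": action,
        })
    return results


# Constructed sample register; the figures are illustrative, not measured.
SAMPLE_REGISTER = [
    RiskItem("external attacker", "unpatched web server", "high", "high",
             "patch management process", 30_000, 200_000, 20_000),
    RiskItem("insider", "no audit logging on file server", "medium", "medium",
             "SIEM deployment", 50_000, 40_000, 10_000),
    RiskItem("power failure", "no UPS in test lab", "low", "low",
             "UPS", 2_000, 1_500, 500),
    RiskItem("lost laptop", "unencrypted disk", "medium", "high",
             "full-disk encryption", 8_000, 60_000, 5_000),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['score']:>5.1f} {row['level']:<6} {row['threat']:<18} -> {row['action']}")
```

Two details are worth noting. A medium likelihood against a high impact scores exactly 50 and therefore stays at the medium level under the SP 800-30 thresholds, which is why the boundary test in risk_level uses strict comparisons. And the cost test is applied only to items above the acceptable level: an item the organization has already decided to accept is not mitigated even when a cheap control exists, which is the "acceptable level" idea from the definition of risk management.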

     
© Richard Chichakli 1998-2009, for information contact webmaster.