Build an IT Risk Management Program

Research & Tools

1. Build an IT Risk Management Program – A holistic approach to managing IT risks within your organization and involving key business stakeholders.
Gain business buy-in to understanding the key IT risks that could negatively impact the organization, and create an IT risk management program to properly identify, assess, respond to, monitor, and report on those risks.
2. Risk Management Program Manual – A single source of truth in which the risk management program exists and is updated to reflect changes.
Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed are documented in a single source accessible to those involved.

3. Risk Register & Risk Costing Tool – A set of tools to document identified risk events. Assess each risk event and consider the appropriate response based on your organization’s threshold for risk.
Use these tools if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high-severity risk events to ensure all possible situations are considered.

4. Risk Event Action Plan and Risk Report – A template to document the chosen risk responses and ensure accountable owners agree on the selected response method.
Establish clear guidelines and responses for risk events that would otherwise leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Member                  Engagement              Overall impact   $ saved    Days saved
Johnson County Library  Guided Implementation   9/10             $2,519     5
MassMutual              Guided Implementation   10/10            $69,299    16
Fernco Inc              Workshop                9/10             N/A        10

Best parts: since this was an update from previous years, Sumit provided pre-work prior to the workshop so that more discussion time could be spent on the roadmap. Worst parts: trying to figure out a way to respond to the question "...estimate the financia..."

"Hope" is not a risk management strategy.
Workshop: Build an IT Risk Management Program

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Review IT Risk Fundamentals and Governance
The Purpose
Key Benefits Achieved
Activities
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
Outputs

Module 2: Identify IT Risks
The Purpose
Key Benefits Achieved
Activities
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT 5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
Outputs

Module 3: Identify IT Risks (continued)
The Purpose
Key Benefits Achieved
Activities
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Perform root cause analysis
3.6 Identify and assess risk responses
Outputs

Module 4: Monitor, Report, and Respond to IT Risk
The Purpose
Key Benefits Achieved
Activities
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
Outputs

Contents
Executive Brief
Analyst Perspective
Executive Summary
Phase 1: Review IT Risk Fundamentals & Governance
Phase 2: Identify and Assess IT Risk
Phase 3: Monitor, Communicate, and Respond to IT Risk
Appendix
Bibliography

Analyst Perspective

Risk is an inherent part of life but is not very well understood or executed within organizations. This has led to risk being avoided or, when it is managed, being handled in isolated silos with inconsistent understanding of impact and terminology. Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risk an organization is facing, making it easier to manage and leverage risk while reducing the risk that different, uncoordinated mitigation responses are applied to the same risk events. This opens the door to using risk information not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

Executive Summary

IT has several challenges when it comes to addressing risk management:

Many IT organizations realize these obstacles:

IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021). By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021). Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Governance and related decision making is optimized with integrated and aligned risk data. ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.
Assess the organization's current maturity and readiness for integrated risk management (IRM).
The repository for all the risks that have been identified within your environment.
A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.
A method to report risk severity and hold risk owners accountable for the chosen method of responding.

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk. This research covers the following IT risk fundamentals:

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is 6 to 8 calls over the course of 3 to 6 months. What does a typical GI on this topic look like? Contact your account representative for more information.
Workshop agenda
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT 5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Perform root cause analysis
3.6 Identify and assess risk responses
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
5.1 Complete in-progress deliverables from the previous four days
5.2 Set up review time for workshop deliverables and to discuss next steps

Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

Input: List of IT personnel and business stakeholders
Output: Buy-in from senior leadership for an IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, business executive leadership

The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

Record the results in the Risk Management Program Manual.

Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization. Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization. Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information and start enabling automatic controls that respond to this data.

1-4 hours
Input: List of IT personnel and business stakeholders
Output: Maturity scores across four key risk categories
Materials: Integrated Risk Maturity Assessment Tool
Participants: IT executive leadership, business executive leadership

This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

How to Use This Assessment:
Record the results in the Integrated Risk Maturity Assessment.

Review IT Risk Fundamentals and Governance

Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative. Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.

A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk. An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization. Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

Smaller organizations can often institute a mature risk management program much more quickly than larger organizations.
It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management. Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.

1-4 hours
Input: Integrated Risk Maturity Assessment
Output: Obstacles and pain points identified
Materials: IT Risk Management Success Factors
Participants: IT executive leadership, business executive leadership

Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

Instructions:
Replace the example pain points and opportunities with real scenarios from your organization.

Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks. Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk. Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks. Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere. Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

1-4 hours
Input: Integrated Risk Maturity Assessment, risk culture, pain points and opportunities
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, business executive leadership

Translate your maturity assessment and your knowledge of organizational risk culture, potential obstacles, and success factors into goals for your IT risk management program.

Instructions:
Record the results in the Risk Management Program Manual. Replace the example metrics with accurate KPIs or metrics for your organization.

Must be on the ITRC:

1-4 hours
Input: List of IT personnel and business stakeholders
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: CIO, CRO (if applicable), senior directors, head of operations

Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

Instructions:
Record the results in the Risk Management Program Manual.

What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of?

Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

Executive Participation: While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk.
Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.

Info-Tech’s risk categories are consistent with a risk identification method called risk prompting. A risk prompt list is a list that categorizes risks into types or areas. The ten risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

Input: IT risk categories
Output: Risk events identified and categorized
Materials: Risk Register Tool
Participants: IT risk council, relevant business stakeholders, representation from the senior management team, business risk owners, CRO (if applicable)

Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

Instructions:
Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.
Record the results in the Risk Register Tool.

Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified. The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time in which ideas are shared but not discussed, to encourage judgement-free idea generation.

Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider them if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.

Identify and Assess IT Risk

Risk is money. It is impossible to make intelligent decisions about risks without knowing what their financial impact will be. In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

[Figure: risk severity model, with the labels Likelihood of Risk Impact, Likelihood of Risk Occurrence, Risk Severity, and Risk Tolerance]

Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team other than the CIO). Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk. If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores. While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses, as they are more likely to receive funding. Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders. If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.

Review the two levels of risk assessment offered in this blueprint.

Risk severity level assessment. Number of risks: assess all risk events identified in Phase 1.
[Figure: severity matrix excerpt, with the cells Negligible, Negligible, Moderate]

Expected cost assessment. Number of risks: only assess high-priority risks revealed by the severity-level assessment. Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business. For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

Use this tool to:
2.2.1 Determine the threshold for (un)acceptable risk
1-4 hours
Input: Risk events, risk appetite
Output: Threshold for risk identified
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, relevant business stakeholders, representation from the senior management team, business risk owner

Instructions:
There are times when the business needs to know about IT risks with high expected costs. This threshold is typically based on the organization’s ability to absorb financial losses and its tolerance/appetite towards risk. If your organization has ERM, adopt the existing acceptability threshold. Record this threshold in section 5.3 of the Risk Management Program Manual.

2.2.2 Create a financial impact assessment scale
1-4 hours
Input: Risk events, risk threshold
Output: Financial impact scale created
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, relevant business stakeholders, representation from the senior management team, business risk owner

Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual.

Convert project overruns and service outages into costs
Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.
2.2.3 Select a technique to measure reputational cost (1 of 3)
1-3 hours
Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

2.2.3 Select a technique to measure reputational cost (2 of 3)
1-3 hours

2.2.3 Select a technique to measure reputational cost (3 of 3)
1-3 hours
If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

2.2.4 Create a likelihood scale
1-3 hours

Info-Tech Insight
Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (e.g. 3 times per year) as the measurement.

2.2.5 Risk severity level assessment
6-10 hours
Input: Risk events identified
Output: Assessed likelihood of occurrence and impact for all identified risk events
Materials: Risk Register Tool
Participants: IT risk council, relevant business stakeholders, representation from the senior management team, business risk owner

Instructions:
Record results in the Risk Register Tool.

2.2.5 Risk severity level assessment (continued)

Identify current risk controls
Consider how IT is already addressing key risks.

Types of current risk control

Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

Info-Tech Insight
Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.

Assign a risk owner for each risk event
Designate a member of the IT risk council to be responsible for each risk event.

Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)
Use this tool to:

2.2.6 Expected cost assessment (optional)
Assign likelihood and financial impact values to high-priority risks.

2.2.6 Expected cost assessment (continued)
Assign likelihood and financial impact values to high-priority risks.

Evaluate likelihood and impact
Refine your risk assessment process by developing more accurate measurements of likelihood and impact.
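The two assessment levels above (severity = likelihood x impact on the scales from activities 2.2.2 and 2.2.4, then expected cost for the risks that cross the 2.2.1 threshold) are easy to get subtly wrong when a register lives in a spreadsheet, so here is an added worked example of the logic in Python. It is illustrative code, not Info-Tech's Risk Register Tool or Risk Costing Tool; the scale values, the threshold of 12, the field names and the four sample risk events are constructed assumptions.

```python
"""Added example (not Info-Tech's Risk Register Tool): a minimal risk register
that scores severity as likelihood x impact on five-point scales, flags events
at or above the unacceptable-risk threshold, and converts the flagged ones into
an expected annual cost. Scale values, threshold and sample events are assumed."""
from dataclasses import dataclass, field

# Financial impact scale (activity 2.2.2): scale point -> representative cost
# per occurrence. Assumed values; replace with your own impact scale.
IMPACT_SCALE = {1: 5_000, 2: 25_000, 3: 100_000, 4: 500_000, 5: 2_000_000}

# Likelihood scale (activity 2.2.4): scale point -> probability that the event
# occurs at least once in the next year. A degree of belief, not a historical
# frequency (see Appendix II). Assumed values.
LIKELIHOOD_SCALE = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.85}

# Severity = likelihood x impact on the 1-5 scales, so it ranges from 1 to 25.
# Events at or above this score must be reported to the business (activity
# 2.2.1). Assumed threshold; adopt the ERM threshold if one exists.
UNACCEPTABLE_SEVERITY = 12


@dataclass
class RiskEvent:
    name: str
    category: str
    likelihood: int                  # 1-5, key into LIKELIHOOD_SCALE
    impact: int                      # 1-5, key into IMPACT_SCALE
    owner: str                       # member of the IT risk council
    occurrences_per_year: float = 1  # expected repeats once the risk materializes
    controls: list = field(default_factory=list)  # existing risk controls

    def __post_init__(self):
        # Reject values off the scale instead of silently producing a severity.
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be on the 1-5 scale")

    def severity(self) -> int:
        """Level-one assessment: Likelihood x Impact = Severity."""
        return self.likelihood * self.impact

    def is_unacceptable(self, threshold: int = UNACCEPTABLE_SEVERITY) -> bool:
        return self.severity() >= threshold

    def expected_annual_cost(self) -> float:
        """Level-two assessment: probability x (cost per occurrence x expected
        occurrences). Repeat occurrences are folded into the impact side, as
        Appendix II describes."""
        probability = LIKELIHOOD_SCALE[self.likelihood]
        impact_cost = IMPACT_SCALE[self.impact] * self.occurrences_per_year
        return round(probability * impact_cost, 2)


def prioritize(register: list[RiskEvent], threshold: int = UNACCEPTABLE_SEVERITY) -> list[dict]:
    """Return the risks at or above the threshold, most expensive first, in the
    form the Risk Report needs: name, owner, severity, expected annual cost."""
    flagged = [r for r in register if r.is_unacceptable(threshold)]
    flagged.sort(key=lambda r: (r.expected_annual_cost(), r.severity()), reverse=True)
    return [
        {"name": r.name, "owner": r.owner, "severity": r.severity(),
         "expected_annual_cost": r.expected_annual_cost(), "controls": r.controls}
        for r in flagged
    ]


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    RiskEvent("Ransomware encrypts file servers", "Security", 3, 5, "CISO",
              controls=["EDR on endpoints", "nightly backups"]),
    RiskEvent("ERP outage longer than eight hours", "Operations", 4, 3, "Head of Operations",
              occurrences_per_year=2, controls=["vendor support contract"]),
    RiskEvent("Key SaaS vendor exits the market", "Vendor", 2, 4, "IT Director"),
    RiskEvent("Laptop lost or stolen", "Assets", 5, 1, "Service Desk Manager",
              occurrences_per_year=3, controls=["full-disk encryption"]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['severity']:>2}  ${row['expected_annual_cost']:>12,.2f}  "
              f"{row['name']} ({row['owner']})")
```

Two things the register makes explicit that a spreadsheet tends to hide: the threshold comparison is on the severity score, so a frequent low-impact event (laptop theft, severity 5) stays below the line even though it recurs, while the ERP outage sits exactly on the threshold and is reported; and expected cost is only computed for the flagged events, which is the "only assess high-priority risks" rule of the second level. The `controls` list carries the existing risk controls forward so that the later response analysis starts from residual rather than inherent risk.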
Build an IT Risk Management Program
Phase 3: Monitor, Respond, and Report on IT Risk

This phase will walk you through the following activities:

This phase involves the following participants:

Step 3.1: Monitor IT Risks and Develop Risk Responses
Activities

This step involves the following participants:

Outcomes of this step
Monitor, Respond, and Report on IT Risk

Use Info-Tech’s Risk Event Action Plan to manage high-priority risks
Manage risks between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported. Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.

3.1.1 Develop key risk indicators (KRIs) and escalation protocols
Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

Developing KRIs for success
Examples of KRIs

3.1.2 Establish the reporting schedule
For each risk event, document in the Risk Event Action Plan how frequently the risk owner must report to the IT risk council.

Use Info-Tech’s tools to identify, analyze, and select risk responses

Identify factors that contribute to the severity of the risk
Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.

3.1.3 Identify and assess risk responses
Record the results in the Risk Event Action Plan.

Risk Avoidance
Take actions to avoid the risk entirely.

Risk Mitigation
Pursue projects that reduce the likelihood or impact of the risk event.

Pursue projects that reduce the likelihood or impact of the risk event (continued)
Use the following IT functions to guide your selection of risk mitigation actions:

Risk Transfer
Transfer risks to a third party. Risk transfer is the exchange of uncertain future costs for fixed present costs.

Risk Acceptance
Accept risks that fall below established thresholds. Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat. You may choose to accept a risk event for one of the following three reasons:

Info-Tech Insight
Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.

3.1.4 Risk response cost-benefit analysis (optional)
The purpose of a cost-benefit analysis (CBA) is to guide financial decision making. This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

3.1.4 Risk response cost-benefit analysis (continued)
The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.
Instructions:
Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.

3.1.5 Create multi-year cost projections (optional)
Select between risk response options by projecting their costs and benefits over multiple years.
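Activities 3.1.4 and 3.1.5 together amount to one calculation: each candidate response (avoid, mitigate, transfer, accept) has a one-time cost and a running cost, and its benefit is the expected annual cost it removes; the right choice depends on the horizon over which you compare them. The following is an added worked example of that projection in Python. It is illustrative code, not Info-Tech's Risk Costing Tool; the ransomware scenario, the four response options, their costs and their residual likelihood and impact figures are constructed assumptions, and the function names are mine.

```python
"""Added example for activities 3.1.4 and 3.1.5: a cost-benefit analysis of
candidate risk responses projected over several years. Each response is costed
as a one-time project cost plus an annual running cost; its benefit is the
reduction in expected annual cost it buys. Illustrative code, not Info-Tech's
Risk Costing Tool; the scenario and all figures are constructed assumptions."""
from dataclasses import dataclass


def expected_annual_cost(likelihood: float, impact: float) -> float:
    """Likelihood (probability of occurrence within the year) x financial impact."""
    return round(likelihood * impact, 2)


@dataclass(frozen=True)
class RiskResponse:
    name: str
    kind: str                   # "avoid", "mitigate", "transfer" or "accept"
    one_time_cost: float        # project cost incurred in year 1
    annual_cost: float          # recurring cost (licences, premiums, staff)
    residual_likelihood: float  # likelihood remaining once the response is in place
    residual_impact: float      # impact per occurrence remaining


def project(response: RiskResponse, likelihood: float, impact: float, years: int) -> list[dict]:
    """Year-by-year cumulative cost, cumulative benefit and net position of one
    response, measured against the inherent (pre-response) expected annual cost."""
    if years < 1:
        raise ValueError("projection horizon must be at least one year")
    inherent = expected_annual_cost(likelihood, impact)
    residual = expected_annual_cost(response.residual_likelihood, response.residual_impact)
    annual_benefit = inherent - residual  # avoided expected loss per year
    rows, cost, benefit = [], response.one_time_cost, 0.0
    for year in range(1, years + 1):
        cost += response.annual_cost
        benefit += annual_benefit
        rows.append({"year": year, "cumulative_cost": round(cost, 2),
                     "cumulative_benefit": round(benefit, 2), "net": round(benefit - cost, 2)})
    return rows


def select_response(responses: list[RiskResponse], likelihood: float, impact: float,
                    years: int) -> RiskResponse:
    """Pick the response with the best net position at the end of the horizon;
    on a tie prefer the cheaper option."""
    def score(r: RiskResponse):
        final = project(r, likelihood, impact, years)[-1]
        return (final["net"], -final["cumulative_cost"])
    return max(responses, key=score)


# Constructed scenario: inherent likelihood 35% per year, impact $2,000,000
# per occurrence, i.e. an expected annual cost of $700,000.
RANSOMWARE = {"likelihood": 0.35, "impact": 2_000_000}

# Constructed response options. "Accept" leaves likelihood and impact
# unchanged; "avoid" removes the exposure but costs the most up front.
RESPONSES = [
    RiskResponse("Accept and monitor", "accept", 0, 0, 0.35, 2_000_000),
    RiskResponse("Immutable backups plus EDR rollout", "mitigate", 250_000, 80_000, 0.35, 300_000),
    RiskResponse("Cyber insurance (deductible and exclusions remain)", "transfer", 0, 150_000, 0.35, 500_000),
    RiskResponse("Retire the file servers, migrate to a managed service", "avoid", 900_000, 0, 0.0, 0),
]

if __name__ == "__main__":
    for horizon in (1, 3, 5):
        best = select_response(RESPONSES, years=horizon, **RANSOMWARE)
        final = project(best, years=horizon, **RANSOMWARE)[-1]
        print(f"{horizon}-year horizon: {best.name} ({best.kind}), net ${final['net']:,.2f}")
```

With these assumed numbers the answer changes with the horizon: over one year insurance wins because it has no project cost, over three years the mitigation project has paid for itself, and over five years the avoidance option with the largest up-front cost comes out ahead. That is the point of 3.1.5: a CBA that stops at year one systematically favours transfer and acceptance over projects, so fix the horizon (and, if you discount, the rate) with the business before comparing options. The inherent likelihood and impact come from the Risk Register; the residual figures are the assessor's judgement of what remains once the response is in place and should be recorded beside it in the Risk Event Action Plan.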
Step 3.2: Report IT Risk Priorities
Activities

This step involves the following participants:

Outcomes of this step
Monitor, Respond, and Report on IT Risk

Effectively deliver IT risk expertise to the business

3.2.1 Obtain executive approval for risk action plans
Best Practices and Key Benefits

Task:

3.2.2 Socialize the risk report
Create a succinct, impactful document that summarizes the outcomes of the risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

Encourage risk awareness to extend the benefits of risk management to every aspect of IT.

Benefits of risk awareness:

Consequences of low risk awareness:

Embedding risk management in the IT department is a full-time job
Take concrete steps to increase risk-aware decision making in IT. The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

Embedding risk management in the IT department is a full-time job (continued)
Encourage risk awareness by adjusting performance metrics and job titles.

Performance metrics: Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.

Info-Tech Insight
If risk management responsibilities are not built into performance assessments, it is less likely that IT personnel will invest time and energy in these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

Job descriptions: Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.

3.2.3 Transfer ownership of risk responses to project managers
Once risk responses have obtained approval and funding, it is time to transform them into fully fledged projects.

3.2.4 Finalize the Risk Management Program Manual
Go back through the Risk Management Program Manual and ensure that the material accurately reflects your approach to risk management going forward. Remember, the program manual is a living document that should evolve alongside your risk management program, reflecting best practices, knowledge, and experience accrued from your own assessments and from risk events you have experienced. The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.

“Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)

Don’t allow your risk management program to flatline
54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)

Don’t be lulled into a false sense of security. It might be your greatest risk.
So you’ve identified the most important IT risks and implemented projects to protect IT and the business. Unfortunately, your risk assessment is already outdated. Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation. To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”: Revive Your Risk Management Program With a Regular Health Check
Appendix I: Familiarize yourself with key risk terminology
Review important risk management terms and definitions.

Appendix II: Likelihood vs. Frequency
Why we measure likelihood, not frequency:
The basic formula Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure the likelihood term using frequency rather than likelihood. Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month). Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

False Objectivity
While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing on the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it. Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, it ought to possess a much higher degree of belief that the risk event will occur within the next year.

Likelihood is the more comprehensive measurement, because historical frequency can still be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency with which the event occurred in the past. Further, the frequency with which the event is expected to occur in the future can be captured in the expected impact value. For example, a risk event with an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.

Appendix III: Should max impacts sway decision making?
Leverage Info-Tech’s research on security and compliance risk to identify additional risk events
Research Contributors and Experts
*Plus 10 additional interviewees who wish to remain anonymous.