Risk Management Methods and Frameworks Part III

The Risk Management as a continuous process

Risk management is a continuous process. That is, identifying risks only once during a project is insufficient. The idea of "crossing off" a particular stage once it has been executed and never doing those activities again is incorrect. Though the five stages are represented in a particular serial order, they may need to be applied over and over again throughout a project, and their particular ordering may be interleaved in many different ways.

Risk management should be a continuous and developing process which runs throughout the organization’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organization’s activities past, present and in particular, future.

It must be integrated into the culture of the organization with an effective policy and a program led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organization with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

The Risk Management Frameworks

Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge. Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • The National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)
  • Threat Agent Risk Assessment (TARA)
  • ISO/IEC 27005
  • CCTA Risk Analysis Management & Methodology (CRAMM)
Here's a look at these key frameworks and some of their strengths and weaknesses, with emphasis on input from those who have used them in real-world settings. The information in clearly indicative and does not suggest that these frameworks are the only and best ones. In many cases people have also used hybrid of two and sometimes three of these frameworks to manage their risks. What makes that a valuable technique is the simultaneous use of qualitative and quantitative frameworks to leverage results to the best possible outcome.

0 Response to "Risk Management Methods and Frameworks Part III"

Post a Comment