Risk Management Framework

#1 Objective or Goal – Determine what needs to be done

#2 Identify Risks – What can go wrong (e.g. trending crimes, circulate a questionnaire, access complaints, claims, cases)

#3 Prioritize Risks – Rank risks in order of urgency (i.e. the likelihood of each occurring and its impact), evaluate the controls in place, and recommend how to mitigate those risks. Then the organization can focus its resources on 

#4 Control Activities – Actions, policies and procedures must be formulated (e.g. communication of policies and standards; training; preventative, corrective, effective, efficient and detective controls; accountability and assignment of responsibility)

#5 Monitor – Test and assess controls

#6 Information – Communication

Report; Risk Appetite; Management Directives

Risks are everywhere in our personal and business worlds; they are either inherent or residual, yet we cannot operate as we do without them. There are also many risk management frameworks and assessments, each based on a particular industry. This is a general, IT-based platform to get things started.

The types of risk events that could occur are endless, so an effective risk management plan that is assessed at least annually is what allows an organization to succeed, no matter how small it is. The reality is that the more prepared and organized an organization is for events, the faster its recovery; some industries are also required by regulatory authorities to have a risk management plan as part of their compliance programs.

CONTROL CLASSIFICATION

Preventative – Prevent loss or harm from occurring; provide checks and balances through segregation of responsibilities

Corrective – Restore the system or process to its state prior to the event

Detective – Identify instances where controls were not followed (after the fact)

***The following two measures are used to assess a control's actual success and usefulness***

Effective – Measures whether a control will provide an acceptable level of risk mitigation

(e.g. policies for door badging – not holding a secured entry door open for fellow employees; password resets – not resetting passwords as required)

Efficient – Measures the cost of a control's maintenance compared to the potential loss

Cost/benefit analysis: controls are structured to yield a positive return
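To make steps #2 and #3 and the Effective/Efficient measures concrete, here is an added example that is not part of the original article: a small Python risk register that ranks constructed sample risks by likelihood × impact (step #3) and then applies the cost/benefit test, checking whether each control's annual maintenance cost is below the loss it avoids. The 1–5 scales, the risks, the mitigation fractions and all dollar figures are assumptions made for illustration.

```python
"""Added example (not from the original article): a minimal risk register that
prioritizes risks by likelihood x impact and tests each control for efficiency
(cost of maintaining the control vs. the potential loss it mitigates).
All scales, risks and dollar figures below are assumed sample values."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int      # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int          # assumed scale: 1 (negligible) .. 5 (severe)
    annual_loss: float   # assumed expected loss per year if the risk materialises

    @property
    def score(self) -> int:
        """Priority score used in step #3: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    risk: str            # name of the Risk this control addresses
    annual_cost: float   # assumed yearly cost of maintaining the control
    mitigation: float    # assumed fraction (0..1) of the annual loss the control removes


def prioritize(risks):
    """Order risks by score, highest first; ties broken by impact (worst first)."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def control_benefit(control, risk):
    """Net annual benefit = loss avoided - cost of maintaining the control.
    A positive value means the control yields a positive return."""
    return risk.annual_loss * control.mitigation - control.annual_cost


def is_efficient(control, risk):
    """The article's Efficient test: maintenance cost below the potential loss avoided."""
    return control_benefit(control, risk) > 0


# Constructed sample register (hypothetical figures for illustration only).
RISKS = [
    Risk("Phishing leads to credential theft", likelihood=4, impact=4, annual_loss=120_000),
    Risk("Tailgating into server room", likelihood=2, impact=5, annual_loss=30_000),
    Risk("Unpatched web server exploited", likelihood=3, impact=5, annual_loss=200_000),
    Risk("Laptop lost in transit", likelihood=3, impact=2, annual_loss=8_000),
]

CONTROLS = [
    Control("Mandatory MFA", "Phishing leads to credential theft", annual_cost=25_000, mitigation=0.8),
    Control("24x7 guard at server room", "Tailgating into server room", annual_cost=90_000, mitigation=0.9),
    Control("Monthly patch cycle", "Unpatched web server exploited", annual_cost=40_000, mitigation=0.7),
    Control("Full-disk encryption", "Laptop lost in transit", annual_cost=2_000, mitigation=0.95),
]


def risk_by_name(name):
    """Look up a Risk in the register by its name."""
    return next(r for r in RISKS if r.name == name)


def report():
    """Return the prioritized risk list followed by an efficiency verdict per control."""
    lines = []
    for r in prioritize(RISKS):
        lines.append(f"{r.score:>2}  {r.name}")
    for c in CONTROLS:
        r = risk_by_name(c.risk)
        verdict = "efficient" if is_efficient(c, r) else "NOT efficient"
        lines.append(f"{c.name}: net {control_benefit(c, r):+,.0f}/yr -> {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With these sample numbers the phishing and unpatched-server risks rank first, and the guard control fails the efficiency test because its yearly cost exceeds the loss it would avoid, which is exactly the case the cost/benefit check is meant to expose.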

THREE MAIN TYPES OF CONTROLS

Administrative
• Laws
• Regulations
• Policies
• Practices
• Guidelines

Logical
• Virtual
• Application
• Technical controls
• System & software
o Firewalls
o Anti-virus software
o Encryption

Physical
• Keyed access
• Video surveillance
• Barricades
• Guards
• Monitoring

Vulnerabilities are simply defects, measured by identifying control deficiencies.

• Human error
• Black swan events
• Operational targets
o Industry leaders, specialized organizations, large data centers, governmental agencies, defense systems
• Global market
• Terrorists
• Crime

By Lisa Marie Waugh, MJ Corporate Intelligence Consultant. Please visit: lisamariewaugh.com