By N2H
Risk management
June 24, 2008
Provide information systems audit services in accordance with IS audit standards, guidelines and best practices, to help organizations know that their IT and business systems are protected and controlled.
Risk Management
A risk is the potential that a given threat will exploit vulnerabilities of a given asset to cause loss or damage. It can also be defined as “uncertainty that surrounds future events and outcomes”. Risk is anything that can impact the interests of stakeholders or the achievement of the organization’s objectives. The impact of a risk is weighed by the probability of the threat (its likelihood and frequency of occurrence). Threats can take the form of errors, malicious damage, malicious attack, fraud, theft, equipment failure or software failure.
Vulnerabilities include lack of user knowledge, use of untested technology, weak passwords, and transmission over unprotected communication channels.
Risk management therefore entails identifying risks to information resources and deciding on appropriate controls to reduce each risk to an acceptable level, based on the value of the information resources to the organization. There is also a management problem: achieving an effective balance between risks and controls.
The risk management process involves three steps: identify risks, evaluate controls, and manage risks, i.e. reduce the likelihood or impact of the risk, transfer the risk, avoid the risk, or accept it and live with it. Risk management is a systematic, logical process that allows the organization to take advantage of opportunities and minimize losses.
The steps involved in the risk management process include:
- Identify information resources.
- Identify threats.
- Evaluate vulnerabilities.
- Identify consequential impacts.
- Identify controls to prevent or reduce the likelihood of problems, detect problems and report their occurrence, or minimize impact.
- Evaluate controls.
- Determine and evaluate new or additional controls to further minimize risk.
- Prioritize risks.
- Identify and implement the controls that are most effective and efficient.
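The steps above can be worked through on a small risk register. The following is an added example, not code from the original post: it scores each risk as likelihood times impact, applies preventive controls to likelihood and detective or minimizing controls to impact, and prioritizes by residual risk against an acceptable level. The 1..5 scales, the risk appetite of 6 and the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Assumed scales (not from the article): likelihood and impact each 1..5,
# risk score = likelihood * impact, acceptable level (risk appetite) = 6.
RISK_APPETITE = 6

@dataclass
class Control:
    name: str
    kind: str       # "prevent" lowers likelihood; "detect"/"minimize" lowers impact
    reduction: int  # scale points removed from the affected factor

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (frequent)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        # Risk before any control is applied.
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Risk left after the listed controls; a factor never drops below 1.
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.kind == "prevent":
                lik = max(1, lik - c.reduction)
            else:
                imp = max(1, imp - c.reduction)
        return lik * imp

    def response(self) -> str:
        # Within appetite: accept. Otherwise treat (reduce further, transfer or avoid).
        return "accept" if self.residual() <= RISK_APPETITE else "treat"

def prioritize(register):
    # Highest residual risk first: these get control attention first.
    return sorted(register, key=lambda r: r.residual(), reverse=True)

# Constructed sample register using threats and vulnerabilities named in the article.
REGISTER = [
    Risk("customer database", "malicious attack", "weak passwords", 4, 5,
         [Control("password policy", "prevent", 2), Control("log review", "detect", 1)]),
    Risk("payroll server", "software failure", "use of untested technology", 3, 3,
         [Control("tested backups", "minimize", 2)]),
    Risk("email", "errors", "lack of user knowledge", 5, 2),
]
```

Running `prioritize(REGISTER)` puts the uncontrolled email risk first, showing that an asset with modest impact can still outrank a well-controlled high-impact one once residual rather than inherent risk is used.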
When doing risk management one should also consider risk within the audit process itself, so the audit planning guide should include a risk assessment in order to:
- Provide reasonable assurance that material items will be adequately covered during the audit work.
- Identify areas with a relatively high risk of material problems existing.
Components of enterprise risk management:
- Internal environment: the tone, philosophy and risk appetite of the organization, i.e. the risk it is willing to accept and live with.
- Objective setting: the objectives of the ERM.
- Event identification: internal and external events.
- Risk assessment: the likelihood and the impact of the risk.
- Risk response: reduce likelihood, transfer, avoid, treat.
- Control activities: policies and procedures to carry out risk responses.
- Information and communication: identifying the flow of information downwards, upwards and across the organization.
- Monitoring: ongoing management activities and modifications.