An Introduction To
Information, Network and Internet Security


Introduction to risk management

Risk management is a central part of any organisation's strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks.

Its objective is to add maximum sustainable value to all the activities of the organisation.

Whilst risk is usually thought of in negative or 'bad' terms ("it would be risky to jump out of a plane without a parachute"), it must be understood that risk also has a 'good' side, and this is usually called 'an opportunity'.

Proper risk management must understand the potential upside and downside of all those factors which can affect the organisation, especially in terms of information security.

Managing risk increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation's overall objectives. Risk management should be a continuous and developing process which runs throughout the organisation's strategy and the implementation of that strategy. It is not the 'fire and forget' exercise that many organisations undertake simply to 'prove' that they are complying with Turnbull (the UK guidance on internal control for listed companies) and are therefore managing risk.

Risk management should methodically quantify and address all the risks surrounding the organisation's activities past, present and in particular, future. It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected. There are many ways of achieving the objectives of risk management and it is impossible to cover all approaches in a single document. Typically, one uses one of the following models for risk management:

·         The corporate method;

·         The process with which the user is familiar;

·         The process best fitting the risk type or required outcome.

The risks facing an organisation and its operations can result from factors both external and internal to the organisation.

A sample of some of these risks is given in Appendix B.



The Security Practitioner

An Introduction to Information Security