IDENTIFYING AND IMPLEMENTING AN EFFECTIVE RISK MANAGEMENT PROGRAMME

Risk is the combination of the probability of an event and its consequence. ISO 31000:2009 – Risk Management Principles and Guidelines calls risk “the effect of uncertainty on objectives. An effect is a deviation from the expected—positive and/or negative”.

Risk is viewed as a challenge to achieving business objectives, and risk management as a process undertaken to predict challenges and lower their chances of occurring and their impact. Effective risk management can also assist in maximising enterprise opportunities.

Risk management – context

Risk management begins with understanding the organisation, its environment and the context in which it operates. Assessing an organisation’s context includes evaluating the intent and capability of threats, the relative value of assets or resources and the trust that must be placed in them, and the presence and extent of vulnerabilities that might be exploited to intercept, interrupt, modify or fabricate data in information assets.

Other notable factors include:

(i) the dependency of the organisation on a supply chain, especially one based in another geographic region of the world or reliant upon just-in-time delivery;
(ii) the influences of financing, debt and partners or substantial stakeholders;
(iii) vulnerability to changes in economic or political conditions;
(iv) changes to market trends and patterns;
(v) the emergence of new competition;
(vi) the impact of new legislation;
(vii) the existence of potential natural disasters;
(viii) constraints caused by legacy systems and antiquated technology; and
(ix) strained labour relations and inflexible management.

Jan-Mar 2022 Issue

ISACA