
2.2 Risk Management Methodology

As stated earlier, risk management encompasses three processes: risk assessment, risk mitigation, and risk
monitoring (evaluation).

(a) Risk Assessment

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment
to determine the extent of the potential threat and the risk associated with a process or system. The output of
the process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation
process. Major activities in the risk assessment process include vulnerability identification, threat
identification, control analysis, impact analysis, risk determination, and control recommendations.

(b) Risk Mitigation

Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing
appropriate risk-reducing controls recommended from the risk assessment process. Because the elimination
of all risk is usually impractical or close to impossible, it is the responsibility of senior management and
functional and business managers to use the least-cost approach and implement the most appropriate
controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s
resources and mission.

(i) Risk Mitigation Options

Risk mitigation is a systematic methodology used by senior management to reduce organization risks. Risk
mitigation can be achieved through any one or combination of the following risk mitigation options:

• Risk rejection or risk ignorance. This option is not a wise choice; all major risks must be managed.
• Risk assumption (acceptance). This option involves recognizing a risk and its potential consequences,
accepting that risk, and continuing to operate the system or process. It is usually chosen when no alternative
mitigation strategy is more cost-effective or feasible, and it is bounded by the organization's risk tolerance
and risk appetite. At some point management must decide whether the operation, function, or system is
acceptable, given the kind and severity of the remaining risks. Risk acceptance is linked to the selection of
safeguards: in some cases a risk has to be accepted because the safeguards (countermeasures) are too expensive
(in either monetary or nonmonetary terms).
Merely selecting safeguards does not reduce risk; those safeguards have to be implemented effectively.
Moreover, to remain effective, risk management must be an ongoing process of periodic assessment and
improvement of safeguards and reanalysis of risks.
• Risk avoidance. This option avoids the risk by eliminating the cause and/or consequence of the risk
(e.g., add controls that prevent the risk from occurring, remove certain system functions, or shut down
the system when risks are identified). Risk avoidance is appropriate when it is possible to reduce either
the severity or the frequency of a risk.
• Risk reduction (limitation). This option limits the risk by implementing controls that minimize the
adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, and
detective controls) or by authorizing operation for a limited time during which additional risk
mitigation by other means is put into place. It is called risk reduction because it also affords an
opportunity to decrease the likelihood that a risk will occur.
• Risk transfer. This option transfers the risk by using other ways to compensate for the loss, such as
purchasing insurance or coinsurance, or outsourcing to another person or organization that can manage
the risk better. Risk transfer is appropriate for a risk with a low expected frequency and a high potential
severity. Transferring a risk does not transfer accountability for it: the organization still answers to its
customers and regulators for the outcome, so transferred risks must still be monitored. Risk protection is
insurance against certain events; it means arranging additional or alternate resources that the project can
fall back on should the scheduled resource(s) fail.
• Risk contingency. This option involves proper planning to define the necessary steps to be taken if an
identified risk event should occur.
• Risk compliance. This option involves complying with all applicable laws and regulations in a timely and
proper manner in order to reduce compliance risk.

(ii) Residual Risk

Organizations can analyze the extent of the risk reduction generated by new or enhanced controls in terms of
the reduced threat likelihood or impact. The risk remaining after the implementation of new or enhanced
controls is the residual risk. Practically no system or process is risk free, and not all implemented controls can
eliminate the risk they are intended to address or reduce the risk level to zero.

Several equations are available to express residual risks:

Residual risks = Total risks − Mitigated risks

Residual risks = Potential risks − Covered risks

Residual risks = Total risks − Control measures applied

Residual risks = Potential risks − Countermeasures applied

Residual risks = Uncovered or Unaddressed risks

Implementation of new or enhanced controls can mitigate risk by:

• Eliminating some of the system's vulnerabilities (flaws and weaknesses), thereby reducing the number
of possible threat source/vulnerability pairs.
• Adding a targeted control to reduce the capacity and motivation of a threat source (e.g., if technical
controls are expensive, then consider administrative and physical controls).
• Reducing the magnitude of the adverse impact (e.g., limiting the extent of a vulnerability or modifying
the nature of the relationship between the information technology [IT] system and the organization's
mission).

If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated
to identify a way of lowering the residual risk to an acceptable level.
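A worked residual-risk computation, added here as an example and not part of the original text. It assumes ordinal 1-to-5 scales for likelihood and impact, scores each threat-source/vulnerability pair as likelihood × impact, and applies the three mitigation effects listed above: a control can eliminate a vulnerability (removing its pairs), cut a pair's likelihood, or cut its impact. The inventory, the controls, and the per-pair acceptance threshold are constructed for illustration; the totals satisfy "Residual risks = Total risks − Mitigated risks", and any pair still above the threshold is the signal to repeat the cycle.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed ordinal scales (illustration only): 1 = low ... 5 = high.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed acceptance threshold: a pair scoring above this needs another cycle.
ACCEPTABLE_PAIR_SCORE = 4


@dataclass(frozen=True)
class RiskPair:
    """One threat source / vulnerability pair with its rated likelihood and impact."""
    threat_source: str
    vulnerability: str
    likelihood: int
    impact: int

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    """A safeguard and its modelled effect on the pairs it touches."""
    name: str
    eliminates: Set[str] = field(default_factory=set)        # vulnerabilities removed outright
    likelihood_cut: Dict[str, int] = field(default_factory=dict)  # vulnerability -> likelihood points removed
    impact_cut: Dict[str, int] = field(default_factory=dict)      # vulnerability -> impact points removed


def clamp(value: int) -> int:
    # A control that only reduces likelihood or impact cannot drive a live pair to
    # zero; only eliminating the vulnerability removes the pair entirely.
    return max(SCALE_MIN, min(SCALE_MAX, value))


def apply_controls(pairs: List[RiskPair], controls: List[Control]) -> List[RiskPair]:
    """Return the residual pairs after every control has been applied."""
    residual = []
    for p in pairs:
        if any(p.vulnerability in c.eliminates for c in controls):
            continue  # vulnerability removed, so the pair no longer exists
        lik = p.likelihood - sum(c.likelihood_cut.get(p.vulnerability, 0) for c in controls)
        imp = p.impact - sum(c.impact_cut.get(p.vulnerability, 0) for c in controls)
        residual.append(RiskPair(p.threat_source, p.vulnerability, clamp(lik), clamp(imp)))
    return residual


def total_risk(pairs: List[RiskPair]) -> int:
    return sum(p.score() for p in pairs)


def residual_risk(pairs: List[RiskPair], controls: List[Control]) -> Tuple[int, int, List[RiskPair]]:
    """Return (total risk, mitigated risk, residual pairs); total - mitigated == residual total."""
    before = total_risk(pairs)
    residual = apply_controls(pairs, controls)
    return before, before - total_risk(residual), residual


def above_threshold(pairs: List[RiskPair], threshold: int = ACCEPTABLE_PAIR_SCORE) -> List[RiskPair]:
    """Pairs whose residual score is still unacceptable, i.e. the cycle must be repeated for them."""
    return [p for p in pairs if p.score() > threshold]


# Constructed sample inventory (hypothetical ratings, not measured data).
INVENTORY = [
    RiskPair("external attacker", "unpatched web server", likelihood=4, impact=5),   # 20
    RiskPair("external attacker", "weak admin password", likelihood=4, impact=4),    # 16
    RiskPair("insider", "excessive database privileges", likelihood=2, impact=5),    # 10
    RiskPair("flood", "datacenter in floodplain", likelihood=1, impact=5),           # 5
]

# Constructed controls mapped onto the three mitigation effects in the text.
CONTROLS = [
    Control("patch management", eliminates={"unpatched web server"}),            # removes the pair
    Control("multi-factor authentication", likelihood_cut={"weak admin password": 3}),  # cuts likelihood
    Control("least-privilege database roles", impact_cut={"excessive database privileges": 3}),  # cuts impact
]

if __name__ == "__main__":
    total, mitigated, residual = residual_risk(INVENTORY, CONTROLS)
    print(f"total={total} mitigated={mitigated} residual={total_risk(residual)}")
    for p in above_threshold(residual):
        print(f"still above threshold: {p.threat_source} / {p.vulnerability} = {p.score()}")
```

With the sample data the total risk of 51 is reduced by 38 to a residual of 13. Three pairs fall to 4 or are removed, but the flood pair (1 × 5 = 5) has no technical control applied and remains above the threshold, so the cycle repeats for it; since it is low-frequency and high-severity, the text's guidance points to risk transfer (insurance) or a documented acceptance rather than a further technical control.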

(c) Risk Monitoring

Risk monitoring or risk evaluation, the third and final process of risk management, is a continual evaluation
process since change is constant in most organizations. Possible changes include:

• New businesses are acquired.
• New products are introduced.
• New services are provided.
• Networks are updated and expanded.
• Network components are added or removed.
• Applications software is replaced or updated with newer versions.
• Personnel changes are made.
• Security policies are updated.
These changes mean that new risks will surface and risks previously mitigated may again become a concern.
Thus, the risk monitoring process is on-going and evolving.
