1.7 Method of Risk Identification
Risk practitioners can draw on the following sources to identify risk:
Review of past audit reports
Review of incident reports
Review of public media articles and press releases
Systematic approaches such as vulnerability assessments, penetration tests, review of BCP and DRP documents, interviews with senior management and process owners, and scenario analysis.
All identified risks should be recorded in the risk register, with details such as description, category, probability, impact, risk owner and the source from which the risk was identified.
In fact, maintenance of the risk register begins with the risk identification process.
The primary objective of the risk identification process is to recognize the organization's assets, threats, vulnerabilities and existing controls, and the consequences that would follow if a threat were realized.
Risk Identification Process
The risk identification process consists of the following steps:
Step 1-Identify Assets
Step 2-Identify Threats
Step 3-Identify existing controls
Step 4-Identify vulnerabilities
Step 5-Identify consequences
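The following is an added example, not part of the original study guide, showing how the five steps above map onto a risk register entry and how register maintenance can enforce the details listed earlier (category, probability, impact, risk owner). The field names, the 1-5 probability and impact scales, the category vocabulary and the sample entries are all assumptions made for illustration.

```python
"""Minimal risk register that mirrors the five risk identification steps.

Added example for illustration; not from the original page. Scales,
field names, categories and the sample entries below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed category vocabulary for the register.
CATEGORIES = {"strategic", "operational", "compliance", "technology"}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    source: str                 # where the risk was identified (audit, incident, pentest, interview ...)
    asset: str                  # Step 1 - Identify assets
    threat: str                 # Step 2 - Identify threats
    existing_controls: List[str] = field(default_factory=list)  # Step 3 - Identify existing controls
    vulnerability: str = ""     # Step 4 - Identify vulnerabilities
    consequence: str = ""       # Step 5 - Identify consequences
    probability: int = 1        # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int = 1             # assumed scale: 1 (negligible) .. 5 (severe)
    risk_owner: str = ""

    def rating(self) -> int:
        """Simple probability x impact score used to rank the register."""
        return self.probability * self.impact


def validate(entry: RiskEntry) -> List[str]:
    """Return a list of problems that would keep the entry out of the register."""
    problems = []
    if entry.category not in CATEGORIES:
        problems.append(f"unknown category '{entry.category}'")
    if not 1 <= entry.probability <= 5:
        problems.append(f"probability {entry.probability} outside 1..5")
    if not 1 <= entry.impact <= 5:
        problems.append(f"impact {entry.impact} outside 1..5")
    if not entry.risk_owner.strip():
        problems.append("no risk owner assigned")
    # Every step of the identification process should leave a trace in the entry.
    for step_field in ("asset", "threat", "vulnerability", "consequence"):
        if not getattr(entry, step_field).strip():
            problems.append(f"missing {step_field}")
    return problems


def build_register(entries: List[RiskEntry]) -> Tuple[List[RiskEntry], Dict[str, List[str]]]:
    """Split entries into an accepted register (ranked by rating, highest first)
    and a map of rejected risk IDs to their validation problems."""
    accepted, rejected = [], {}
    for e in entries:
        problems = validate(e)
        if problems:
            rejected[e.risk_id] = problems
        else:
            accepted.append(e)
    accepted.sort(key=lambda e: e.rating(), reverse=True)
    return accepted, rejected


# Constructed sample entries (not real findings).
SAMPLE_ENTRIES = [
    RiskEntry("R-001", "Breach of customer database", "technology", "penetration test",
              asset="customer database", threat="external attacker",
              existing_controls=["perimeter firewall"], vulnerability="unpatched database server",
              consequence="data breach and regulatory fines", probability=4, impact=5,
              risk_owner="Head of IT Operations"),
    RiskEntry("R-002", "Payroll fraud by insider", "operational", "past audit report",
              asset="payroll process", threat="insider fraud",
              existing_controls=["dual authorization of payments"],
              vulnerability="shared administrator credentials",
              consequence="financial loss", probability=2, impact=4,
              risk_owner="Finance Director"),
    # Deliberately incomplete: no owner, probability off the scale.
    RiskEntry("R-003", "Data centre flooding", "operational", "scenario analysis",
              asset="primary data centre", threat="flooding",
              vulnerability="no alternate processing site",
              consequence="extended outage", probability=6, impact=5, risk_owner=""),
]


if __name__ == "__main__":
    register, rejects = build_register(SAMPLE_ENTRIES)
    for e in register:
        print(f"{e.risk_id} rating={e.rating():2d} owner={e.risk_owner} ({e.source})")
    for rid, problems in rejects.items():
        print(f"{rid} rejected: {'; '.join(problems)}")
```

The validation step is the practical point: an entry that lacks an owner or skips one of the five identification steps is not a usable register item, and rejecting it at entry time is cheaper than discovering the gap during risk response.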
Conducting Interviews
The following are good practices for using the interview technique to identify risk:
Risk practitioners should ensure that the staff being interviewed have sufficient authority and knowledge of the process.
To the extent possible, risk practitioners should study the business process before the interview. This helps the interview run smoothly and lets the practitioner concentrate on areas of concern.
Interview questions should be prepared in advance and shared with the interviewee, so that they come prepared and bring any supporting documentation, reports or data that may be needed.
Risk practitioners should obtain and review relevant documentation such as SOPs, reports and other records that support the interviewee's statements, rather than relying on the statements alone.
Risk practitioners should encourage interviewees to be open about various risk scenarios.
Delphi Technique
Many organizations use the Delphi technique, in which polling or information gathering is done anonymously, or privately between the facilitator and each respondent, typically over several rounds with the summarized results fed back to the participants. Because responses are not attributed, participants can state their views and revise them without peer or management pressure.
Key aspects from CRISC exam perspective