2.6 Risk and Control Analysis
- Risk assessment is conducted by evaluating the current state of risk against the desired level. It also takes into consideration the effectiveness of existing controls.
- The main objective of risk assessment is to identify all areas where the current level of risk exceeds the acceptable level and to use this information to decide the risk response.
- Risk appetite is the level of risk an organization is willing to take to achieve its business objectives. The organization's risk appetite helps determine the desired state of IT risk.
- Two important factors for determining risk appetite are the management culture and the predisposition toward risk taking.
- When risk appetite is aligned with business objectives, the organization can allot more resources to areas where risk tolerance is low. For example, if risk appetite is low for one business objective and high for another, the risk practitioner will allot more resources to monitoring the business objective with the low risk appetite.
- If residual risk is within the acceptable level, management can take comfort. If residual risk is higher than the acceptable level, management must decide whether to accept the risk or apply more controls to bring the residual risk down.
- Risk analysis is the ranking of risks on the basis of their impact on business processes. Risks with high impact are ranked higher and given priority; more resources are allocated to high-risk areas.
- Risk analysis results help prioritize risk responses and allocate resources.
- The most important concern with data analysis is to ensure the completeness and trustworthiness of the data.
- The table below lists some of the methods for data analysis:

| Method | Description |
|---|---|
| Cause and Effect Analysis | Used for both predictive and diagnostic analysis. It identifies the root cause of an outcome and so helps determine the potential risk. The Ishikawa (fishbone) diagram is a typical form of cause-and-effect analysis. |
| Fault Tree Analysis | Analysis of all possible events that can make the project fail. The most serious event is treated as the top-level event. |
| Sensitivity Analysis | A quantitative risk analysis method used to evaluate the impact of each risk event. Results are displayed in the form of a tornado diagram. |
| Threat and Misuse Case Modelling | |
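As an added illustration of the ideas above (current versus desired state of risk, residual risk compared with an acceptable level, ranking risks by exposure, and a sensitivity analysis whose output is ordered for a tornado diagram), the following Python is example code written for this page, not part of the original notes or of any CRISC material. The risk register entries, the exposure formula (likelihood × impact × (1 − control effectiveness)), the factor ranges and the acceptable-exposure threshold are all constructed assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    """One entry from a constructed risk register (assumed fields)."""
    name: str
    likelihood: float             # expected occurrences per year
    impact: float                 # loss per occurrence, in currency units
    control_effectiveness: float  # share of exposure removed by existing controls, 0.0-1.0


def inherent_exposure(ev: RiskEvent) -> float:
    """Annualised exposure before existing controls are considered."""
    return ev.likelihood * ev.impact


def residual_exposure(ev: RiskEvent) -> float:
    """Exposure that remains after existing controls: the current state of risk."""
    return inherent_exposure(ev) * (1.0 - ev.control_effectiveness)


def rank_risks(events, acceptable_exposure):
    """Rank events by residual exposure, highest first, and flag those whose
    residual exposure exceeds the acceptable level (the desired state that
    follows from risk appetite). Flagged rows are the ones needing a response."""
    rows = []
    for ev in events:
        residual = residual_exposure(ev)
        rows.append({"name": ev.name, "residual": residual,
                     "exceeds_acceptable": residual > acceptable_exposure})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def tornado(ev, ranges):
    """One-factor-at-a-time sensitivity analysis. `ranges` maps a RiskEvent
    field name to (low, high). Each factor is swung across its range with the
    other factors held at their base values; the result is sorted by swing so
    it plots directly as a tornado diagram (widest bar on top)."""
    bars = []
    for field, (low, high) in ranges.items():
        at_low = residual_exposure(replace(ev, **{field: low}))
        at_high = residual_exposure(replace(ev, **{field: high}))
        bars.append({"factor": field, "at_low": at_low, "at_high": at_high,
                     "swing": abs(at_high - at_low)})
    return sorted(bars, key=lambda b: b["swing"], reverse=True)


# Constructed sample register; the numbers are illustrative only.
REGISTER = [
    RiskEvent("Ransomware on file server", 0.5, 200_000, 0.6),
    RiskEvent("Lost unencrypted laptop", 2.0, 15_000, 0.8),
    RiskEvent("Public cloud storage misconfiguration", 0.2, 500_000, 0.5),
]
ACCEPTABLE_EXPOSURE = 25_000  # assumed annualised loss the organisation will tolerate

# Assumed low/high ranges for the sensitivity run on the first register entry.
RANSOMWARE_RANGES = {
    "likelihood": (0.2, 1.0),
    "impact": (100_000, 400_000),
    "control_effectiveness": (0.4, 0.8),
}

if __name__ == "__main__":
    for row in rank_risks(REGISTER, ACCEPTABLE_EXPOSURE):
        flag = "response needed" if row["exceeds_acceptable"] else "within appetite"
        print(f"{row['name']:<40} {row['residual']:>10,.0f}  {flag}")
    print()
    for bar in tornado(REGISTER[0], RANSOMWARE_RANGES):
        print(f"{bar['factor']:<22} low={bar['at_low']:>9,.0f} "
              f"high={bar['at_high']:>9,.0f} swing={bar['swing']:>9,.0f}")
```

The ranking answers the first exam question of this section (where does current risk exceed the acceptable level?), while the tornado output shows which single input most moves the residual exposure and therefore where a control or a better estimate buys the most.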
Root Cause Analysis
- It is important to conduct a root cause analysis to determine the factors leading to an event rather than just addressing the symptoms of the problem.
- A pre-mortem is a type of root cause analysis in which it is pretended that a project has failed and the group is asked to deliberate on why it failed. It provides significant insight and perspective on risk.
- The risk practitioner can use root cause analysis as a means of identifying related events that have a significant impact on business processes but cannot be traced to a single common cause. In such a case it is important to address all of the events or problems.
- The objective of a gap analysis is to identify the gap between the current level of control and the desired level of control. This gap is also known as a control deficiency.
- The risk practitioner first analyzes the organization's desired state of risk management and then determines the current state of risk management affairs. This helps identify the gaps, and the practitioner should recommend actions to close them.
- Gap analysis is used iteratively to monitor project deliverables and milestones. Key performance goals are treated as the desired level and compared with the actual level. This helps execute projects in a timely and logical manner.
- The risk practitioner should use tools and techniques to predict risk events. He should look for risk factors that have little impact if they occur individually but can lead to a major outage if they occur simultaneously.
- Also, risks have a cascading effect, where a minor issue may indicate a serious event in the future.
- A risk practitioner should be able to evaluate and determine the possibility of recurrence of past incidents. It is very important to learn from past incidents.
Key aspects from CRISC exam perspective

| Question | Possible answer |
|---|---|
| of alignment of risk appetite with business objective | Monitor the area with low risk tolerance |
| with risk appetite is determined by | Residual risk and acceptable risk |
| of risk appetite is best determined by | Culture and predisposition toward risk taking |
| way to determine control deficiencies | Gap Analysis (gap analysis is used to determine the gap between the desired level of control and the actual level of control) |
| of risk analysis | Prioritize risk response |
| Resources for risk response should be allotted on the basis of | |