Skip to main content

2.6 Risk and Control Analysis

2.6 Risk and Control Analysis

Risk Assessment

  • Risk assessment is conducted by evaluating the current state of risk as against the desired level. It also takes into consideration the effectiveness of existing control.

  • Main objective of risk assessment is to identify all the areas where current level of risk exceeds the acceptable risk level and use this information for deciding the risk response.

Risk Appetite

  • Risk appetite is the level of risk that an organization is willing to take to achieve the business objectives. Risk appetite of the organization will help to determine the desired state of IT risk.

  • Two important factors for determining the risk appetite is: the management culture and the predisposition toward risk taking.

  • When risk appetite is aligned with business objective, organization can allot more resource to the areas where risk tolerance is low. For example, for one business objective risk appetite is low while for other business objective risk appetite is high. In this case, risk practitioner will allot more resources to monitor business objective where risk appetite is low. 

  • If residual risk is within the acceptable risk, it provides comfort for management. If residual risk is higher than acceptable risk, management can decide whether to accept the risk or apply more controls to bring down the residual risk.

Risk Analysis

  • Risk analysis is ranking of risk on the basis of its impact on business process. Risk with high impact is ranked higher and given priority to address the same. More resources are allocated to high risk area. 

  • Risk analysis results helps for prioritization of risk responses and the allocation of resources.

Data Analysis

  • Most important concern with data analysis is to ensure completeness and trustworthiness of the data. 

  • Below table indicates some of the methods for data analysis:

Cause and Effect Analysis
·         Cause-and-effect analysis is used for both prediction as well as diagnostic analysis.
·         It is used to identify the root cause for outcome and thus helps to determine the potential risk.
·         A typical form is the Ishikawa diagram or fishbone diagram is one of the examples of cause and effect analysis.
Fault tree analysis
·         Fault tree is the analysis of all possible events that can make the project a failure.
·         Most serious event is considered as top-level event.
Sensitivity analysis
·         Sensitivity analysis is quantitative risk analysis method to evaluate the impact of each risk event.
·         Results are displayed in form of a tornado diagram.

·         Risk practitioner should be careful to understand any emerging trend from the data analytics. This can be done only when normal trends are available and documented. 

Threat and Misuse Case Modelling

·         In threat modelling, a risk practitioner uses the same methods and techniques used by a hacker or intruder to perpetrate an attack. These techniques include both technical as well as non-technical. An example of this is the “ping of death” attack.

·         Purpose of threat modelling is to design adequate controls to address all the possible threats. 

·        Objective of threat modelling is to build defense in depth system controls to prevent system from being compromised.

·         In misuse case modelling, analysis is done for major errors, mistakes and events that can impact the functionality of the system. Objective of misuse case modelling is to ensure that a system is resilient enough to withstand the errors and misuse.

·       Attacker can misuse the functionality of internet control message protocol (ICMP) or network time protocol (NTP) or Domain Name System (DNS) services to attack and take control of the system. For example, an attacker can change the size of ICMP packet to disable the target system.  

Root Cause Analysis

  • It is important to conduct a root cause to determine the factors leading to the event rather than just addressing the symptoms of the problem.

  • Pre-mortem is a type or root cause analysis in which it is pretended that a project has failed and group is asked to deliberate and discuss why it has failed. It then provides significant insight and perspectives on risk.

  • The risk practitioner can use root cause analysis as a means of identifying related event which have significant impact on business processes and which cannot be traced to a single common cause. In such case it is important to address all the events or problems.

Gap Analysis

  • Objective of a gap analysis is to identify the gap between current level of control as against desired level of control. This gap is also known as control deficiencies. 

  • Risk practitioner first analyze the desired state of risk management requirement of the organization and then determine the current condition of risk management affairs. This helps him to identify the gaps. He should recommend the actions to close the gaps. 

  • Gap analysis is used in iteration to monitor the project deliverables and milestone. Key performance goals are considered as desired level and this is compared with actual level. This helps to execute projects in a timely and logical manner.

Predicting Risk

  • Risk practitioner should use tools and techniques to predict the risk events. He should look for risk factors which do not have much impact if occurred individually but can lead to major outage if they occur simultaneously.

  • Also, risks have cascading effect where a minor issue may indicate a serious event if future.

  • A risk practitioner should able to evaluate and determine the possibility of re-occurrence of past incidents. It is very important to learn from the past incidents.

Key aspects from CRISC exam perspective

CRISC Question

Possible Answer

Advantage of alignment of risk appetite with business objective 

To monitor the area with low risk tolerance 

Compliance with risk appetite is determined by

Residual risk and acceptable risk

Level of risk appetite is best determined by

Culture and predisposition toward risk taking

Best way to determine control deficiencies

Gap Analysis (Gap analysis is used to determine the gap between desired level of control and actual level of control)

Objective of risk analysis

To prioritize risk response 

Resources for risk response should be allotted on the basis of

Risk analysis results

Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates