What is the purpose of Risk Management?


Risk assessments should be conducted by teams that involve both functional managers and information technology administrators. As business operations, workflows, or technologies change, periodic reviews must be conducted to analyze these changes, and the new threats and vulnerabilities produced by these changes must be determined. Comprehensive testing of the effectiveness of existing controls is also needed.

The objective of a risk assessment is to help management create appropriate strategies and controls for managing information assets. The basic goal of risk assessment should always be to deal with those elements of decision making that are uncertain.

If the results of actions or decisions are completely certain in terms of what will happen, when, and to what extent and of what nature, then there is little need to assess the risks; they can simply be handled and the results monitored. Decision makers need to understand where uncertainty lies and how it is best treated and handled.

Risk assessment should be multidisciplinary and hence transparent and understood by all involved and interested parties through their inclusion and participation in the process. This indicates the need for reflection, at the beginning of the risk assessment, on who must be included in the risk assessment process. Risk assessment is generally not a one-man show; multiple parties are involved.

For example, the executive party (the team that generally performs the risk assessment), the manager or organization that takes decisions based on the risk assessment, and the parties affected by those decisions. Good communication between these parties is essential to the risk assessment process.

Moreover, risk assessment consists of multiple tasks for which several types of expertise are essential. Hence, risk assessment requires multidisciplinary involvement and consideration throughout the process.

Appropriate processes for peer review and public participation should be used in the procedure of preparing the risk assessment. These processes will contribute to the scientific objectivity, transparency, and acceptance of the conclusions.

Peer review can involve issuing a draft risk assessment document and considering the comments received on that draft; issuing a “response-to-comment” file that summarizes the essential comments received and the risk assessor’s responses to those comments; and supporting with a rationale why the risk assessor has not adopted the position recommended by a commenter.

Involvement also ensures that their views are properly defined and taken into account. It is especially important that the risk elements used adequately reflect the perceptions and views of the relevant interested parties, because risk evaluation should determine what level of risk is acceptable to them and where and when further treatment is needed.

As expected, during risk identification the involvement of a representative group with a broad and diverse experience base always provides the most comprehensive analysis. Lastly, those held accountable for monitoring the control measures benefit greatly from involvement in the risk assessment that led to those controls.

raja
Updated on 03-Mar-2022 10:28:57
