Risk Management: Some Principles and Procedures
Risk management is increasingly important in today's highly regulated workplace. Although viewed by many as a complex art, in fact it is based on a few common-sense principles.
Risk management is a key business process nowadays, when regulatory requirements place major compliance burdens on many business sectors, and when directors must be able to show that they have undertaken due diligence as regards all business risks.
Many people view risk management as a complex and confusing specialism. However, the management of risk is based on a few common-sense principles that are quite straightforward. To begin with, managing risks constitutes the final stage of a risk-based methodology, as follows:
Identify all relevant assets and their values.
Conduct a risk assessment for the assets, in terms of their vulnerabilities, the potential threats (with probabilities), and the impact on the business if the threats were to materialise.
The result will be a risk matrix, with each risk quantified, and its probability estimated.
Decide on the organisation's risk appetite. The risk management phase then follows.
When deciding how to manage the risks identified, the first decision is a very basic one. There are four possible types of risk management, as follows:
Ignore the risk: If the risk is within the organisation's risk appetite, then nothing needs to be done. This may not appear to be "managing" the risk, but in fact the manager will make a note of the risk, and will periodically revisit it as part of the ongoing security improvement cycle, so that it may be upgraded if necessary.
Transfer the risk: If the risk is above the threshold of the organisation's risk appetite, but is readily insurable, then the easiest treatment might be to insure against the risk with an appropriate company. However, this solution has the downside that, if a threat materialises, the organisation may still have to spend time and money dealing with the situation and restoring its business systems.
Avoid the risk: It may be possible to amend the organisation's business processes and/or equipment so that the risk no longer exists. This, however, is the least likely outcome.
Treat the risk: This is the most common type of risk management, adopting various security measures such as application and penetration testing.
The purpose of risk treatment is to accomplish one or more of the following risk management goals:
Prevent the threat from materialising in the first place, or at least decrease the probability.
If nevertheless the threat occurs, then mitigate the impact of that threat on the business.
If the threat occurs and has a large impact, then minimise the resources needed to recover from the situation.
If a risk is to be treated, then the security controls can take many forms, involving one or more of the following:
People: Staff need to be trained in their security-related duties.
Processes: Security procedures need to be created and communicated to staff.
Technology: Necessary equipment and software should be installed in advance of any adverse event.
The above principles of risk management and risk treatment are not particularly complex. It is the process of implementing these principles that can cause difficulties. However, in essence, the art of risk management is nothing more than codified common sense.