
Risk management defined

by Maureen Cutajar

Created on: January 13, 2010

According to the ISACA CISA Review Manual "Risk Management is the process of identifying vulnerabilities and threats to the information resources used by an organisation in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organisation".

Defining Risk

A risk is the possibility of an event that can occur at any time. If the event is unanticipated it can have a disastrous effect; if it is anticipated, the risk can be managed and its impact reduced.

Managing Risk

Risk Management includes the analysis of future or impending issues, which means preparing for the threats that lie ahead. Managing risk starts with distinguishing three related concepts that are often confused:

- Risk: the likelihood that something bad will happen and cause harm to an information asset

- Vulnerability: a weakness that a threat could use to endanger or harm an information asset

- Threat: anything, whether man-made or an act of nature, with the potential to cause harm

A risk arises when there is some likelihood that a threat will exploit a vulnerability to cause harm. The impact of a realised risk is a loss of confidentiality, integrity, or availability of information.

Effective Risk Management

Risk assessment and risk management form an ongoing, iterative process that must be repeated as new threats and vulnerabilities emerge. The principal goal of an effective risk management process is to protect the organisation and its ability to perform its mission.

The countermeasures chosen to manage a risk must balance their cost, their effect on productivity, and their effectiveness against the value of the information asset being protected; a control that costs more than the loss it prevents is not justified.
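As an added illustration (not from the article or the CISA Review Manual), the following Python risk register puts the definitions above and the countermeasure trade-off into code. The scoring model (risk = asset value x impact fraction x annual likelihood), the rule that a countermeasure is only worth taking when its annual cost is below the risk it removes, and every asset, threat, and cost figure are assumptions constructed for this example.

```python
"""Added example: a minimal quantitative risk register in the article's terms.

Assumed model (not stated on the page):
  annualised risk = asset value * impact fraction * annual likelihood
A countermeasure is worth taking only while residual risk is above the
acceptable level AND the control costs less than the risk it removes.
All assets, threats and figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # value of the information resource to the organisation (currency units)


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerability: str        # the weakness the threat would use
    annual_likelihood: float  # probability per year that the threat uses the vulnerability
    impact: float             # fraction of asset value lost (confidentiality, integrity or availability)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of the remaining likelihood it removes, 0.0..1.0


def annualised_risk(asset: Asset, likelihood: float, impact: float) -> float:
    """Assumed scoring model: risk = asset value x impact fraction x annual likelihood."""
    return asset.value * impact * likelihood


def select_countermeasures(asset: Asset, threat: Threat, candidates, acceptable_risk: float) -> dict:
    """Greedy selection: repeatedly take the candidate that removes the most risk per
    unit of cost, but only while (a) residual risk is still above the acceptable level
    and (b) the candidate costs less than the risk it removes ("countermeasures, if any").
    Returns the chosen controls, the residual annualised risk and whether it is acceptable."""
    likelihood = threat.annual_likelihood
    remaining = list(candidates)
    chosen = []
    while True:
        residual = annualised_risk(asset, likelihood, threat.impact)
        if residual <= acceptable_risk:
            break
        # Cost-justified candidates only: the risk a control removes must exceed its cost.
        justified = [
            (c, residual * c.likelihood_reduction)
            for c in remaining
            if residual * c.likelihood_reduction > c.annual_cost
        ]
        if not justified:
            break  # nothing left is worth its cost: accept the residual or escalate the decision
        best, _removed = max(justified, key=lambda pair: pair[1] / pair[0].annual_cost)
        chosen.append(best.name)
        remaining.remove(best)
        likelihood *= 1.0 - best.likelihood_reduction
    return {
        "chosen": chosen,
        "residual_risk": residual,
        "within_acceptable": residual <= acceptable_risk,
    }


# Constructed sample data (hypothetical online shop, not from the article).
CUSTOMER_DB = Asset("customer database", value=1_000_000)
SQLI = Threat(
    name="external attacker",
    vulnerability="unparameterised SQL in the web front end",
    annual_likelihood=0.3,
    impact=0.5,  # confidentiality loss over half the records' value
)
CANDIDATES = [
    Countermeasure("rewrite queries with parameters", annual_cost=20_000, likelihood_reduction=0.8),
    Countermeasure("web application firewall", annual_cost=25_000, likelihood_reduction=0.5),
    Countermeasure("dedicated inspection appliance", annual_cost=200_000, likelihood_reduction=0.6),
]

if __name__ == "__main__":
    print(annualised_risk(CUSTOMER_DB, SQLI.annual_likelihood, SQLI.impact))
    print(select_countermeasures(CUSTOMER_DB, SQLI, CANDIDATES, acceptable_risk=35_000))
    print(select_countermeasures(CUSTOMER_DB, SQLI, CANDIDATES, acceptable_risk=10_000))
```

With the sample figures the query rewrite removes 120,000 of the 150,000 annualised risk for a 20,000 cost and is selected; the firewall would then remove only 15,000 for 25,000 and is rejected, so with an acceptable level of 10,000 the register reports a residual of 30,000 that is not within tolerance and must be consciously accepted or escalated rather than spent on. Running the same candidates against a low-value asset selects nothing at all, which is the "based on the value of the information resource" part of the definition.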

Business Continuity

Business Continuity refers to protecting, maintaining, and recovering business-critical processes and systems within an established recovery time (the recovery time objective, or RTO).

Not all risks can be fully avoided or mitigated. Business Continuity Planning (BCP) goes beyond Risk Management's pre-emptive approach and starts from the assumption that a disaster will occur at some point. It includes assurance mechanisms such as managed backup routines and procedures for recovering core services and data.

Disaster Recovery

Disaster Recovery refers to the processes, policies, and procedures for restoring the operations critical to resuming business, including regaining access to IT systems, communications, and other business processes. It relies on measures such as data backup, offsite data protection, and data replication.

References

ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association, p. 85.

