Risk Management System
Risk identification involves finding and describing the risk events that could affect the achievement of an organization’s objectives. It also includes the identification of their possible causes and potential consequences.
Risk identification is one of the first steps of the risk management process, which is a coordinated set of activities that an organization uses to control the many risks that can affect its ability to achieve its objectives. It is a continuous and systematic process for understanding, managing and communicating risk from an organization-wide perspective.
Risk management standards (such as ISO 31000) and frameworks (such as COSO ERM) address the need to manage the effect of uncertainty on business objectives.
Other standards, such as ISO 27001, state that information security risks are to be managed by identifying the organization’s information assets and the loss those assets may incur as a result of the threats and vulnerabilities associated with them.
Having identified your information security risks, there is a significant ongoing task to understand, quantify, prioritize, mitigate, assess, manage, monitor and review them.
No two organizations are the same. You need to define the scope and boundaries of the risk management activities and tailor the risk assessment approach to reflect your objectives, work culture, customer requirements, risk appetite and the regulations with which you must comply.
Good communication channels are essential so that your workforce is risk aware.
It is also important to have management oversight in place so that you can identify where and when further action is required.
It is crucial to implement a robust risk management framework that demonstrably meets the organization’s needs and those of its customers and regulators.
ISO 31000 calls for the establishment of a risk management framework, which is the set of components that support and sustain risk management throughout an organization. There are two types of components: “foundations” and “organizational arrangements”. Foundations include the risk management policy, objectives, mandate and commitment. Organizational arrangements include the plans, relationships, accountabilities, resources, processes and activities used to manage the organization’s risk.