Fri Apr 8 06:51:39 PDT 2016
Risk Management: Changing systemic risks: How are changing systemic risks managed?
Options:
Option 1: The system will use the enterprise risk change management model.
Option 2: The system will not have a change management model unless/until risks justify it.
Option 3: The system will create and operate its own risk change management model.
Decision:
IF a risk change management process exists for the enterprise as a whole, THEN the System should integrate with the enterprise risk change management process, gaining from the economy of scale and the existing systems and processes.
OTHERWISE IF risk levels for the System have been determined to be Low, THEN System risk change management should be limited to detecting changed risk levels for the System using the System risk assessment process.
OTHERWISE the System should create and operate its own risk change management system using the risk change management model below. (Fill in the Risk Change Management Model below, identifying the specific sources, processes, and conditions for doing change-based updates to risk management decisions.)
Risk Management Changes: Detect and respond to changing internal and external drivers.
  Threats {Capabilities & Intents} | Fed by external sources and internal analysis through an intelligence process.
  Vulnerabilities {Technical, Human, Organizational, Structural} | Fed by technical, HR, and management team activities.
  Consequences {Brand, Value, Time, Cost} | Fed by management-team-identified duties and ongoing analysis processes.
  Accept / Transfer / Avoid / Mitigate | Driven by changes in management tolerance for risks, as identified by management.
  Interdependencies (Function < People < Applications < Systems < Physical systems < Critical infrastructures) | Fed by ongoing analysis and detection of changes in all of these areas, as generated by the business process in each area.
  Matching Surety to Risk | Fed by ongoing analysis by risk management.
The Risk Change Management Model - Sources, Processes, and Conditions
Basis:
Risks change over time. As and if significant changes
are detected, they should be addressed by revisiting the risk
management process. This calls for two independent business processes:
- Tracking changes in the business needs or duties that affect risk management.
As changes in any of these areas occur, they should
be detected as such and fed back into the risk management system for
adaptation. Since these are all organizational actions, they should be
tracked as part of normal business processes and the business process
tracking system should trigger notifications to the risk management
team to indicate the nature of those changes.
- Tracking environmental changes that affect risks.
These changes tend to be externally driven. For
example, changing threats may lead to the need to reassess the design
basis threat, changing vulnerabilities may lead to the need to
reassess business processes, and so forth. Since these tend to be
driven by external events, if they are not otherwise tracked and
reported to the risk management function as part of normal business
processes, such processes should be put in place, either within risk
management when not otherwise appropriate, or in the part of the
enterprise appropriate to the specific source of changes (e.g., HR
should handle personnel-related issues and feed the information to
risk management, while technical security specialists should be aware
of changes to vulnerabilities and pass that information to the risk
management team).
Oversight: Changes in Business Needs or Duties to Protect.
  Laws/Regulations
  Owners/Intent
  Board decisions
  Auditor feedback
  Executive decisions

Risk Management: Turns Duties to Protect into What to Protect and How Well.
  Changes in Threats {Capabilities & Intents}
  Changes in Vulnerabilities {Technical, Human, Organizational, Structural}
  Changes in Consequences {Brand, Value, Time, Cost}
  Changes in thresholds for Accept / Transfer / Avoid / Mitigate
  Changes in Interdependencies (Function < People < Applications < Systems < Physical systems < Critical infrastructures)
  Matching Surety to Risk

Security Management: Changes in Power and Influence Controlling the Protection Program.
  Changes in Organizational Governance
  Changes in Business Processes
  Changes in Human Actuators & Sensors

Risk management change control in context
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved