Chapter 1: Risk Introduction and Overview
Change Risk
A change in technology, regulations, business processes, functionality, architecture, users and other variables that affect the enterprise business and technical environments and the levels of risk associated with the systems in the operations.
Vulnerability
A control condition that is deemed to be deficient relative to requirements of the threat levels being faced by the enterprise. This concept represents a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Policy
A document that records a high-level principle or decided course of action, used to influence and guide decision making to align with management's philosophy, objectives, and plans. This document also empowers risk management and clearly states the position of senior management towards the protection of information.
Probability
A mathematical-driven measure of the possibility of a specific outcome as a ration of all possible outcomes. This concept represents the extent to which an event is likely to occur, measured by the ratio of the studied cases or cases in question to the whole number of cases.
Controls
A means of managing risk and are normally composed of policies, procedures, and standards.
Magnitude
A measure of the potential severity of loss or the potential gain from realized events/scenarios.
Frequency
A measure of the rate by which events occur over a certain period of time.
Business Continuity
A process that is concerned with the preservation of critical business functions which aims to ensure that the enterprise is able to survive an adverse event that could impact an enterprise's ability to meet their stated mission and goals. This process also attempts to reduce all I&T-related risk to an acceptable level and works along side incident management to identify possible threats, and implement mechanisms to detect, contain, and recover from a possible adverse event.
Audit
A process that provides management with assurance regarding the effectiveness of the control framework, risk management program and compliance efforts. This function is conducted by objective, skilled, and independent personnel whose goal is to assess risk, identify vulnerabilities, document findings, and provide recommendations to address issues.
Technical Controls
Also known as "logical" controls which are provided through the use of technology, piece of equipment or device. Examples include firewalls, network, or host-based intrusion detection systems, passwords, and anti-virus software. These controls require proper managerial controls to operate correctly.
Attack
An attempt to gain unauthorized access or make use of an asset.
Exploit
An event where the attacker takes advantage of a vulnerability.
Incident
Any event that is not part of the ordinary operation of a service and that causes, or may cause, an interruption to, or reduction in, the quality of that service.
Threat
Anything that is capable of acting against an asset in a manner that can result in harm. This concept is typically aimed at exploiting enterprise vulnerabilities.
Strategic Risk
Associated with an enterprise's potential business plans and strategies which can include: planning for expansion, entering new markets, and enhancing the business infrastructure.
Processing Controls
Controls and procedures used to ensure the reliability of application program processing. These controls are meant to ensure the completeness and accuracy of accumulated data. They ensure that data in a file/database remain complete and accurate until changed as a result of authorized processing or modification routines.
Corrective Controls
Controls that are used to remediate impact
Preventative Controls
Controls that directly address risk.
Detective Controls
Controls that warn of violations or attempted violations.
Standard
Defined as a mandatory requirement, code of practice, or specification that is implemented to comply with the requirements and direction of policy to limit risk and support efficient operations.
Risk
Defined as the combination of the likelihood of an event and it's impact. This concept is most associated with uncertainties and deviations from expected results causing harm to the enterprise and considers the likelihood and impact that exists from a combination of assets, threats, and control conditions.
Likelihood
Described as the potential risk of an event and the probability of something happening.
Procedure
Documentation that details and describes the steps necessary to perform specific operations in conformance with applicable standards.
Compensating Controls
Internal controls that reduce the risk of an existing or potential control weakness, resulting in errors or omissions.
Physical Controls
Locks, fences, closed-circuit TV (CCTV) and devices that are installed to restrict access to a facility or hardware.
Value Impediment
Refers to IT-enabled business projects or investments which fail to deliver expected results and value and the failure of the enterprise to identify or capture opportunities for new business initiatives arising from new technology.
I&T Program and Project Delivery Risk
Refers to the contribution of IT to new or improved business solutions.
Value Enabler
Refers to the enablement of successful I&T related projects, continuous support of new initiatives, application of new technology in innovative ways, and the protection of assets and resources from threats to the delivery of product or services.
I&T Benefit/Value Enablement Risk
Refers to the opportunities to use technology to improve the efficiency or effectiveness of business processes or as an enabler for new business initiatives. This concept also includes the risk of missing new business opportunities because of inadequate I&T capabilities.
Information Security
Refers to the type of controls that are almost certain to be incorrectly designed, poorly implemented and improperly operated in the event when I&T risks are improperly managed.
Managerial Controls
Related to the oversight, reporting, procedures, and operations of a process. These include controls such as policy, procedures, balancing, employee development and compliance reporting.
Market Risk
Represents pressures on an asset class such as currency which can result in a recession, depression, inflation, and war. This type of risk can be further broken down into sub-categories by the type of pressured asset: Currency Risk, Interest Rate Risk, Equity Risk, Property Risk, Foreign Exchange Risk, and Commodity Risk.
Environmental Risk
Represents threats to natural resources, wildlife, and human health.
I&T Operations and Service Delivery Risk
Risk associated with the performance of IT systems and services which can bring destruction or reduction of value to the enterprise. This can include: Technology, Regulations, Processes, Functionality, Architecture, and Users.
I&T Risk
Risk that is associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.
Project Risk
Risk that the projection will fail to meet its intended objectives and deliver results according to the project charter.
Input Controls
Techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer. These procedures must ensure that every transaction to be processed is entered, processed, and recorded accurately and completely. These controls should also ensure that only valid and authorized information is input and these transactions are processed only once.
Cyber and Information Security Risk
The danger, harm, or loss related to the use of, or dependence on, information and communications technology, electronic data and digital or electronic communications. This risk often pertains to the unauthorized access and/or use of information technology and is commonly associated with the critical nodes between or among interconnected environments including points of access to the internet.
Strategic Level
The level of risk where choices are made about risk in relation to innovation and plans for delivering the business strategy. At this risk level it needs to be understood that accepting risk is an essential element of business today and success comes to those enterprises that detect, identify, and manage risk most effectively.
Impact
The magnitude of loss resulting from a threat or exploiting a vulnerability.
Application Controls
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved. These controls help ensure data accuracy, completeness, validity, verifiability and consistency, thus achieving data integrity and data reliability.
Business Risk
The probability a situation with uncertain frequency and magnitude could prevent the enterprise from meeting its business objectives.
Compliance Risk
The probability and consequences of failing to comply with laws, regulations, or ethical standards/codes of conduct applicable to the enterprise's industry. Additionally, this risk type is associated with the potential for financial loss, sanctions, or damage to reputation and brand value caused by failure to comply with legal or regulatory requirements.
Project Level
The risk level focused around medium-term goals in order to deliver enterprise strategic objectives. This risk level deals with issues that require a program risk policy or strategic-level risk policy to give overall guidance and direction on how risk should be managed.
Program Level
The risk level focused around medium-term goals in order to deliver enterprise strategic objectives. This risk level deals with the potential circumstances or situations that can cause detrimental impact to its function within the business.
Operational Level
The risk level focused around short-term goals to ensure ongoing continuity of business services. At this level, risk management involves responding to the potential impact on the business, identifying the issues and making sure that the risk that has the highest likelihood and impact of occurring is being addressed.
Operational Risk
The risk type associated with the potential for losses caused by inadequate systems or controls, human error, or mismanagement and natural disaster. Examples include: Employee Errors, System Failures, Fires, Floods, or other physical losses.
Credit Risk
The risk type associated with the potential that a creditor or borrower will fail to meet financial obligations. Examples include: Poor or falling cash flows from operations, Rising interest rates, Callable loans.
I&T Benefit/Value Enablement Risk, IT Program and Project Delivery Risk, IT Operations and Service Delivery Risk, Cyber and Information Security Risk
What are the I&T Related Risk Types?
IT Department, Independent Oversight, Internal Audit
What are the components that make up the three lines of defense?
Input, Processing, Output, Application
What are the four classifications of I&T controls?
Preventative, Detective, Corrective, Compensating
What are the four control varieties?
Strategic Level, Program Level, Project Level, Operational Level
What are the four levels of risk that can exist within an enterprise? (List in descending order)
Business Continuity, Audit, Information Security
What are the other processes that exist within an enterprise that involve risk management?
Strategic, Environmental, Market, Operational, Credit, Compliance
What are the six business risk types?
Assets, Threats, Control Conditions
What are the three components for which enterprise risk considers in terms of the likelihood of an event and its impact?
Managerial (Administrative), Technical, Physical
What are the three control types?
Value Enabler, Value Impediment
What are the two concepts that relate to the risk-opportunity relationship within I&T Benefit/Value Enablement Risk?
Strategic Level
Which level(s) of risk pertain to the following statement? "Decisions on business strategy"
Project Level, Program Level
Which level(s) of risk pertain to the following statement? "Decisions required to enable implementation of actions"
Operational Level
Which level(s) of risk pertain to the following statement? "Decisions transforming strategy into action"