
2.8 Risk Ranking


 

  • Risk analysis helps to prioritize the risk responses and the allocation of resources.

  • Risk ranking is the process of identifying the high risks and ordering them so that they are given priority for risk treatment.

  • Risk can be ranked on the basis of monetary impact (quantitative ranking): risks with a high monetary impact should be prioritized for risk treatment. Risk can also be ranked using qualitative levels such as high, medium and low risk, in which case the high risks should be prioritized for risk treatment.

  • Ranking each risk on the basis of its probability and its impact is critical in determining the risk mitigation strategy, because the two together determine the expected loss.

  • For a cost-effective security arrangement, the level of security should be based on the criticality of the assets, i.e. critical assets should get enhanced protection compared to other assets.

 

OCTAVE

 

  • OCTAVE stands for Operationally Critical Threat, Asset and Vulnerability Evaluation.

  • OCTAVE is a process-driven, self-directed technique for risk assessment and ranking. It covers the identification, prioritization and management of information security risk, and it is asset-driven: the organization first decides which assets are critical and then evaluates threats and vulnerabilities against those assets.

  • Following are the three phases of the OCTAVE process:
  1. Phase 1 (organizational view): critical assets are identified and a threat profile is built for each critical asset, including the security requirements for that asset.
  2. Phase 2 (technological view): the infrastructure components that support the critical assets are examined and their network-level vulnerabilities are identified.
  3. Phase 3: the risks to the critical assets are analysed, and a protection strategy and risk mitigation plans are developed.

  

Risk Appetite Bands

 

  • Risk appetite is the willingness of the organization to accept the risk.


  • Risk that falls within the risk appetite is “acceptable.” Risk that exceeds the risk appetite but stays within the risk tolerance (the acceptable deviation from appetite) is “unacceptable”: it may be carried for a time, but it must be brought back within appetite or be explicitly accepted by management. Risk that is outside the risk tolerance is “really unacceptable” and must be treated on priority.


  • Prioritizing and addressing risk in accordance with the risk ranking helps to respond to risk in a cost-effective manner.
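The ranking described above (monetary ALE ranking, qualitative likelihood x impact ranking, and the three appetite bands) is easy to get wrong in a spreadsheet, so here is a small worked register. This is an added example, not part of the page or of ISACA's material: the Risk class, the four register entries, the 3-level scale, the appetite and tolerance figures and the tie-break rule (higher impact wins an equal score) are all constructed for illustration.

```python
"""Risk ranking and appetite bands for a small risk register.

Added example; not part of the CRISC manual or this page. The register
entries and the appetite/tolerance figures are constructed, not real data.
"""
from dataclasses import dataclass

# Qualitative scale used by the example (assumption: a 3-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str           # an individual role, not a department (risk ownership)
    likelihood: str      # qualitative: "low" | "medium" | "high"
    impact: str          # qualitative: "low" | "medium" | "high"
    sle: float           # single loss expectancy, in currency units
    aro: float           # annualised rate of occurrence (events per year)

    @property
    def score(self) -> int:
        """Qualitative score: likelihood level x impact level (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO (the quantitative ranking key)."""
        return self.sle * self.aro


def band(ale: float, appetite: float, tolerance: float) -> str:
    """Place an annual loss figure into the appetite bands used on this page."""
    if tolerance < appetite:
        raise ValueError("tolerance must be at or above appetite")
    if ale <= appetite:
        return "acceptable"
    if ale <= tolerance:
        return "unacceptable"
    return "really unacceptable"


def rank_quantitative(risks):
    """Highest annualised monetary loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def rank_qualitative(risks):
    """Highest likelihood x impact score first; on a tie the higher impact wins."""
    return sorted(risks, key=lambda r: (r.score, LEVELS[r.impact]), reverse=True)


def treatment_plan(risks, appetite, tolerance):
    """Rows of (name, owner, ALE, band): worst band first, then by ALE descending."""
    order = {"really unacceptable": 0, "unacceptable": 1, "acceptable": 2}
    rows = [(r.name, r.owner, r.ale, band(r.ale, appetite, tolerance)) for r in risks]
    return sorted(rows, key=lambda row: (order[row[3]], -row[2]))


# Constructed sample register (illustrative figures only).
REGISTER = [
    Risk("Ransomware on file server", "Head of Infrastructure", "high", "high", 500_000, 0.2),
    Risk("Laptop theft", "Head of Facilities", "high", "low", 5_000, 5.0),
    Risk("Data centre flood", "Head of Infrastructure", "low", "high", 2_000_000, 0.01),
    Risk("Phishing credential theft", "Head of Security Operations", "medium", "medium", 30_000, 0.5),
]
APPETITE = 15_000   # annual loss the organisation is willing to carry per risk
TOLERANCE = 30_000  # acceptable deviation above appetite before escalation

if __name__ == "__main__":
    print("Quantitative ranking (ALE):")
    for r in rank_quantitative(REGISTER):
        print(f"  {r.ale:>10,.0f}  {r.name}")
    print("Qualitative ranking (likelihood x impact):")
    for r in rank_qualitative(REGISTER):
        print(f"  {r.score:>3}  {r.name}")
    print("Treatment order with appetite bands:")
    for name, owner, ale, b in treatment_plan(REGISTER, APPETITE, TOLERANCE):
        print(f"  {b:<20} {ale:>10,.0f}  {name} (owner: {owner})")
```

Note that the two rankings do not agree: laptop theft is second by ALE (frequent, cheap events add up) but last by the qualitative score, while the flood is the other way round. That is the point made in 2.7 about choosing the method on the basis of the data available; whichever ranking is used, each row still carries a named owner so that accountability stays with an individual.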

  

Risk Ownership and Accountability


  • The board of directors has ultimate accountability to all stakeholders, i.e. shareholders, regulators, customers, vendors and employees. Though the board is not responsible for executing the risk management program, it is responsible for overseeing and monitoring the organization's risk management strategy.


  • Similarly, senior management is ultimately accountable for the acceptance and mitigation of all risk.


  • For better accountability, an individual, rather than a department or a function, should be made the owner of a particular risk. Each risk must be linked to an individual who accepts ownership of it. In most cases the asset owner is also made the risk owner for that asset or function.


  • When it comes to IT risk, it is the business users of IT services who own the risk related to the use of IT. IT may operate the supporting controls, but ownership of the risk stays with the business.

Key aspects from CRISC exam perspective

  • Question: What is the most important step in a risk mitigation strategy?
    Answer: Risk ranking (priority is given to mitigating the top risks).

  • Question: How to ensure the best and optimal return on security investment?
    Answer: Arrange security as per asset classification, for example stringent security for critical assets and minimum security for non-critical assets. This gives the best security at the lowest cost.

  • Question: What is the goal of IT risk analysis?
    Answer: To prioritize the risk response.

  • Question: Resource allocation for risk response (risk treatment) is based on?
    Answer: Risk analysis (priority is given to mitigating the top risks).

  • Question: What is the best method to respond to risk in a cost-effective manner?
    Answer: Prioritization of the risk (priority is given to mitigating the top risks).

  • Question: Accountability for risk ultimately belongs to?
    Answer: The board of directors / senior management.

 
