ISACA CRISC – IT Risk Response and Mitigation

  1. Module Overview

Welcome to the preparatory course for the ISACA CRISC certification. This is the fourth module of a total of five modules. So far, we have had an overview of risk management and learned how to identify, assess, and classify risks. In this module, we will learn about risk response and mitigation. We’ll start with some basics.

The module answers four questions. Is responding to risk not just about eliminating all the identified risks? What are the options for responding to a risk? What are the key techniques for determining the best response to risks? What are the types of risks? The next module continues with the remaining phase of the risk management life cycle; that is, it deals with the monitoring and reporting of risk and controls. This training is based on the official ISACA material, the CRISC Review Manual, Sixth Edition, and is intended to help you understand risk management according to ISACA’s vision and support you in achieving the CRISC certification.

  2. Is it not just eliminating all the identified risks?

The risk response and mitigation phase focuses on the decisions made about the correct way to respond to risks, and it answers the question above. It is not only about eliminating the risks we identified; eliminating risk is not always possible or desirable.

Risk responses are based on the information provided in the previous phases of risk identification and analysis, but this information is balanced against the constraints imposed on the organisation by budget, time, resources, strategic plans, regulations, customer expectations, and other business factors. Let us look at an example of why risk cannot always be eliminated. Every day I drive my vehicle to my workplace. The collision risk has been mapped, showing possible impacts that go beyond financial damage: damage to third parties, personal injuries, and even death. To completely eliminate the risk, I would have to not leave the house. This is not a possible option in my case. To mitigate the risk, I use my seatbelt, drive at a moderate speed, and pay extra attention while driving.

You see, there is still a residual risk of collision, but it has been mitigated to a level that I consider acceptable. In companies, it works the same way. Often the risk is inherent to the company’s own activity, so it cannot be eliminated; ways are then sought to mitigate it. Management should be prepared to justify risk response decisions to stakeholders and provide a roadmap for implementing the agreed-upon changes on a reasonable schedule. In addition, risk response must be performed in a way that protects business operations without undue harm, so the careful selection of the controls that will be implemented to address a risk is a very important part of the response and mitigation process.

  3. What are the options for responding to risks?

Assessing the most appropriate response to each risk is part of the risk management life cycle, not a one-time effort. The purpose of defining a risk response is to bring the risk in line with the risk tolerance level defined by the organisation as cost-effectively as possible, not to eliminate or minimise risk at any cost. It is important to observe this very carefully. The role of the risk professional is not simply to identify the best way to resolve the risk. The role is to help business areas choose the best response by balancing all the constraints in the company; the technically best option may be unfeasible from a financial point of view, for example. Finding ways to balance these variables is what managing risk means.

There are four accepted ways to respond to risks, and the first is accepting the risk. The word “consciously” matters here. The choice to accept a risk is a conscious decision made by senior management that recognises the existence of the risk and decides to allow it to remain without further mitigation. The company should only accept risks that are within its risk appetite and risk tolerance. Since any impact that materialises will be the responsibility of the same management body, this is not necessarily a bad thing. Accepting a risk often reflects a more dynamic stance by the company in pursuing opportunities with high earning potential, so no option should be disregarded when choosing the best risk response strategy.

Accepting a risk that is within the company’s tolerance level often means not spending resources to mitigate that risk and instead investing those same resources in projects that carry out the company’s strategy. In this sense, accepting risk is often the most recommended option. Acceptance of risk must be made by someone empowered to act on behalf of the organisation at a level commensurate with the projected consequences of the risk. It is important to emphasise here that risk acceptance is very different from ignorance of risk, and by ignorance I mean not knowing the risk exists. Finally, organisations should conduct regular reviews of accepted risks to ensure that they remain consistent with the company’s risk tolerance level. The next option is to mitigate the risk, which refers to actions the organisation takes to reduce the risk. Mitigation is usually achieved through security controls that affect the frequency or the impact of the risk. Some examples of mitigation are implementing operational policies and procedures, installing new access control systems on a particular critical asset, and using compensating controls.

At the end of the day, any action aimed at reducing the likelihood or impact of a risk is a form of mitigation. In some cases, multiple controls may be needed to reduce a risk to acceptable levels; redundancy of controls is an option as long as it is applied consciously. There will always be a residual risk that must be documented and reviewed on a regular basis, and the residual risk should always be within the company’s risk tolerance level. Implementing too many controls can be an unwanted expense, so the risk professional must seek a balance between the level of control needed and the residual risk we consider acceptable. Risk transfer is a decision to reduce the loss by having another organisation bear the cost. The most common example of risk transfer is the purchase of insurance, which provides a guarantee of compensation or replacement if a loss occurs. But it is important to note that even with risk transfer there are residual risks that need to be mapped and analysed. Transferred risks should also be reviewed on a regular basis to ensure that they remain appropriate and adequate.

Avoiding risk means ceasing the activities or conditions that give rise to it. Risk avoidance is the choice that remains when no other response is appropriate, which means that all of the following are true: one, the level of exposure is considered unacceptable by management; two, the risk cannot be transferred; and three, the mitigation that would bring the risk to acceptable levels is either impossible or would cost more than the benefits the organisation derives from the activities. So avoiding risk is clearly the last option, but it may be the best choice in some cases. The role of the risk professional is to provide timely and accurate assessments, along with the supporting data, to management so that a conscious decision can be made. Finally, I would just like to make it clear to everyone that, as a cycle, all phases of the process are iterative. Implementing a new or modified control in response to a risk, for example, provides benefits to the organisation but can also introduce new vulnerabilities.

  4. What are the key techniques for determining the best response to risks?

Briefly, the selection of the appropriate response is based primarily on the value obtained relative to the costs required. It is as simple as that: value created versus cost. In other words, does the cost of implementing a specific response to a risk generate enough value for the company to justify itself? Naturally, the key techniques for determining the best response to risks are financial ones, and in the end they serve to build the business case. Yes, a business case is required to respond to risk. Implementing security controls often requires projects with large investments, and the justification for such a project can only be achieved through a business case. The first technique is cost-benefit analysis, which is used to justify the expenses associated with implementing controls.

A control’s expense cannot be justified if the benefit obtained from it is less than the cost of implementation. It is important to note that costs must be viewed globally. That is, all of the following must be considered: the cost of purchase, the cost of training staff, the cost of integrating with other solutions, the cost of the licence and of maintaining that licence over time, the cost of the team that maintains the solution, the possible impact on productivity or performance that the chosen solution can bring, and the cost of removing the control when it is no longer needed. The second technique is return on investment, which calculates the time it takes to recover the cost through the value added or other savings produced. Some organisations use the term “return on security investment” (ROSI) to refer specifically to the return on security controls.

Calculating the costs associated with implementing a control is always difficult, in part because it depends on predicting the likelihood of an attack being successful. Another complication is that the goal of a control is to reduce the risk to an acceptable level rather than to eliminate it entirely. There are several risk responses that can be considered, and the risk manager plays a consultative role in helping risk owners decide on the correct response to a risk. The final decision on the risk response lies with the risk owner. In general, risk action planning should be run as a project with a defined start and end date. It can be a more informal project if it is just the definition of a new procedure, for example, or a formal project with several stakeholders, such as the implementation of a DLP solution. What is important is that a consistent methodology be used to guide the execution of the activities needed to achieve the goal.

  5. What are the types of risks?

Some level of risk is inevitable in business and in life. On the Internet, danger lurks around every corner. However, some business processes have a higher level of risk than others, and this level of risk varies from one activity, product, or service to another. Professionals must understand the risk and be able to assess and respond to any risk that is beyond the organisational appetite for risk in a way that reduces it to an acceptable level. To carry out this activity, you must first understand the various types of risk. The first type is inherent risk, which is the level of risk or exposure without taking into consideration the actions that management has taken or can take.

Inherent risk is also referred to as native risk or original risk. Residual risk is the risk remaining after management has implemented a risk response, which is usually a mitigation activity but may also include risk transfer. Residual risk is calculated by subtracting the effectiveness of the risk response, typically a control, from the inherent risk. Translated into a mathematical form: inherent risk less the cumulative effectiveness of our risk responses equals residual risk. Finally, the term current risk represents the risk as it stands today, taking into account only the actions that have already been taken, not those that are merely planned or proposed. It is important to use this term because it is common to use “residual risk” in a predictive way, referring to the residual risk that will exist once the selected response is implemented. But that response may take a long time to arrive, because it will depend on the prioritisation made by top management, considering the strategy of the company as a whole.
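The following is an added worked example, not code from the course or from ISACA, that puts the two financial techniques from the previous section (cost-benefit analysis and ROSI) together with the risk types defined here. All figures are constructed annualised loss expectancies; the candidate responses, the tolerance, and the assumption that each control’s effectiveness applies as a fraction of the exposure left by the previous one (so stacked controls never push residual risk below zero) are mine, not the course’s.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RiskResponse:
    """One candidate response to a single risk (accept, mitigate, transfer or avoid)."""
    name: str
    kind: str                  # "accept" | "mitigate" | "transfer" | "avoid"
    effectiveness: float       # fraction of the remaining exposure the response removes, 0.0 .. 1.0
    total_cost: float          # all-in cost over the review horizon: purchase, licence, training,
                               # integration, staff time, productivity impact, later removal
    implemented: bool = False  # True once the response is actually in place, not just planned


def residual_risk(inherent: float, responses: Iterable[RiskResponse]) -> float:
    """Inherent risk less the cumulative effectiveness of the given responses.

    Assumption (not from the course): effectiveness is a fraction of the exposure
    still remaining, so a second control only acts on what the first one left.
    """
    remaining = inherent
    for r in responses:
        if not 0.0 <= r.effectiveness <= 1.0:
            raise ValueError(f"effectiveness out of range for {r.name}")
        remaining -= remaining * r.effectiveness
    return remaining


def current_risk(inherent: float, responses: Iterable[RiskResponse]) -> float:
    """Risk as it stands today: only responses already in place count."""
    return residual_risk(inherent, [r for r in responses if r.implemented])


def rosi(inherent: float, response: RiskResponse) -> float:
    """Return on security investment: (risk reduction - cost) / cost, for one response on its own."""
    if response.total_cost <= 0:
        raise ValueError("ROSI is undefined for a zero-cost response")
    reduction = inherent - residual_risk(inherent, [response])
    return (reduction - response.total_cost) / response.total_cost


def select_response(inherent: float, tolerance: float,
                    candidates: List[RiskResponse]) -> Optional[RiskResponse]:
    """Cheapest candidate whose projected residual risk is within tolerance and
    whose benefit (risk reduction) is not less than its cost.

    Accepting costs nothing and removes nothing, so it qualifies only when the
    inherent risk is already within tolerance. Returns None when nothing qualifies,
    which sends the decision back to the risk owner.
    """
    viable = []
    for c in candidates:
        projected = residual_risk(inherent, [c])
        reduction = inherent - projected
        if projected > tolerance:
            continue  # does not bring the risk within tolerance
        if c.total_cost > 0 and reduction < c.total_cost:
            continue  # cost-benefit fails: the response costs more than the risk it removes
        viable.append(c)
    return min(viable, key=lambda c: c.total_cost) if viable else None


# Constructed scenario: unauthorised access through a remote-access service.
INHERENT = 100_000.0   # annualised loss expectancy with no response in place
TOLERANCE = 30_000.0   # the organisation's tolerance for this risk

ACCEPT = RiskResponse("accept: live with the exposure", "accept", 0.0, 0.0)
MITIGATE = RiskResponse("mitigate: MFA plus patch cadence", "mitigate", 0.75, 20_000.0)
TRANSFER = RiskResponse("transfer: cyber insurance", "transfer", 0.5, 15_000.0, implemented=True)
AVOID = RiskResponse("avoid: withdraw the remote-access service", "avoid", 1.0, 150_000.0)
CANDIDATES = [ACCEPT, MITIGATE, TRANSFER, AVOID]


def main() -> None:
    chosen = select_response(INHERENT, TOLERANCE, CANDIDATES)
    print("inherent risk:        ", INHERENT)
    print("current risk:         ", current_risk(INHERENT, [MITIGATE, TRANSFER]))
    print("projected residual:   ", residual_risk(INHERENT, [MITIGATE, TRANSFER]))
    print("selected response:    ", chosen.name if chosen else "none qualifies")
    print("ROSI of mitigation:   ", rosi(INHERENT, MITIGATE))


if __name__ == "__main__":
    main()
```

In this scenario the insurance is already in place, so the current risk (50,000) is much higher than the residual risk projected once the mitigation project lands (12,500); acceptance fails the tolerance check, insurance alone does not reach tolerance, and avoidance removes all risk but costs more than the activity is worth, which is exactly the condition under which the course says avoidance stops being the right answer.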

  6. Key Points

Well, we have finished this module on risk response and mitigation, where we learned how to respond to risks after they have been properly identified, evaluated, and classified. At the end of the module, we hope that each student is able to answer the questions that were asked and is clear about the reason for each answer. The first question was whether responding to risk is only about eliminating all identified risks, and we have seen that it is not that simple: the risk response must take into account organisational factors such as budget, time, resources, strategy, regulations, and customer expectations. Furthermore, the security controls implemented must take care not to disrupt business operations. Then we saw what the options are for responding to risks, which are to accept the risk, mitigate the risk, share the risk, transfer the risk, and avoid the risk, and that all of them should be taken seriously by risk professionals.

Since there is no single answer for every case, not all risks should be mitigated, not all risks can be avoided, and some risks may be accepted. We then looked at the key techniques for determining the best response to risks, which are purely financial, namely cost-benefit analysis and return on investment. In other words, at the end of the day, every risk response must be financially justifiable, and there must be a business case that justifies the security investments required to respond to each risk. Only responses that are viable for the company should be undertaken. Finally, we have seen the types of risk, inherent risk, residual risk, and current risk, and that they should be clear to the company’s key stakeholders when making risk decisions. Sometimes a risk response has been chosen but will still take time to implement, so there may be a large current risk even if the residual risk projected for after the response is low.

  7. Thank You!

Well, that’s the end of this module on risk response and mitigation. It was a small module, but one of fundamental importance to the risk management life cycle. Responses to risks will ultimately be treated as demands, prioritised by the organisation alongside all its other demands, so a response must prove its worth in order to be selected. Next, we go to module five of the training, which is monitoring and reporting risk and control, where we will understand in detail the last process of the risk management life cycle. In it, we will see that monitoring is essential, but that its effectiveness depends largely on its successful integration with reporting.

This last process can provide information to all the others, especially the identification of risks. In it, we will discuss key risk indicators and the advantages of this vehicle, what key performance indicators are, what data sources can be used for risk monitoring and reporting, and what the types of assessment of security controls and risks are. I really hope that you are enjoying it as much as I do, and I look forward to seeing everyone in module five. See you there!
