Risk Assessment and Internal Controls

Notes of itb

Risk management:

It encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.

Risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization.

Risk = f(L x V x I)

Definition of Risk Assessment

• Risk Assessment: The process of identifying, analyzing, and evaluating risks that could potentially hinder the achievement of an organization's objectives.

Importance in Internal Control

• Foundation for Controls: Risk assessment helps organizations prioritize risks and develop effective internal controls to mitigate them.

• Dynamic Process: It's not a one-time activity; risks must be continuously monitored and reassessed.

Steps in Risk Assessment

Step 1: System Characterization

In assessing risks for an IT system, the first step is to define the scope of the effort. In this
step, the boundaries of the IT system are identified, along with the resources and the
information that constitute the system. Characterizing an IT system establishes the scope of
the risk assessment effort, delineates the operational authorization (or accreditation)
boundaries, and provides information (e.g., hardware, software, system connectivity, and
responsible division or support personnel) essential to defining the risk.

Step 2: Threat Identification

A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability. A vulnerability is a weakness that can be accidentally triggered or intentionally exploited. A threat-source does not present a risk when there is no vulnerability that can be exercised. In determining the likelihood of a threat, one must consider threat-sources, potential vulnerabilities, and existing controls.

Step 3: Vulnerability Identification

The analysis of the threat to an IT system must include an analysis of the vulnerabilities associated with the system environment. The goal of this step is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources.

Step 4: Control Analysis

The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat's exercising a system vulnerability.

Control Methods

Security controls encompass the use of technical and nontechnical methods.

Technical controls are safeguards that are incorporated into computer hardware, software, or
firmware (e.g., access control mechanisms, identification and authentication mechanisms,
encryption methods, intrusion detection software).

Nontechnical controls are management and operational controls, such as security policies;
operational procedures; and personnel, physical, and environmental security.

Control Categories

The control categories for both technical and nontechnical control methods can be further classified as either preventive or detective.

• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.

• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

Step 5: Likelihood Determination

To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:

• Threat-source motivation and capability

• Nature of the vulnerability

• Existence and effectiveness of current controls.

Step 6: Impact Analysis

The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following information:

• System mission (e.g., the processes performed by the IT system)

• System and data criticality (e.g., the system’s value or importance to an organization)

• System and data sensitivity.

Step 7: Risk Determination

The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of:

• The likelihood of a given threat-source's attempting to exercise a given vulnerability

• The magnitude of the impact should a threat-source successfully exercise the vulnerability

• The adequacy of planned or existing security controls for reducing or eliminating risk.
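The notes give Risk = f(L x V x I) and the three inputs of Step 7 but never show the rating scales. The example below is added here and is not part of the notes; it applies the likelihood (1.0/0.5/0.1) and impact (100/50/10) values and the High/Medium/Low thresholds of the NIST SP 800-30 risk-level matrix, and the rule that an effective existing control (Step 4) lowers the likelihood rating one step is an assumption of this example. The threat/vulnerability pairs are constructed sample data.

```python
from dataclasses import dataclass

# Scale values from the NIST SP 800-30 risk-level matrix (assumed here; not stated in the notes).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
ORDER = ["Low", "Medium", "High"]


@dataclass
class ThreatVulnPair:
    threat_source: str      # Step 2
    vulnerability: str      # Step 3
    likelihood: str         # Step 5 rating before crediting controls
    impact: str             # Step 6 rating
    control_effective: bool  # Step 4: is an existing control adequate?


def adjusted_likelihood(pair: ThreatVulnPair) -> str:
    """Credit an effective control by dropping the likelihood one step (assumed rule)."""
    if pair.control_effective and pair.likelihood != "Low":
        return ORDER[ORDER.index(pair.likelihood) - 1]
    return pair.likelihood


def risk_score(pair: ThreatVulnPair) -> float:
    """Step 7: combine adjusted likelihood and impact into a numeric score (1 to 100)."""
    return round(LIKELIHOOD[adjusted_likelihood(pair)] * IMPACT[pair.impact], 2)


def risk_level(score: float) -> str:
    """Map a score onto the matrix bands: >50 High, >10 to 50 Medium, 1 to 10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs):
    """Return (threat, vulnerability, score, level) rows, highest risk first, for Step 8/9."""
    rows = [(p.threat_source, p.vulnerability, risk_score(p), risk_level(risk_score(p)))
            for p in pairs]
    return sorted(rows, key=lambda r: -r[2])


# Constructed sample register (not from the notes).
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "Unpatched web server", "High", "High", False),
    ThreatVulnPair("Insider", "Shared administrator accounts", "Medium", "High", True),
    ThreatVulnPair("Power failure", "No UPS in server room", "Medium", "Low", False),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(row)
```

The sorted output is the prioritized list that Step 8 draws on when recommending controls and Step 9 documents as observations.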

Step 8: Control Recommendations

During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

• Effectiveness of recommended options (e.g., system compatibility)

• Legislation and regulation

• Organizational policy

• Operational impact

• Safety and reliability.

Step 9: Results Documentation

Once the risk assessment has been completed (threat-sources and vulnerabilities identified,
risks assessed, and recommended controls provided), the results should be documented in an
official report or briefing. A risk assessment report is a management report that helps senior
management, the mission owners, make decisions on policy, procedural, budget, and system
operational and management changes. Unlike an audit or investigation report, which looks for
wrongdoing, a risk assessment report should not be presented in an accusatory manner but as
a systematic and analytical approach to assessing risk so that senior management will
understand the risks and allocate resources to reduce and correct potential losses. For this
reason, some people prefer to address the threat/vulnerability pairs as observations instead of
findings in the risk assessment report. Appendix B provides a suggested outline for the risk
assessment report.

Methods of Risk Assessment

• Qualitative Methods: Use of expert judgment, surveys, and brainstorming sessions to assess risks based on non-numeric data.

• Quantitative Methods: Employ statistical models and data analysis to assess risks using numerical data.

Integration with Internal Controls

• Control Activities: Based on risk assessment, develop specific control activities to mitigate identified risks (e.g., segregation of duties, authorization processes).

• Monitoring: Regularly review and update the risk assessment and internal controls to adapt to changing environments and emerging risks.

• Documentation: Maintain thorough documentation of the risk assessment process and control measures for accountability and compliance.

Benefits of Effective Risk Assessment

• Informed Decision-Making: Provides management with insights needed to make strategic decisions.

• Resource Allocation: Helps allocate resources efficiently by focusing on high-risk areas.

• Regulatory Compliance: Assists in meeting regulatory requirements by identifying and managing compliance risks.

Challenges in Risk Assessment

• Subjectivity: Risks can be perceived differently by individuals, leading to inconsistent assessments.

• Dynamic Environment: Rapid changes in the business environment can alter risk profiles, making it essential to stay proactive.

• Resource Constraints: Limited resources can hinder thorough risk assessment and control implementation.

Conclusion

Risk assessment is a critical component of an effective internal control system. By systematically identifying and managing risks, organizations can enhance their ability to achieve objectives, comply with regulations, and protect assets. Regular reviews and updates to the risk assessment process are essential for adapting to changes in the risk landscape.
