PO09 Process Description

IT risk identification and impact analysis, involving multi-disciplinary functions and taking cost-effective measures to mitigate risks.

Risk Assessment: maintain a general risk assessment approach,
Action Plan: Review risk action plan to ensure that cost-effective controls and security measures mitigate exposure to risks on a continuing basis,
Threat-Risk Assessments: regular assessments of the relevant information risks to the achievement of the business objectives, forming a basis for determining how the risks should be managed to an acceptable level.

Increased degree of awareness of the need for risk assessments
Decreased number of incidents caused by risks identified after the fact
Increased number of identified risks that have been sufficiently mitigated
Increased number of IT processes that have formal documented risk assessments completed
Appropriate percent or number of cost effective risk assessment measures

There are clearly defined roles and responsibilities for risk management ownership and management accountability
A policy is established to define risk limits and risk tolerance
The risk assessment is performed by matching vulnerabilities, threats and the value of data
Structured risk information is maintained, fed by incident reporting
Responsibilities and procedures for defining, agreeing on and funding risk management improvements exist
Focus of the assessment is primarily on real threats and less on theoretical ones
Brainstorming sessions and root cause analyses leading to risk identification and mitigation are routinely performed
A reality check of the strategy is conducted by a third party to increase objectivity and is repeated at appropriate times