IT Governance, Risk, and Compliance

Mar 7 2013   1:54AM GMT

Risk Management: Is it just another set of business buzzwords? – Part IV



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks, as well as for maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, the quantitative and/or qualitative factors affecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management's risk assessment of IT processes determines the potential IT opportunity cost and the criticality of control implementation. Quantitative risk calculations include:

  • Exposure Factor = Percentage of asset lost caused by identified risk
  • Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
  • Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
  • Annualized Loss Expectancy (ALE) = SLE × ARO
  • Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
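
The calculations above, carried through for one risk and three candidate safeguards and then ranked by net annual value. This is an added example, not taken from the cited books; the asset value, exposure factors, occurrence rates and safeguard costs are constructed sample figures, and the names `Scenario`, `safeguard_value` and `rank_safeguards` are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One identified risk against one asset."""
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of the asset lost per occurrence (0..1)
    aro: float              # estimated occurrences per year

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction from 0 to 1")

    @property
    def sle(self):
        """Single Loss Expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def safeguard_value(before, after, annual_cost):
    """(ALE before) - (ALE after) - (annual cost of safeguard)."""
    return before.ale - after.ale - annual_cost


def rank_safeguards(before, candidates):
    """candidates maps a name to (Scenario with safeguard, annual cost)."""
    scored = [(name, safeguard_value(before, after, cost))
              for name, (after, cost) in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample figures, not taken from the source.
BASELINE = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)
CANDIDATES = {
    "A: lowers ARO": (Scenario(200_000, 0.25, 0.1), 8_000),
    "B: lowers exposure": (Scenario(200_000, 0.05, 0.5), 22_000),
    "C: lowers ARO, cheaper": (Scenario(200_000, 0.25, 0.25), 3_000),
}

if __name__ == "__main__":
    for name, value in rank_safeguards(BASELINE, CANDIDATES):
        print(f"{name:<24} net annual value {value:>10,.0f}")
```

A negative result, as for safeguard B in the sample figures, means the safeguard costs more per year than the loss it is expected to avoid.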

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.
