The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality. Quantitative risk calculations include:
- Exposure Factor = Percentage of asset lost caused by identified risk
- Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
- Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
- Annualized Loss Expectancy (ALE) = SLE X ARO
- Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359
Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.