This is part 3 of our 5-part series on application-based risk management. In part 1, we learned how to prepare a detailed listing of all applications as preparation for setting the scope of the risk assessment. Part 2 covered prioritizing applications for risk protection and mitigation. Here we will discuss the next step, which is assessing the risks to applications to be able to suggest and evaluate possible mitigations.
Assessing the risks to an application means identifying which risks the application is exposed to and estimating, for each relevant risk, how likely it is to occur and how much damage it would cause. Those two values are what the later steps of suggesting and evaluating mitigations build on.
Risk catalogs support consistent assessment by providing standard risk categories and sample risks within each category (for example, willful act > manipulation of data or data theft). During the assessment, every relevant risk is rated for probability and for damage potential. Inventorying the possible mitigations for each catalog risk standardizes the mitigation strategy and reduces the effort of each assessment, because the assessor picks from known options instead of inventing them per application. When assessing an application, document the proposed mitigation together with the probability and damage values expected after it is applied; the difference between the before and after values is what identifies the most effective mitigations.
Who: IT Compliance Manager, CISO
Steps:
- Catalog risks
- Assess probability
- Assess potential damage
- Suggest mitigation and assess the change to the risk
Result: Application risk portfolio
Tips:
- Use a risk catalog to standardize risks and their mitigations
- Use multiple-choice questions with a small set of answers so that assessments are comparable; for example, probability: none, low, medium, high, very high; damage: <$100 thousand, <$500 thousand, <$1 million, >$3 million
Figure 1: Once assessed, the risks can be plotted in a portfolio by damage potential and probability of occurrence.
Figure 2: Filtering the portfolio on mitigation effects shows where the largest risk reduction can be achieved. This chart and the previous one together give a "before-and-after" risk portfolio.
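The catalog, the ordinal scales, and the before-and-after portfolio described above can be expressed as a small scoring model. The following Python is an added example and is not Alfabet code; the catalog entries, the numeric weights behind the answer scales, the rule that a mitigation never makes a rating worse, and the sample assessments are all constructed for illustration.

```python
"""Risk catalog, assessment, and before/after portfolio (added example, not from the original page)."""
from dataclasses import dataclass

# Ordinal answer scales, as recommended for comparability. The numeric weights
# are an assumption; any monotonic mapping gives the same ranking.
PROBABILITY = {"none": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}
DAMAGE = {"<$100k": 1, "<$500k": 2, "<$1M": 3, ">$3M": 4}


@dataclass(frozen=True)
class CatalogEntry:
    """A standard risk with its standard mitigation and the ratings expected once mitigated."""
    category: str           # e.g. "willful act"
    risk: str               # e.g. "data theft"
    mitigation: str         # standard mitigation listed in the catalog
    probability_after: str  # expected probability after the mitigation is in place
    damage_after: str       # expected damage band after the mitigation is in place


# Hypothetical catalog; real catalogs are larger and organization-specific.
CATALOG = {
    "data theft": CatalogEntry("willful act", "data theft",
                               "encrypt data at rest and restrict access", "low", "<$500k"),
    "manipulation of data": CatalogEntry("willful act", "manipulation of data",
                                         "integrity checks and change auditing", "low", "<$100k"),
    "system failure": CatalogEntry("technical failure", "system failure",
                                   "provide a backup instance", "low", "<$100k"),
}


@dataclass(frozen=True)
class Assessment:
    """One risk rated for one application using the multiple-choice scales."""
    application: str
    risk: str
    probability: str
    damage: str


# Constructed sample assessments for three applications.
ASSESSMENTS = [
    Assessment("CRM", "data theft", "high", ">$3M"),
    Assessment("HR portal", "system failure", "medium", "<$1M"),
    Assessment("Wiki", "manipulation of data", "low", "<$100k"),
]


def score(probability: str, damage: str) -> int:
    """Risk score = probability weight x damage weight."""
    return PROBABILITY[probability] * DAMAGE[damage]


def before_after(a: Assessment) -> dict:
    """Apply the catalog's standard mitigation and report the change in risk."""
    entry = CATALOG[a.risk]
    # Assumption: a mitigation never makes a rating worse, so take the lower of
    # the assessed value and the catalog's expected after-value.
    p_after = min(a.probability, entry.probability_after, key=PROBABILITY.get)
    d_after = min(a.damage, entry.damage_after, key=DAMAGE.get)
    before, after = score(a.probability, a.damage), score(p_after, d_after)
    return {
        "application": a.application, "risk": a.risk, "mitigation": entry.mitigation,
        "before": before, "after": after, "reduction": before - after,
        "probability_after": p_after, "damage_after": d_after,
    }


def rank_mitigations(assessments: list[Assessment]) -> list[dict]:
    """Mitigations ordered by risk reduction, largest first (ties by application name)."""
    rows = [before_after(a) for a in assessments]
    return sorted(rows, key=lambda r: (-r["reduction"], r["application"]))


def portfolio(assessments: list[Assessment], mitigated: bool = False) -> dict:
    """Group applications into (probability, damage) cells for the portfolio chart.

    With mitigated=False this is the Figure 1 view; with mitigated=True the Figure 2 view.
    """
    cells: dict[tuple[str, str], list[str]] = {}
    for a in assessments:
        if mitigated:
            r = before_after(a)
            key = (r["probability_after"], r["damage_after"])
        else:
            key = (a.probability, a.damage)
        cells.setdefault(key, []).append(a.application)
    return cells


if __name__ == "__main__":
    for row in rank_mitigations(ASSESSMENTS):
        print(f'{row["application"]:10} {row["risk"]:22} {row["before"]:>2} -> {row["after"]:>2}'
              f'  (-{row["reduction"]})  {row["mitigation"]}')
    print("before:", portfolio(ASSESSMENTS))
    print("after: ", portfolio(ASSESSMENTS, mitigated=True))
```

The ranking is what a "mitigation effect" filter on the portfolio surfaces: here the CRM data-theft mitigation removes the most risk, while the Wiki entry is already at the catalog's after-values and gains nothing, which is exactly the case to deprioritize.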
Once identified and assessed, a risk can be mitigated in two ways: by initiating a project that changes the application or its environment, or by implementing a control system that regularly checks that the agreed mitigation tasks are actually being performed.
An internal control system is a set of controls implemented to ensure that risk mitigations are carried out as planned. For example, if there is a risk of system failure, one mitigation is to provide a backup instance of the system. Controls for that mitigation could check that backups exist (for example, monthly), that the restore procedure is documented (for example, yearly), and that the restore procedure has actually been tested (for example, bi-annually). The last control matters most: an untested restore is not evidence that the mitigation works. Automating such control assessments makes the process repeatable, cuts the manual effort for the enterprise, and provides the evidence trail that internal and external control audits, for example under SOX, require. Performed consistently, risk mitigation systematically reduces both the exposure to a risk and its probability.
Who: IT Compliance Manager, CISO
Steps:
- Propose mitigation projects
- Propose controls
Result:
- Reduced risk
- Documented controls
Tips:
- Formulate controls as questions
- Structure controls to address specific compliance topics
- Reuse controls to reduce effort
Figure 3: Here we see an example of a compliance control.
Tune in to our next episode on how Alfabet for enterprise architecture and strategic portfolio management can be used to build a sustainable IT risk management program.