Sat Nov 22 06:33:13 PST 2014

Risk Management: Changing systemic risks: How are changing systemic risks managed?


Options:

Option 1: The system will use the enterprise risk change management model.
Option 2: The system will not have a change management model unless/until risks justify it.
Option 3: The system will create and operate its own risk change management model.


Basis:

Risks change over time. If and when significant changes are detected, they should be addressed by revisiting the risk management process. This calls for two independent business processes:

Oversight
    Changes in Business Needs or Duties to Protect.
        Laws/Regulations
        Owners/Intent
        Board decisions
        Auditor feedback
        Executive decisions

Risk Management
    Turns Duties to Protect into What to Protect and How Well.
        Changes in Threats {Capabilities & Intents}
        Changes in Vulnerabilities {Technical, Human, Organizational, Structural}
        Changes in Consequences {Brand, Value, Time, Cost}
        Changes in thresholds for Accept / Transfer / Avoid / Mitigate
        Changes in Interdependencies
            Function < People < Applications < Systems < Physical systems < Critical infrastructures
        Matching Surety to Risk

Security Management
    Changes in Power and Influence Controlling the Protection Program.
        Changes in Organizational Governance
        Changes in Business Processes
        Changes in Human Actuators & Sensors

Risk management change control in context
Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved