Risk Management: Changing systemic risks: How are changing systemic risks managed?


Option 1: The system will use the enterprise risk change management model.
Option 2: The system will not have a change management model unless/until risks justify it.
Option 3: The system will create and operate its own risk change management model.


Risks change over time. If and when significant changes are detected, they should be addressed by revisiting the risk management process. This calls for two independent business processes, shown in context below:

Figure: Risk management change control in context

Risk Management (turns Duties to Protect into What to Protect and How Well), driven by:
  - Changes in Business Needs or Duties to Protect: board decisions, auditor feedback, executive decisions
  - Changes in Threats {Capabilities & Intents}
  - Changes in Vulnerabilities {Technical, Human, Organizational, Structural}
  - Changes in Consequences {Brand, Value, Time, Cost}
  - Changes in thresholds for Accept / Transfer / Avoid / Mitigate
  - Changes in Interdependencies: Function < People < Applications < Systems < Physical systems < Critical infrastructures

Matching Surety to Risk links the two processes.

Security Management (the protection program), driven by:
  - Changes in Power and Influence Controlling the Protection Program
  - Changes in Organizational Governance
  - Changes in Business Processes
  - Changes in Human Actuators & Sensors
