Mon Nov 24 05:37:58 PST 2014

Risk Management: Changing systemic risks: How should changing systemic risks be managed?


Options:

Option 1: The system will use the enterprise risk change management model.
Option 2: The system will not have a change management model unless/until risks justify it.
Option 3: The system will create and operate its own risk change management model.


Decision:

IF A risk change management process exists for the enterprise as a whole,
THEN Systems should integrate with the enterprise risk change management process, gaining from economies of scale and from the existing systems and processes.
OTHERWISE IF risk levels for Systems have been determined to be Low, THEN System risk change management should be limited to detecting changed risk levels for the System using the System risk assessment process.
OTHERWISE the System should create its own risk change management system using the risk change management model. (Fill in the Risk Change Management Model below, identifying the specific sources, processes, and conditions for doing change-based updates to risk management decisions.)


Risk Management Changes: detect and respond to changing internal and external drivers.

  Threats {Capabilities & Intents}
    Fed by external sources and internal analysis through an intelligence process.
  Vulnerabilities {Technical, Human, Organizational, Structural}
    Fed by technical, HR, and management team activities.
  Consequences {Brand, Value, Time, Cost}
    Fed by management-team-identified duties and ongoing analysis processes.
  Accept / Transfer / Avoid / Mitigate
    Driven by changes in management tolerance for risks, as identified by management.
  Interdependencies
    Function < People < Applications < Systems < Physical systems < Critical infrastructures
    Fed by ongoing analysis and detection of changes in all of these areas, as generated by the business process in each area.
  Matching Surety to Risk
    Fed by ongoing analysis by risk management.

The Risk Change Management Model - Sources, Processes, and Conditions

Basis:

Risks change over time. When significant changes are detected, they should be addressed by revisiting the risk management process. This calls for two independent business processes: one that detects significant changes in the drivers listed below, and one that revisits the risk management decisions in response to them. The context in which that change control operates is:

Oversight
  Changes in Business Needs or Duties to Protect:
    Laws/Regulations
    Owners/Intent
    Board decisions
    Auditor feedback
    Executive decisions

Risk Management
  Turns Duties to Protect into What to Protect and How Well:
    Changes in Threats {Capabilities & Intents}
    Changes in Vulnerabilities {Technical, Human, Organizational, Structural}
    Changes in Consequences {Brand, Value, Time, Cost}
    Changes in thresholds for Accept / Transfer / Avoid / Mitigate
    Changes in Interdependencies
      Function < People < Applications < Systems < Physical systems < Critical infrastructures
    Matching Surety to Risk

Security Management
  Changes in Power and Influence Controlling the Protection Program:
    Changes in Organizational Governance
    Changes in Business Processes
    Changes in Human Actuators & Sensors

Risk management change control in context
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved