What are the seven steps of a standard security risk assessment model?

The selection process necessarily requires the consideration of legal, economic, and behavioral factors.

Risk management is the decision-making process involving considerations of political, social, economic and engineering factors with relevant risk assessments relating to a potential hazard so as to develop, analyze and compare regulatory options and to select the optimal regulatory response for safety from that hazard.

Essentially risk management is the combination of 3 steps:

1. risk evaluation,
2. emission and exposure control,
3. risk monitoring.

A systematic approach used to identify, evaluate, and reduce or eliminate the possibility of an unfavorable deviation from the expected outcome of medical treatment and thus prevent the injury of patients as a result of negligence and the loss of financial assets resulting from such injury.’

Risk Management Definitions

• “Risk management is an integrated process of delineating specific areas of risk, developing a comprehensive plan, integrating the plan, and conducting the ongoing evaluation.”-Dr. P.K. Gupta
• “Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk.”-Wikipedia
• ‘Managing the risk can involve taking out insurance against a loss, hedging a loan against interest-rate rises, and protecting an investment against a fall in interest rates.”
• -Oxford Business Dictionary
• ‘Decisions to accept exposure or to reduce vulnerabilities by either mitigating the risks or replying cost-effective controls’- Anonymous

The future is largely unknown. Most business decision-making takes place on the basis of expectations about the future.

Making a decision on the basis of assumptions, expectations, estimates, and forecasts of future events involves taking risks.

Risk has been described as the “sugar and salt of life”.

This implies that risk can have an upside as well as the downside.

People take a risk in order to achieve some goal they would otherwise not have reached without taking that risk.

On the other hand;

Risk can mean that some danger or loss may be involved in carrying out an activity and therefore, care has to be taken to avoid that loss.

This is where risk management is important, in that it can be used to protect against loss or danger arising from a risky activity.

For proper control and management of risks, as insurers, we should always keep the following in mind with regard to any project or subject-matter of insurance:

• What are the possible sources of loss?
• What is the probable impact of a loss should it at all occur?
• What should be done when a loss takes place? Should the loss be allowed to enhance or something should be done to minimize it? The question of protection of salvage in the best possible way and also the question of checking the future possibility of such events should be considered.
• The probable expenditure or the economy of loss prevention, (it should be remembered that any extra expenditure for loss prevention would be economically justified so long the expenditure made is smaller than or at best equal to the savings made by way of loss reduction.

As already mentioned, in insurance the risk is isolated from the whole business venture and the pure risk portion of it is assumed entirely by a different group of people of an organization (insurer) in a most technical, expert and economic way.

This is possible only through the proper diagnosis of the risk in matters of finding out the possible sources of loss and the impact of loss should it at all occur.

The question of minimizing a loss and preventing future causation of a loss should not also lose sight of.

Keeping these factors in view would come up with the question of properly rating a risk, as this would be the basis of charging a premium or price for running a risk.

In this context of risk management the ‘mathematical valuation of risk’ is indeed important.

7 steps of risk management are;

1. Establish the context,
2. Identification,
3. Assessment,
4. Potential risk treatments,
5. Create the plan,
6. Implementation,
7. Review and evaluation of the plan.

The risk management system has seven(7) steps which are actually is a cycle.

1. Establish the Context

Establishing the context includes planning the remainder of the process and mapping out the scope of the exercise, the identity and objectives of stakeholders, the basis upon which risks will be evaluated and defining a framework for the process, and agenda for identification and analysis.

2. Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems.

Hence, risk identification can start with the source of problems, or with the problem itself.

Risk identification requires knowledge of the organization, the market in which it operates, the legal, social, economic, political, and climatic environment in which it does its business, its financial strengths and weaknesses, its vulnerability to unplanned losses, the manufacturing processes, and the management systems and business mechanism by which it operates.

Any failure at this stage to identify risk may cause a major loss for the organization.

Risk identification provides the foundation of risk management.

The identification methods are formed by templates or the development of templates for identifying source, problem or event. The various methods of risk identification methods are.

3. Assessment

Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence.

These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring.

Therefore;

In the assessment process, it is critical to making the best-educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents.

Furthermore;

Evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed.

Thus, best educated opinions and available statistics are the primary sources of information.

Nevertheless, a risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized.

Thus, there have been several theories and attempts to quantify risks.

Numerous different risk formula exists but perhaps the most widely accepted formula for risk quantification is the rate of occurrence multiplied by the impact of the event.

In business, it is imperative to be it’s to present the findings of risk assessments in financial terms. Robert Courtney Jr. (IBM. 1970) proposed a formula for presenting risks in financial terms.

The Courtney formula was accepted as the official risk analysis method of the US governmental agencies.

The formula proposes the calculation of ALE (Annualized Loss Expectancy) and compares the expected loss value to the security control implementation costs (Cost-Benefit Analysis).

4. Potential Risk Treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories;

1. Risk Transfer

   Risk Transfer means that the expected party transfers whole or part of the losses consequential o risk exposure to another party for a cost. Insurance contracts fundamentally involve risk transfers.

   Apart from the insurance device, there are certain other techniques by which the risk may be transferred.

2. Risk Avoidance

   Avoid the risk or the circumstances which may lead to losses in another way, Includes not performing an activity that could carry risk.

   Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning the profits.

3. Risk Retention

   Risk-retention implies that the losses arising due to a risk exposure shall be retained or assumed by the party or the organization.

   Risk-retention is generally a deliberate decision for business organizations inherited with the following characteristics. Self-insurance and Captive insurance are the two methods of retention.

4. Risk Control

   Risk can be controlled either by avoidance or by controlling losses. Avoidance implies that either a certain loss exposure is not acquired or an existing one is abandoned. Loss control can be exercised in two ways.

5. Create the Plan

Decide on the combination of methods to be used for each risk. Each risk management decision should be recorded and approved by the appropriate level of management.

For example,

A risk (concerning the image of the organization should have a top management decision behind it whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the risks.

A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.

The risk management concept is old but is still net very effectively measured. Example: An observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software.

6. Implementation

Follow all of the planned methods for mitigating the effect of the risks.

Purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity’s goals, reduce others, and retain the rest.

7. Review and Evaluation of the Plan

Initial risk management plans will never be perfect.

Practice, experience and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two primary reasons for this;

What are the 7 steps of risk management process?

What are the general steps for a security risk assessment?

How many steps are there in a standard risk assessment?

What are the 7 steps of ISO IEC 27005 risk management process?