Risk Assessment Frequency
- The regularity with which risk assessments are conducted within an organization
- There are four main types…
- Ad-Hoc
- Recurring
- One-Time
- Continuous
Ad-Hoc Risk Assessments
Conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks
Recurring Risk Assessment
- Conducted at regular intervals, such as annually, quarterly, or monthly
EXAMPLE: Regularlly scheduled Pen Tests
One-Time Risk Assessment
- Conducted for a specific purpose and not repeated
EXAMPLE: Often associated with a project or initiative
What is the different between One-Time and Ad-Hoc risk assessments?
One-Time: Specific project or initiative and are not repeated
Ad-Hoc: Specific events or situations and may not be repeated
Continuous Risk Assessments
- Ongoing monitoring and evaluation of risks
Risk Identification
- Recognizing potential risks that could negatively impact an organization’s ability to operate or achieve its objectives
Business Impact Analysis
- Process that involves evaluating the potential effects of disruption to an organization’s business functions and processes
Recovery Time Objective (RTO)
- It represents the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization
Recovery Point Objective (RPO)
- It represents the maximum acceptable amount of data loss measured in time
EXAMPLE: If an organization has an RPO of 4 hours, it means the business can tolerate a data loss of up to four hours
Mean Time to Repair (MTTR)
- It represents the average time require to repair a failed component or system
EXAMPLE: Machine breaks down and takes on average 4 hours to repair
Mean Time Between Failures (MTBF)
- It represents the average time between failures
EXAMPLE: 5 times in a year means that it has a MTBF of 2.4 Months, or roughly 72 days
Risk Register (Risk Log)
- A document detailing identified risks, including their description, impact likelihood, and mitigation strategies
- This includes…
Description - ID’s risk and describes on high level
Impact - Potential consequences if the risk materializes
Likelihood - Chance of a particular risk occurring
Outcome - Result of risk, linked to its impact and likelihood
Level/Threshold - Determined by combining the impact and likelihood
Cost - Financial impact it could have to project
Risk Tolerance/Risk Acceptance
- Refers to an organization or individual’s willingness to deal with uncertainty in pursuit of their goals
Risk Appetite
- Signifies an organization’s willingness to embrace or retain specific types of levels of risk to fulfill its strategic goals
What are the three main types of risk appetites?
Expansionary - Organization is open to taking more risk in the hope of greater return
Conservative - Implies organization favors less risk
Neutral - Balance between risk and return
Key Risk Indicators (KRIs)
- Essential predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise
EXAMPLE: Number of loan defaults by a bank
What is the main difference between Qualitative and Quantitative risk analysis
- Qualitative is subjective with a high-level view of risks
- Quantitative is objective with a numerical evaluation of risks
Qualitative Risk Analysis
- A method of assessing risks based on the potential impacts and the likelihood of their occurrence
Quantitative Risk Analysis
- Method of evaluating risk that uses numerical measurements… Also for more precise understanding on impacts.
Exposure Factor (EF)
- Proportion of an asset that is lost in an event
- Expressed as a percentage
EXAMPLE: Flood happens and we evaluate if there is 0 - 100% loss of assets
Single Loss Expectancy (SLE)
- Monetary value expected to be lost in a single event
- Calculated by multiplying the value of the asset by the exposure factor
Annualized Rate of Occurrence (ARO)
- Estimated frequency with which a threat is expected to occur within a year
Annualized Loss Expectancy (ALE)
- Expected annual loss from a risk (SLE X ARO)
