Fri Apr 8 06:47:17 PDT 2016

Risk Management: Changing systemic risks: How are changing systemic risks managed?


Option 1: The system will use the enterprise risk change management model.
Option 2: The system will not have a change management model unless/until risks justify it.
Option 3: The system will create and operate its own risk change management model.


Risks change over time. If and when significant changes are detected, they should be addressed by revisiting the risk management process. This calls for two independent business processes:

  • Tracking changes in the business needs or duties that affect risk management.

    As changes in any of these areas occur, they should be detected as such and fed back into the risk management system for adaptation. Since these are all organizational actions, they should be tracked as part of normal business processes and the business process tracking system should trigger notifications to the risk management team to indicate the nature of those changes.

  • Tracking environmental changes that affect risks.

    These changes tend to be externally driven. For example, changing threats may lead to the need to reassess the design basis threat, changing vulnerabilities may lead to the need to reassess business processes, and so forth. Since these tend to be driven by external events, if they are not otherwise tracked and reported to the risk management function as part of normal business processes, such processes should be put in place, either within risk management when not otherwise appropriate, or in the part of the enterprise appropriate to the specific source of changes (e.g., HR should handle personnel-related issues and feed the information to risk management, while technical security specialists should be aware of changes to vulnerabilities and pass that information to the risk management team).

Figure: Risk management change control in context. Labels in the diagram:

  • Changes in Business Needs or Duties to Protect
  • Board decisions
  • Auditor feedback
  • Executive decisions
  • Risk Management
  • Turns Duties to Protect into What to Protect and How Well
  • Changes in Threats {Capabilities & Intents}
  • Changes in Vulnerabilities {Technical, Human, Organizational, Structural}
  • Changes in Consequences {Brand, Value, Time, Cost}
  • Changes in thresholds for Accept / Transfer / Avoid / Mitigate
  • Changes in Interdependencies: Function < People < Applications < Systems < Physical systems < Critical infrastructures
  • Matching Surety to Risk
  • Security Management
  • Changes in Power and Influence Controlling the Protection Program
  • Changes in Organizational Governance
  • Changes in Business Processes
  • Changes in Human Actuators & Sensors

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved