Fri Apr 8 06:49:41 PDT 2016

Risk Management: Changing systemic risks: How should changing systemic risks be managed?


Options:

Option 1: The system will use the enterprise risk change management model.
Option 2: The system will not have a change management model unless/until risks justify it.
Option 3: The system will create and operate its own risk change management model.


Decision:

IF a risk change management process exists for the enterprise as a whole,
THEN the System should integrate with the enterprise risk change management process, gaining from the economy of scale and from the existing systems and processes.
OTHERWISE IF risk levels for the System have been determined to be Low, System risk change management should be limited to detecting changed risk levels for the System using the System risk assessment process.
OTHERWISE the System should create its own risk change management system using the risk change management model. (Fill in the Risk Change Management Model below, identifying the specific sources, processes, and conditions for doing change-based updates to risk management decisions.)


Risk Management Changes: detect and respond to changing internal and external drivers.

  • Threats {Capabilities & Intents}
    Fed by external sources and internal analysis through an intelligence process.

  • Vulnerabilities {Technical, Human, Organizational, Structural}
    Fed by technical, HR, and management team activities.

  • Consequences {Brand, Value, Time, Cost}
    Fed by management team identified duties and ongoing analysis processes.

  • Accept / Transfer / Avoid / Mitigate
    Driven by changes in management tolerance for risks as identified by management.

  • Interdependencies (Function < People < Applications < Systems < Physical systems < Critical infrastructures)
    Fed by ongoing analysis and detection of changes in all of these areas as generated by the business process in each area.

  • Matching Surety to Risk
    Fed by ongoing analysis by risk management.

The Risk Change Management Model - Sources, Processes, and Conditions

Basis:

Risks change over time. When significant changes are detected, they should be addressed by revisiting the risk management process. This calls for two independent business processes:

  • Tracking changes in the business needs or duties that affect risk management.

    As changes in any of these areas occur, they should be detected as such and fed back into the risk management system for adaptation. Since these are all organizational actions, they should be tracked as part of normal business processes, and the business process tracking system should trigger notifications to the risk management team indicating the nature of those changes.

  • Tracking environmental changes that affect risks.

    These changes tend to be externally driven. For example, changing threats may require the design basis threat to be reassessed, changing vulnerabilities may require business processes to be reassessed, and so forth. Since these tend to be driven by external events, if they are not already tracked and reported to the risk management function as part of normal business processes, such processes should be put in place. They belong within risk management when no other home is appropriate, and otherwise in the part of the enterprise appropriate to the specific source of changes (e.g., HR should handle personnel-related issues and feed the information to risk management, while technical security specialists should be aware of changes to vulnerabilities and pass that information to the risk management team).
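The two tracking processes above, and the Low-risk branch of the decision (detect changed risk levels using the System risk assessment process), reduce to a small piece of logic: accept change notifications only from the business function responsible for that driver, re-score the risk, and revisit the decision when the risk band or the accept/reassess status moves. The following is an added illustration, not code from the original page or from its author; the ordinal 1..3 scoring, the product-based score, the Low/Medium/High bands, the use of management tolerance as a score ceiling, and the source-to-driver mapping are all assumptions made for the example, not something the page prescribes.

```python
"""Added example (not from the original page): a minimal risk change register
implementing the two tracking processes and the conditions for revisiting a
risk decision.

Assumptions made for illustration only (the page prescribes none of them):
  * threat, vulnerability and consequence are scored ordinally 1..3;
  * risk score = threat * vulnerability * consequence, banded Low/Medium/High;
  * management tolerance is the highest score that is Accepted as-is;
  * each driver may only be updated by the business function that feeds it.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set

# Which business function may report a change to which driver. This is the
# example's reading of the "Fed by ..." lines of the model, not a rule from it.
ALLOWED_SOURCES: Dict[str, Set[str]] = {
    "threat":        {"intelligence"},
    "vulnerability": {"technical", "HR", "management"},
    "consequence":   {"management"},
    "tolerance":     {"management"},
}


@dataclass(frozen=True)
class RiskState:
    threat: int         # capabilities & intents, 1..3
    vulnerability: int  # technical/human/organizational/structural, 1..3
    consequence: int    # brand/value/time/cost, 1..3
    tolerance: int      # highest score management is willing to Accept

    def score(self) -> int:
        return self.threat * self.vulnerability * self.consequence

    def level(self) -> str:
        s = self.score()
        return "Low" if s <= 4 else ("Medium" if s <= 12 else "High")

    def accepted(self) -> bool:
        return self.score() <= self.tolerance


@dataclass(frozen=True)
class ChangeEvent:
    source: str  # business function reporting the change
    driver: str  # one of the keys of ALLOWED_SOURCES
    value: int


@dataclass
class RiskChangeRegister:
    state: RiskState
    log: List[str] = field(default_factory=list)

    def apply(self, ev: ChangeEvent) -> bool:
        """Record a change; return True if the risk decision must be revisited."""
        if ev.driver not in ALLOWED_SOURCES:
            raise ValueError(f"unknown driver {ev.driver!r}")
        if ev.source not in ALLOWED_SOURCES[ev.driver]:
            # Provenance check: a driver changes only through the business
            # process responsible for it; anything else is logged, not applied.
            self.log.append(f"REJECTED {ev.driver} change from {ev.source}")
            return False
        if ev.driver != "tolerance" and not 1 <= ev.value <= 3:
            raise ValueError("driver scores are 1..3")
        before = self.state
        after = replace(before, **{ev.driver: ev.value})
        self.state = after
        # Conditions for a change-based update of the decision: the risk band
        # moved, or the risk crossed management's tolerance in either direction
        # (a change of tolerance alone can do that).
        revisit = after.level() != before.level() or after.accepted() != before.accepted()
        status = "Accept" if after.accepted() else "reassess"
        self.log.append(
            f"{ev.source}: {ev.driver}={ev.value} -> score {after.score()} "
            f"({after.level()}, {status}){' REVISIT' if revisit else ''}"
        )
        return revisit


def demo() -> List[bool]:
    """Constructed sequence of change notifications; returns the revisit flags."""
    reg = RiskChangeRegister(RiskState(threat=1, vulnerability=2, consequence=2, tolerance=4))
    events = [
        ChangeEvent("intelligence", "threat", 3),      # new capable, motivated actor
        ChangeEvent("technical", "vulnerability", 1),  # patch reduces exposure
        ChangeEvent("management", "tolerance", 8),     # management raises its risk appetite
        ChangeEvent("HR", "threat", 1),                # wrong channel for this driver: rejected
    ]
    flags = [reg.apply(e) for e in events]
    for line in reg.log:
        print(line)
    return flags


if __name__ == "__main__":
    demo()
```

The first and third events trigger a revisit (the band moves from Low to Medium; later the risk drops back under a raised tolerance), the second does not (the score falls but stays Medium and above tolerance), and the fourth is rejected because the notification did not come through the function the model assigns to threats. The rejection is the practitioner's check worth keeping: a change feed that any part of the organization can write to is itself a way to manipulate risk decisions.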

Oversight: changes in business needs or duties to protect.
  • Laws/Regulations
  • Owners/Intent
  • Board decisions
  • Auditor feedback
  • Executive decisions

Risk Management: turns duties to protect into what to protect and how well.
  • Changes in Threats {Capabilities & Intents}
  • Changes in Vulnerabilities {Technical, Human, Organizational, Structural}
  • Changes in Consequences {Brand, Value, Time, Cost}
  • Changes in thresholds for Accept / Transfer / Avoid / Mitigate
  • Changes in Interdependencies (Function < People < Applications < Systems < Physical systems < Critical infrastructures)
  • Matching Surety to Risk

Security Management: changes in power and influence controlling the protection program.
  • Changes in Organizational Governance
  • Changes in Business Processes
  • Changes in Human Actuators & Sensors

Risk management change control in context
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved