the Risk Management Process
Besides identifying the risks facing an organization, internal auditors help assess the impact risks can have on companywide performance and processes. Therefore, the role of auditors is not only to evaluate risks, but to determine whether adequate controls are in place to mitigate risks effectively. Becoming familiar with the different elements of an effective risk management process can help beginner internal auditors provide recommendations that address the organization's risk management needs and identify risks before they become a threat to companywide assets and data.

What is Risk?

Both the U.S. Securities and Exchange Commission (SEC) and the U.S. Federal Financial Institutions Examinations Council (FFIEC) have addressed the need to conduct risk assessments, while frameworks such as Basel II, ISACA's Control Objectives for Information and Related Technology, and the Software Engineering Institute's Octave approach have provided risk assessment guidelines to organizations worldwide. While governance institutions and frameworks continue to expand their discussions on risk, beginner auditors may wonder what risk truly is and why risk assessments are important to the internal audit community.

According to The IIA, risk is defined as the possibility that an event will occur which will impact an organization's achievement of objectives (The Professional Practices Framework, 2004). There are many forms of risk in an organization, including IT risk, financial risk, operational risk, network security risk, and personnel risk. To address risks more effectively, organizations may use a risk management approach that identifies, assesses, manages, and controls potential events or situations. Among other things, the goal of effective risk management is to ensure that each risk is identified, documented, prioritized, and mitigated whenever possible.

Because all organizations face risk, whether positive (i.e., opportunities) or negative (i.e., events that hinder company processes), the challenge for auditors is to know when a risk will occur and the impact it will have on the organization. In addition, auditors need to consider the probability that the risk will occur. For example, it may not be necessary for the organization to worry about a particular IT risk when the likelihood that it will occur is significantly low and its impact is low as well. However, organizations should still concentrate on low-probability risks that would have a high negative impact. As a result, looking at both the impact and the probability of each risk is important when establishing an effective risk management program that addresses companywide risk.

The Risk Management Process

When establishing a risk management process or initiative, auditors should recommend that organizations examine best management practices in the area. Typically, risk management plans have the following objectives:

As mentioned in the NIST guide, risk assessments should be the first step in an IT risk management initiative. The end result of the risk assessment is to determine the extent of the potential threat and its associated risk, which is defined as the likelihood that a given threat can exploit or take advantage of a particular vulnerability. For example, if an auditor is evaluating an IT system, the threats to the system should be analyzed in conjunction with potential vulnerabilities and any implemented controls.

Identifying Risks

The risk assessment process begins with the identification of risk categories. An organization most likely will have several risk categories to analyze in order to identify risks that are specific to the organization. Examples of risk categories include:
Determining the Risk Likelihood Level

Once risks are identified, the next step is to determine the likelihood that the potential vulnerability can be exploited. Several factors need to be considered when determining this likelihood. First, the auditor needs to consider the source of the threat, the motivation behind the threat, and the capability of the source. Next, auditors need to determine the nature of the vulnerability and, finally, the existence and effectiveness of current controls to deter or mitigate the vulnerability. The likelihood that a potential vulnerability could be exploited can be described as high, medium, or low, as noted in Table 1.

Table 1: Risk Likelihood Levels (Adapted from NIST's Risk Management Guide for Information Technology Systems)

Likelihood Level | Likelihood Definition
High             | The threat's source is highly motivated and sufficiently capable, and controls that prevent the vulnerability from being exercised are ineffective.
Medium           | The threat's source is motivated and capable, but controls are in place that may impede a successful exercise of the vulnerability.
Low              | The threat's source lacks motivation or capability, and controls are in place to prevent or significantly impede the vulnerability from being exercised.

Identifying the Risk's Impact

The next step is to determine the impact that the threat could have on the organization. It is important for auditors to understand that not all threats will have the same impact. This is because each system in the organization most likely will have a different value (i.e., not all systems in the organization are worth the same or regarded in the same way). For instance, to evaluate the value of a system, auditors should identify the processes performed by the system, the system's importance to the company, and the value or sensitivity of the data in the system. A system that handles the company's payroll will have more value than the system that is used to keep the lunchroom menu database.

The impact of a security event can be defined as a breach or loss of confidentiality, integrity, or availability, which may result in an unauthorized disclosure of company information (i.e., loss of confidentiality), the improper modification of the information (i.e., loss of integrity), or a system's unavailability when needed (i.e., loss of availability). The magnitude of impact also can be categorized as high, medium, or low, as shown in Table 2.

Table 2: Risk Impact Levels (Adapted from NIST's Risk Management Guide for Information Technology Systems)

Impact | Definition
High   | High impact risks may result in the highly costly loss of assets; risks that significantly violate, harm, or impede operations; or risks that cause human death or serious injury.
Medium | Medium impact risks may result in the costly loss of assets; risks that violate, harm, or impede operations; or risks that cause human injury.
Low    | Low impact risks may result in the loss of some assets or may noticeably affect operations.

In addition, auditors need to measure the risk's actual impact on the organization. This can be done by measuring the risk's impact in a quantitative manner (e.g., revenue loss or the cost to replace IT equipment) or a qualitative manner (e.g., the loss of public confidence when a security breach is announced in the media). There are advantages and disadvantages to both approaches. The quantitative impact analysis approach provides a definite measure of the impact's magnitude, which can be used to calculate a control's cost-benefit ratio. For instance, if an asset's loss-of-availability impact is defined quantitatively as US $1,000, then a US $10 control to mitigate the threat has a cost-benefit of 100 to 1 ($1,000/$10). A major disadvantage of this quantitative approach is the use of wide numerical ranges that can become quite confusing.

For example, a 100 to 1 cost-benefit calculation can be obtained from a $1,000 loss and a $10 mitigating control or from a $500 loss and a $5 mitigating control. Therefore, simply looking at the final 100 to 1 cost-benefit ratio does not really give auditors an idea of the actual negative impact or the cost of the mitigating control. All the auditor gets are numbers in the form of ratios. On the other hand, the advantage of qualitative (i.e., high, medium, or low) analysis is that it allows the auditor to prioritize risks and identify improvement areas quickly. However, this approach does not provide the means to calculate the cost-benefit for any of the recommended controls. That is, the auditor can determine that a particular asset has a high risk, but he or she will not know what the impact's cost will be or how effective the mitigating control is.

Once a risk's impact is measured, the auditor can identify its probability of occurring and complete an impact assessment for each risk. Table 3 can be used when determining the risk's probability or likelihood of occurrence:

Table 3: Threat Probability Table

Threat Probability | Low Impact (1–10)    | Medium Impact (11–20) | High Impact (21–30)
High (1.0)         | Medium 10 (10 x 1.0) | Medium 20 (20 x 1.0)  | High 30 (30 x 1.0)
Medium (0.5)       | Low 5 (10 x 0.5)     | Medium 10 (20 x 0.5)  | Medium 15 (30 x 0.5)
Low (0.1)          | Low 1 (10 x 0.1)     | Low 2 (20 x 0.1)      | Low 3 (30 x 0.1)

When using Table 3, the auditor will rate the risk as having a low, medium, or high impact. The table defines the risk's impact scale as:
When addressing risks, many organizations usually start by correcting those risks with a lower impact to the organization and a lower probability, because these are easier to fix, and fixing a greater number of open issues in a short amount of time looks better on paper. However, auditors should recommend that organizations start by addressing those risks that have the highest likelihood of occurring and the highest impact. By focusing on the low-impact risks first, the company remains vulnerable to the high-impact risks that can cause irreparable damage. In addition, while high impact/high likelihood risks should be a high priority, low impact/high likelihood risks and high impact/low likelihood risks also may require immediate attention. Therefore, each risk should be carefully evaluated before determining which risk needs to be addressed first. For example, a system that is connected to the Internet may be highly vulnerable because a specific software patch is not installed and any Trojan coming from the Internet can infect the system. As a result, if the system remains unpatched, it could greatly impact the organization's day-to-day operations (i.e., there is a high likelihood that the unpatched system will have a high impact on the organization). Now, imagine that the organization uses another system that is not connected to the Internet. In this case, the impact to the organization is still high because the system is not patched and is vulnerable to any Trojan that makes its way through the network. However, because the machine is not connected to the Internet, the threat likelihood is low (i.e., this is an example of a high impact/low probability risk). From these two situations, the auditor can determine that the first system poses a higher risk to the organization and should be fixed first.
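The following is an added example, not code from the article or from NIST, that scores and ranks risks the way Table 3 does (impact value multiplied by threat probability, with the level labels the table assigns to each cell), ranks the two unpatched systems discussed above, and computes the quantitative cost-benefit ratio from the earlier section to show why the ratio alone hides the magnitudes. The Risk class, the function names, and the sample risk list are constructed for illustration.

```python
"""Risk scoring and prioritization modelled on the article's Table 3, plus the
cost-benefit ratio from its quantitative-impact discussion (added example)."""
from dataclasses import dataclass

# Factor values as given in Table 3 (row headers) and its impact bands (column headers).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Medium": 20, "High": 30}   # top value of each impact band

# Risk-level labels exactly as Table 3 assigns them to each (likelihood, impact) cell.
RISK_LEVEL = {
    ("High", "Low"): "Medium", ("High", "Medium"): "Medium", ("High", "High"): "High",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "Medium",
    ("Low", "Low"): "Low", ("Low", "Medium"): "Low", ("Low", "High"): "Low",
}

@dataclass
class Risk:                 # constructed for this example
    name: str
    likelihood: str         # "High" | "Medium" | "Low"
    impact: str             # "High" | "Medium" | "Low"

def score(risk):
    """Numeric risk score = impact value x threat probability, as in each Table 3 cell."""
    return round(IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood], 2)

def level(risk):
    """Qualitative level for the cell, looked up from Table 3."""
    return RISK_LEVEL[(risk.likelihood, risk.impact)]

def prioritize(risks):
    """Highest score first; ties broken by impact, since the article notes that
    high-impact/low-likelihood risks may still need immediate attention."""
    return sorted(risks, key=lambda r: (score(r), IMPACT[r.impact]), reverse=True)

def cost_benefit(loss_usd, control_cost_usd):
    """Quantitative cost-benefit ratio as the article computes it ($1,000 / $10 = 100)."""
    return loss_usd / control_cost_usd

# Constructed sample: the article's two unpatched systems plus a low-value system.
SAMPLE_RISKS = [
    Risk("unpatched system, not Internet-connected", "Low", "High"),
    Risk("lunchroom menu database outage", "Medium", "Low"),
    Risk("unpatched Internet-connected system", "High", "High"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{score(r):5.1f}  {level(r):6}  {r.name}")
    # Both pairs yield 100 to 1, which is the article's point about ratios hiding magnitude.
    print(cost_benefit(1000, 10), cost_benefit(500, 5))
```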
Moving Forward

Many organizations are implementing risk management programs that can help them address companywide risks and potential threats. In the area of IT, an effective risk management program relies on the auditor's expertise, thus enabling the organization to apply the necessary risk management controls to a specific area or IT system. To maximize its effectiveness, auditors should recommend that the risk management initiative receive the support and commitment of senior management. This will help to set the proper tone at the top for the program, as well as ensure that controls are managed properly and that implemented risk management policies and procedures are adhered to by company staff. In addition, the proper tone at the top will help to establish the organization's attitude toward risk and the kinds of risks that are acceptable. Finally, the audit team needs to have the proper training or expertise in the area of risk management to better identify and rate risk levels, as well as to evaluate controls to determine whether they meet the organization's risk management needs. Besides the NIST guide and the regulations and frameworks mentioned at the beginning of this article, beginner internal auditors can refer to the following two documents for additional information on the risk management process: