Info Security Memo

Risk Management

1/24/2023


Governance is at the centre of effective technology risk management. Those charged with governance should work with the management team to develop and oversee the firm’s technology strategy and risk management program.





[Figure: Risk Assessment within the Risk Management Process]

[Figure: Risk Management Hierarchy]



Process of Managing Risk (Technology)

Generally, firms should consider developing a process to manage technology risk. The same process can also be used to manage all other types of risk at the firm.


1 Identify critical technology and vendors

The first step is to itemize a list of all the technology being used at the firm, who and which business area uses it, and for what purpose. This will help determine the critical technology that the firm uses and relies on, which is a key first step. The following are potential areas for firms to consider:
a. The list should be filled out by the business line staff and technology staff to inventory all technology being used at the firm. Refer to Appendix B for a high-level summary of areas where technology is generally used in the investment industry.
b. In order to effectively manage the risk, the identification should also incorporate:
i. How the firm is accessing the technology. For example, is the firm developing it, is it white-labeled/licensed directly, or does the firm access it through a vendor; and
ii. What the underlying technology is.


2 Identify risk events

The next step is to identify the high risk events, i.e. things that could go wrong, and how they could go wrong, by listing threats and threat vectors (refer to section 5).
a. What could go wrong (i.e., identify threats) – This is a list of the potential incidents that could make the technology, the vendor or its output unreliable, unavailable, insecure or ineffective.
b. How could it go wrong (i.e., identify threat vectors and actors) – This is a list of the ways in which the potential incidents could occur. It may be helpful to categorize them based on whether they are internal or external threats, and further by whether they are accidental or intentional. Any controls designed will then depend on the source of the threat.
Firms that are starting out with this process may find it helpful to brainstorm a list of possible threats with the business line users and technology staff. This may help to identify those risk events that have a higher impact and likelihood.


3 Assess the risk of the event

Firms should consider assessing the seriousness of each risk event based on a combination of its likelihood and impact. This helps identify those risk events that need the most urgent attention. Note that this assessment will differ for each firm based on how it is structured, its business model, its stakeholders and its strategic goals.

3.1 Likelihood

When assessing the likelihood of an event occurring, it helps to base the assessment on the range of probable outcomes. For example, the likelihood of the event occurring could be:
Rare,
Unlikely,
Possible,
Likely, or
Very Likely.

3.2 Impact

When assessing the impact of an event occurring, it is again helpful to base the assessment on the range of significance. For example, if the event were to occur, its impact could be:
Insignificant,
Minor,
Moderate,
Major, or
Significant or Material.

Accordingly, the firm should consider who will be impacted and the nature and amount of impact:
• Who would be impacted? Who are the stakeholders that rely on the technology or its output – for example, which staff, departments or business functions, clients, regulators, service relationships, etc. would be impacted if the risk event were to occur?
• What would be the business impact? What would the risk event cost the firm if it were to occur? Some examples include:
    o Lost revenues / customers
    o Business downtime
    o Financial costs to recover / respond / replace / remediate / redress
    o Lost reputation
    o Legal or contractual liability (e.g., because of missed deadlines or inability to meet service delivery obligations)
    o Compliance and regulatory liability

4 Design and implement controls to manage risk events

Once the likelihood and impact of a risk event have been determined, the next step would be to sort them in descending order, from those events that have the highest likelihood and highest impact to those assessed as having the lowest likelihood and lowest impact. Accordingly, controls to manage the risk events would be prioritized such that:
a. Risk events with a combined assessment of high likelihood and high impact, which are the high technology risks to the firm, would be the key area of focus to design and implement sufficient and appropriate controls to manage these risk events.
b. Those risk events with a combined assessment of low likelihood and low impact are given the least attention and resources. There may be no need to focus on controls other than to ensure that their assessment of likelihood and impact is accurate and does not increase.
For each of these events, the general techniques that firms should consider applying to manage risk are to avoid, accept, transfer or mitigate the risk.
Avoid – This technique advocates avoiding or getting rid of the technology if the likelihood of an event is high or possible and its impact is significant or material. Keep in mind that eliminating technology that has been fully implemented or has been in use for a while may be difficult and expensive. In such cases, “Accept” may be a better alternative.
Accept – This technique advises firms to leave it alone or do nothing. This is a viable option where the firm’s assessment of the risk of the event is determined to be rare or unlikely to occur, and of insignificant or minor impact.
Transfer – This technique involves sharing, transferring or offsetting the risk to another party. Examples of methods used to transfer risk are insurance and outsourcing relationships. Note that there are costs associated with transferring the risk, and transfer by itself may not be sufficient. Certain risks, like regulatory, compliance, legal and reputational risk, may not be transferable.
Mitigate – This technique involves the firm designing and implementing general and specific controls to reduce the likelihood and impact of a risk event occurring. For areas where acceptance, avoidance and transference of risk are not sufficient or possible, controls need to be implemented to manage the specific higher risk event.


4.1 Risk Management Matrix

While there are several methods available depending on the size of the organization and number of business lines, in general, the following matrix demonstrates how a specific risk event can be managed.

5 Review and update the risk register

Firms should consider compiling the list of all risk events, the risk assessment, and the controls in a document or a “risk register” and making sure that the risk register is regularly reviewed and updated. The frequency of the review would depend on the firm’s business model, characteristics and whether significant changes to IT have been introduced.
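The scoring, prioritization, treatment selection and review steps described in sections 3 to 5 can be carried out with a small risk register tool. The script below is an added example written for this post; it is not from the original article or from the referenced NIST publications. It maps the post's five-level likelihood and impact scales onto 1..5, uses likelihood × impact as the combined assessment, sorts the register in descending order, and applies the post's stated rules for "accept" (rare/unlikely and insignificant/minor) and "avoid" (possible-or-higher likelihood and significant/material impact). The threshold used to flag "transfer" (Major-or-worse impact on a risk type that is not regulatory, compliance, legal or reputational), the numeric mapping, the `RiskEvent` fields and the sample register entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Likelihood(IntEnum):
    """Section 3.1 scale mapped to 1..5 (numeric mapping is this example's choice)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    VERY_LIKELY = 5


class Impact(IntEnum):
    """Section 3.2 scale mapped to 1..5; SIGNIFICANT stands for 'Significant or Material'."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SIGNIFICANT = 5


# Risk types the post says may not be transferable through insurance or outsourcing.
NON_TRANSFERABLE = {"regulatory", "compliance", "legal", "reputational"}


@dataclass
class RiskEvent:
    technology: str          # step 1: the technology and how it is accessed
    threat: str              # step 2: what could go wrong
    likelihood: Likelihood   # step 3.1
    impact: Impact           # step 3.2
    category: str = "operational"
    controls: list = field(default_factory=list)   # step 4: controls decided on
    last_reviewed: date = date(2023, 1, 24)         # step 5: review bookkeeping

    @property
    def score(self) -> int:
        # Combined assessment: likelihood x impact, so 1..25.
        return int(self.likelihood) * int(self.impact)


def suggest_treatment(ev: RiskEvent) -> str:
    """Map avoid/accept/transfer/mitigate onto the two scales.

    'accept' and 'avoid' follow the thresholds stated in section 4 of the post;
    the 'transfer' rule (Major-or-worse impact on a transferable risk type) is an
    assumption added for this example, since the post gives no threshold for it.
    """
    if ev.likelihood <= Likelihood.UNLIKELY and ev.impact <= Impact.MINOR:
        return "accept"
    if ev.likelihood >= Likelihood.POSSIBLE and ev.impact == Impact.SIGNIFICANT:
        return "avoid"
    if ev.impact >= Impact.MAJOR and ev.category not in NON_TRANSFERABLE:
        return "transfer+mitigate"
    return "mitigate"


def prioritize(register):
    """Sort descending: highest combined score first, ties broken by impact."""
    return sorted(register, key=lambda e: (e.score, e.impact, e.likelihood), reverse=True)


def overdue_reviews(register, today, max_age_days=365):
    """Step 5: events whose last review is older than the firm's review cycle."""
    return [e for e in register if (today - e.last_reviewed).days > max_age_days]


def render(register) -> str:
    """Plain-text risk register, one row per event, highest risk first."""
    rows = [f"{'score':>5}  {'L':<11} {'I':<13} {'treatment':<18} technology: threat"]
    for e in prioritize(register):
        rows.append(f"{e.score:>5}  {e.likelihood.name:<11} {e.impact.name:<13} "
                    f"{suggest_treatment(e):<18} {e.technology}: {e.threat}")
    return "\n".join(rows)


def sample_register():
    """Constructed sample entries for this example; not from any real firm."""
    return [
        RiskEvent("Client portal (vendor-hosted)", "Vendor outage during trading hours",
                  Likelihood.LIKELY, Impact.MAJOR, "operational",
                  last_reviewed=date(2021, 12, 1)),
        RiskEvent("Reconciliation spreadsheet macro (in-house)",
                  "Unsupported macro produces wrong positions",
                  Likelihood.POSSIBLE, Impact.SIGNIFICANT, "operational"),
        RiskEvent("Trade reporting feed (licensed)", "Feed failure causes late regulatory filing",
                  Likelihood.POSSIBLE, Impact.MAJOR, "regulatory"),
        RiskEvent("E-mail (SaaS)", "Statement sent to the wrong client",
                  Likelihood.UNLIKELY, Impact.MINOR, "operational"),
        RiskEvent("Office Wi-Fi (in-house)", "Guest network misconfiguration exposes a printer",
                  Likelihood.RARE, Impact.MODERATE, "operational"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    print(render(reg))
    print("overdue for review:", [e.technology for e in overdue_reviews(reg, date(2023, 1, 24))])
```

Run as-is, the register prints in descending score order (16, 15, 12, 4, 3) with the vendor-hosted portal suggested for transfer plus mitigation, the unsupported macro for avoidance (retiring the tool), the regulatory feed for mitigation only because regulatory risk is not treated as transferable, and the e-mail event accepted; the portal entry is also reported as overdue because its last review is more than a year old. The treatment rule is deliberately simple: as the post notes, "avoid" may be impractical for technology already in production, so the suggestion is a starting point for the governance discussion, not a decision.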



Principles of Technology Risk

When implementing a technology risk management plan and thinking about risk events, it is important to understand the principles of technology risk.
Accordingly, the four pillars of technology risk to consider are confidentiality and security, integrity and accuracy, availability and sustainability, and efficiency and effectiveness.





[Figure: Risk Assessment]

[Figure: Risk Assessment Process]
References

  • NIST’s Guide for Conducting Risk Assessments – Special Publication 800-30
    • Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View;
    • Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach;
    • Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations; and
    • Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans.
  • NIST Cybersecurity Framework
  • Fundamentals of Technology Risk Management (pdf)

via Blogger http://blog.51sec.org/2023/01/risk-management.html
January 24, 2023 at 09:00PM Architecture
1 Comment
Identity Verification link
1/26/2023 01:31:22

Thanks for sharing your ideas and thoughts! In order to create a one-stop digital property for multiple products - current accounts, loans, mortgages etc - to avoid in person visits to physical locations whilst meeting KYC compliance. Implement OCR Labs as their identity verification process and saw application times and abandonment rates drop dramatically.
