Вы находитесь на странице: 1из 3

2008 ISACA. All rights reserved. www.isaca.org.

Risk Management Standards:

The Bigger Picture
By David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA

isk is one of those words that everyone organization should be the result of a formal comparison and
understands and is used across many different subject to the specific needs and expectations defined by
fields and professions; this allows for a large senior management.
number of interpretations linked to specific situations. As with any standard, the risk management standards
Depending on the profession, there are very particular models, described in this article are intended to provide a general
methods and actions used to understand and manage risk. description of the elements, processes and activities required
Examples in the financial world include Value at Risk (VaR), for risk management; they do not provide a comprehensive
Montecarlo Simulations and complex models; in IT security, view or a one-size-fits-all solution.
models such as Simple to Apply Risk Analysis (SARA), The following is a brief reference to some of the most
Simplified Process for Risk Identification (SPRINT), and widely used risk management standards, including some
Operationally Critical Threat, Asset and Vulnerability references to the topics covered.
Evaluation (OCTAVE) have been applied for some time to
support risk assessments. Other professions have mechanisms AAIRM
to measure and manage risk as well. The AIRMIC, ALARM, IRM (AAIRM) standard1 includes
For information security auditors and other information references to areas such as:
security professionals, there is an opportunity to use a number Terminology definition for risk
of models for risk management, rather than limiting the scope Risk management
to risk assessment tools only. Risk management models Risk assessment
contribute to the bottom line of the organization by ensuring a Risk analysis
more comprehensive framework and increasing visibility of Risk evaluation
the balance between opportunities and risks. This is a complex Risk reporting
issue as it involves interacting with individuals at all levels in Risk treatment
the organization and establishing a common language and Risk monitoring and the review of the risk management
approach to manage risk, without trying to bring all risks process
under the same umbrella. The structure and administration of risk management
There are different standards in use, and others currently in Figure 1 shows the process flow to be followed during the
development, aimed at providing a risk management model that operation of the risk management function, maintaining a
could be deployed by organizations across different industries; cycle that covers the organizations strategic objectives to
these standards are supported by at least three well-established monitoring of the risk management model. The process flow
risk management models that have the benefit of time to reach is supported by formal audits.
maturity. The risk management models are also supported by
the increased adoption of the ISO/IEC 27001 standard from the Figure 1AIRMIC/ALARM/FIRM Risk
International Organization for Standardization (ISO) and the Management Process
International Electrotechnical Commission (IEC). The standard
has increased the number of organizations using an information
security management system (ISMS) supported by a risk
assessment working as a cornerstone. Risk Assessment
Risk Analysis
Risk Identification
Examples of Risk Management Standards Risk Description
Risk Estimation
and Frameworks Risk Evaluation Formal
Over the past two decades, a number of risk management Audit
standards have been developed as a result of demands from Risk Reporting
Threats and Opportunities
different industries, increased maturity of the profession, and
higher expectations from regulators regarding the Decision
understanding and management of risk. Each one of the Risk Treatment
standards has aspects that could benefit particular
deployments; some include more detailed recommendations, Residual Risk Reporting

while others prefer to use a more general approach. The Monitoring

selection of the appropriate risk management standard for an

I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 4 , 2 0 0 8 1
The standard also includes an appendix with a useful list of ApproachSpecific elements required to ensure the
risk identification techniques as well as risk analysis methods successful implementation of the risk management model.
and techniques that could be used to learn more about available This would include the definition of elements within the risk
developments that could support the execution of the risk management policy and other key documents.
management functions. The standard provides a good overview ProcessesCritical processes required for risk management,
of the stages and activities required for risk management; including activities involved in ensuring that risks are
however, more details would be required to implement a real- identified, assessed and controlled
life process. Embedding and reviewingEffective mechanisms that
ensure the consistent implementation of principles and
AS/NZ 4360 procedures within the organization; critical to successful
The well-known Australia and New Zealand Standard 4360, implementation of the risk framework.
Risk Management Systems Standard (AS/NZ 4360),2 includes
slightly more detail than the AAIRM standard. AS/NZ 4360 is COSO ERM
the result of a long-term evolution and maturity starting in The Committee of Sponsoring Organizations of the
1995, with a second edition in 1999 and the current version Treadway Commission (COSO) Enterprise Risk Management
published in August 2004. (ERM) framework4 provides very useful information to deploy
AS/NZ 4360:2004 follows a similar baseline as the model and operate the risk management function. Originally formed
recommended by the AAIRM. Although it does add some in 1985, COSO is a voluntary private-sector organization
references to the task of communicating and consulting the dedicated to improving the quality of financial reporting
results, AS/NZ 4360:2004 lacks the specific references to roles through business ethics, effective internal controls and
and responsibilities available in AAIRM. A representation of corporate governance. In 2004, COSO published an updated
the standard is included in figure 2. document, Enterprise Risk ManagementIntegrated
Figure 2AS/NZ 4360:2004 Risk The COSO model includes areas recommended by other
Management Standard risk management models as well as a three-dimensional matrix
matching four objectives categories, eight components and an
Communicate and consult. entitys units. This visualization of risk components provides
significant value, as it can help risk professionals to break the
problem into smaller elements, simplifying the analysis and
Establish Identify Analyze Evaluate Treat
review of solutions. As a result, automated tools could be
the the the the the developed to provide a representation of the risk profile of an
context. risk. risk. risk. risk. organization.
The areas included in COSO in the first dimension are
internal environment, event identification, risk assessment, risk
Monitor and review. response, control activities, information and communication,
and monitoring. These are referenced to the second dimension,
which includes entity level, division, business unit and
The AS/NZ risk management process and the AAIRM subsidiary. Both are then mapped with the third dimension,
standard follow a similar framework and allow risk managers which covers areas including strategic, operations, reporting
to follow an end-to-end process to ascertain the risk levels and compliance.
applicable to the specific context, analyzing and evaluating the This multidimensional view allows risk professionals to
risk, and then treating the specific risk levels and reducing slice the areas and concentrate on smaller domainsall while
exposure. There is a particular focus in the AS/NZ standard to maintaining the global scope.
the context of the process, starting with a phase dedicated to
establishing the contextual information for the risk Interaction
management framework. These examples of risk management models have supported
the maturity of the knowledge and approach to the topic.
M_o_R Currently ISO is working on the development of a standard,
The UK Office of Government Commerce (OGC) has issued Risk ManagementGuidelines on Principles and
a risk management model titled Management of Risk: Implementation of Risk Management, which is being reviewed
Guidance for Practitioners (M_o_R).3 This guide, originally and is planned for publication by the second half of 2009.
written in 2002, with a new version released in 2007, includes The importance of the proposed ISO 31000 (figure 3) is
more detailed guidance than AAIRM and AS/NZ 4360. that it provides a common language and model to be used by
M_o_R covers four main areas: organizations to implement a risk management model that
PrinciplesCritical for the development of good risk would be consistent, replicable and accurate.
management practice. Based on corporate governance,
principles are supported in the concept that risk management
is a key internal control.

2 I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 4 , 2 0 0 8
common language that would cover physical, digital, legal,
Figure 3ISO 31000 operational and financial risk, among others.
In the future, more institutions may be able to articulate risk
Communication and and information security standards and provide a single
console to senior management representing a comprehensive
Establishing the context view of riskallowing auditors to concentrate on critical risks
to the business instead of individual interpretations of risk
exposure by each unit.





Ward, Stephen; Risk Management: Organisation and Context,

Witherbys, 2005
Risk Identification Gregg, Michael; CISA Exam Prep; Exam Cram, 2007

Monitoring and Reviewing 1
Association of Insurance and Risk Managers (AIRMIC),
ALARM (National Forum for Risk Management in the Public
Risk Treatment
Sector) and Institute of Risk Management (IRM),
A Risk Management Standard, 2002, London
Australia and New Zealand, AS/NZ 4360:2004, Risk
Conclusion Management Systems Standard, 2004
What is the impact for auditors and information security Office of Government Commerce (OGC), Management of
professionals? Risk: Guidance for Practitioners (M_o_R), UK, 2007
Having a standardized methodology for risk management Committee of Sponsoring Organizations of the Treadway
would allow auditors to simplify their approach by using the Commission, Enterprise Risk ManagementIntegrated
output of the risk management framework. Once the Framework, 2004
organization has implemented a risk management model, many
information security audit and information security functions David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA
would be greatly simplified. Instead of requiring the is a senior manager for the global security consulting practice
deployment of ad hoc risk assessment methods and duplicating at Alcatel-Lucent. He has more than 13 years experience
some risk management functions, auditors and security within information security and IT audit, leading successful
professionals would be able to interact with the risk engagements worldwide. Ramirez has specific experience
management framework directly. working on behalf of the major insurance companies, auditing
This has the added advantage of senior management being banks and financial institutions around the world; this includes
aware of the risk-related decisions, and the board of a number of central banks and dozens of retail
directors being able to officially establish the risk appetite banks. He has published a number of articles and white papers,
and monitor the impact of risk management decisions across the and his second book on security was published by Wiley in
organization. January 2008.
The increased maturity and exposure of risk management
methodologies and similar evolution in information security Editors Note:
methodologies are creating the basis of risk convergence between ISACA and the IT Governance Institute (ITGI) are undertaking
the two professions. Risk management has been managed in silos an initiative to develop the IT Risk Management Framework
within companies as a core management responsibility; each that will allow business managers to assess IT controls for
business area tends to create personalized views and models on deficiencies and business risks. For more information, please
risk management. With the inception of formal risk management read the article New Framework for Enterprise Risk
models supported by information security standards, companies Management in IT in this issue.
can deploy a corporate model for risk management using a

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.

2008 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article.
Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly


3 I N F O R M AT I O N S Y S T E M S C O N T RO L J O U R NA L , VO L U M E 4 , 2 0 0 8