Views: 20
Risk Management Frameworks
There are several frameworks for risk assessment. Example methodologies are:
- NIST SP 800-30: A risk assessment methodology developed by the National Institute of Standards and Technology (NIST). It involves identifying and evaluating risks, determining the likelihood and impact of each risk, and developing a risk response plan.
- Facilitated Risk Analysis Process (FRAP): A risk assessment methodology that involves a group of stakeholders working together to identify and evaluate risks. It is designed to be a more collaborative and inclusive approach to risk analysis.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): A risk assessment methodology that focuses on identifying and prioritising assets based on their criticality to the organisation’s mission and assessing the threats and vulnerabilities that could impact those assets.
- Failure Modes and Effect Analysis (FMEA): A risk assessment methodology commonly used in engineering and manufacturing. It involves identifying potential failure modes for a system or process and then analysing the possible effects of those failures and the likelihood of their occurrence.
NIST SP 800-30
Based on NIST SP 800-30, the risk management process entails four steps:
- Frame risk: First, we must establish the context within which all risk activities occur.
- Assess risk: We must identify, analyse, and evaluate potential risks and their likelihood and impact. This step is crucial to help decide on a proper response later.
- Respond to risk: We need to take the steps necessary to mitigate the likelihood or impact of the risk. The response depends on many factors, and we will cover them separately.
- Monitor risk: Finally, we continue tracking and evaluating the effectiveness of risk responses, identifying new risks, and ensuring that our risk management activities are effective. Monitoring is an ongoing process, as many criteria might change over time.