Gray takes stakeholders through the risks associated with conducting the given type of business using a risk matrix. "We ask them whether a given exposure to risk is acceptable given the likelihood and severity of the risk," says Gray. Then the organization can decide how to address the risk.
According to Gray, at this stage stakeholders decide whether to tolerate, terminate, treat or transfer the risk. If the risk is acceptable, the company will not do anything about it. If the risk has changed or is unacceptable, the company will terminate it by ceasing those operations. Treating the risk means reducing the likelihood or impact of the risk, and transferring the risk means covering it through insurance.
Using Risk Frameworks
Security experts point to several risk frameworks and methodologies that apply to ERM and risk appetite, recommending them alongside the proprietary methodologies they use or see organizations using.
"About 40 percent of the companies we work with base their ERM on COSO, and another 40 percent base theirs on the ISO 31000. The other 20 percent use an ad-hoc or homegrown approach," says Shinkman. (Also read COSO for CSOs, an interview with framework co-author Richard Steinberg.)
The PricewaterhouseCoopers Americas Risk Transformation Practice uses its own distillation of industry practices rather than frameworks to guide clients to improve operational strategic performance by measuring their operational risk appetite. "Frameworks are not as valuable as our expertise and experience," Faris contends.
"Because we need a global methodology, we have our own standard that we call the Security Risk Assessment Methodology (our proprietary approach), which draws on others," says Gray.
Control Risks' methodology draws on a number of security frameworks from around the world; it is rooted in the ISO 31000 risk management framework (the successor to AS/NZS 4360) and lines up with ISO Guide 73 (vocabulary) and IEC/ISO 31010 (assessment techniques).
The Security Risk Assessment Methodology also uses parts of:
- the API/NPRA Security Vulnerability Assessment,
- the US Department of Homeland Security FEMA 452 guide to conducting risk assessments,
- a modified version of the Defense Department's CARVER target analysis methodology,
- business impact analysis from BS 25999-1:2006 clause 6:2,
- and the UK Home Office Scientific Development Branch's guidelines on developing operational requirements for security.