Risk Management vs. Risk Assessment
As Chapter 2 discussed, the terms risk management and risk assessment are not
interchangeable.
The Microsoft security risk management process defines risk management as the
overall process to manage risk to an acceptable level across the business. Risk
assessment is defined as the process to identify and prioritize risks to the
business. As outlined in the previous diagram, risk management is comprised of
four primary phases: Assessing Risk, Conducting Decision Support, Implementing
Controls, and Measuring Program Effectiveness. Risk assessment, in the context
of the Microsoft security risk management process, refers only to the Assessing
Risk phase within the larger risk management cycle.
Another distinction between risk management and risk assessment is how often
each process is initiated. Risk management is defined as an ongoing cycle, but
it is typically restarted at regular intervals to refresh the data in each
stage of the management process. The risk management process is normally
aligned with an organization's fiscal accounting cycle so that budget requests
for controls fit normal business processes. An annual interval is most common,
because it aligns new control solutions with annual budgeting cycles.
Although risk assessment is a required, discrete phase of the risk management
process, the Information Security Group may conduct multiple risk assessments
independent of the current risk management phase or budgeting cycle. The
Information Security Group may initiate them anytime a potentially
security-related change occurs within the business, such as the introduction of
new business practices, discovered vulnerabilities, or changes to the
infrastructure. These frequent risk assessments are often referred to as
ad-hoc risk assessments, or limited scope risk assessments, and should be
viewed as complementary to the formal risk management process. Ad-hoc
assessments usually focus on one area of risk within the business and do not
require the same amount of resources as the risk management process as a whole.
Appendix A, "Ad-Hoc Assessments," outlines and provides an example template of
an ad-hoc risk assessment.
Table 3.1 Risk Management vs. Risk Assessment
| | Risk Management | Risk Assessment |
|---|---|---|
| Goal | Manage risks across business to acceptable level | Identify and prioritize risks |
| Cycle | Overall program across all four phases | Single phase of risk management program |
| Schedule | Ongoing | As needed |
| Alignment | Aligned with budgeting cycles | N/A |
Communicating Risk
Various people involved in the risk management process often define the term
risk differently. In order to ensure consistency across all stages of the
risk management cycle, the Microsoft security risk management process requires
that everyone involved understand and agree upon a single definition of the term
risk. As defined in Chapter 1, "Introduction to the Security Risk Management
Guide," risk is the probability of an impact
occurring to the business. This definition requires the inclusion of both an
impact statement and a prediction of when the impact may occur, or, in other
words, probability of impact. When both elements of risk (probability and
impact) are included in a risk statement, the process refers to this as a
well-formed risk statement. Use the term to help ensure consistent
understanding of the compound nature of risk. The following diagram depicts risk
at this most basic level.
All
rights reserved. ©1998 - 2010, Vibrant Worldwide Inc.