Risk Management vs. Risk Assessment
As Chapter 2 discussed, the terms risk management and risk assessment are not
interchangeable.
The Microsoft security risk management process defines risk management as the
overall process to manage risk to an acceptable level across the business. Risk
assessment is defined as the process to identify and prioritize risks to the
business. As outlined in the previous diagram, risk management is comprised of
four primary phases: Assessing Risk, Conducting Decision Support, Implementing
Controls, and Measuring Program Effectiveness. Risk assessment, in the context
of the Microsoft security risk management process, refers only to the Assessing
Risk phase within the larger risk management cycle.
Another distinction between risk management and risk assessment is the
frequency of initiation of each process. Risk management is defined as an
ongoing cycle, but it is typically re-started at regular intervals to refresh
the data in each stage of the management process. The risk management process is
normally aligned with an organization's fiscal accounting cycle to align budget
requests for controls with normal business processes. An annual interval is most
common for the risk management process to align new control solutions with
annual budgeting cycles.
Although risk assessment is a required, discrete phase of the risk management
process, the Information Security Group may conduct multiple risk assessments
independent of the current risk management phase or budgeting cycle. The
Information Security Group may initiate one whenever a potentially
security-relevant change occurs within the business, such as the introduction
of new business practices, newly discovered vulnerabilities, or changes to the
infrastructure. These frequent risk assessments are often referred to as
ad-hoc risk assessments, or limited scope risk assessments, and should be
viewed as complementary to the formal risk management process. Ad-hoc
assessments usually focus on one area of risk within the business and do not
require the same amount of resources as the risk management process as a whole.
Appendix A, "Ad-Hoc Assessments," outlines and provides an example template of
an ad-hoc risk assessment.
Table 3.1 Risk Management vs. Risk Assessment

| | Risk Management | Risk Assessment |
|---|---|---|
| Goal | Manage risks across business to acceptable level | Identify and prioritize risks |
| Cycle | Overall program across all four phases | Single phase of risk management program |
| Schedule | Ongoing | As needed |
| Alignment | Aligned with budgeting cycles | N/A |
Communicating Risk
Various people involved in the risk management process often define the term
risk differently. In order to ensure consistency across all stages of the
risk management cycle, the Microsoft security risk management process requires
that everyone involved understand and agree upon a single definition of the term
risk. As defined in Chapter 1, "Introduction to the Security Risk Management
Guide," risk is the probability of an impact
occurring to the business. This definition requires the inclusion of both an
impact statement and a prediction of when the impact may occur, or, in other
words, probability of impact. When both elements of risk (probability and
impact) are included in a risk statement, the process refers to this as a
well-formed risk statement. Use the term to help ensure consistent
understanding of the compound nature of risk. The following diagram depicts risk
at this most basic level.