Planned objective:
“Planned objective could be any aspect of an enterprise’s financial, strategic, operational processes, products etc.”
SOURCES OF RISK
• Sources of risk are the areas from which risks can arise.
• Identification of the sources of risk is a very important step in the risk management process.
• It gives information about possible threats and vulnerabilities, so that an appropriate risk management strategy can be adopted.
Some of the common sources of risk are:
a. Commercial and Legal Relationships,
b. Economic Circumstances,
c. Human Behavior,
d. Natural Events,
e. Political Circumstances,
f. Technology and Technical Issues,
g. Management Activities and Controls, and
h. Individual Activities.
Characteristics of Risk:
Broadly, risk has the following characteristics:
a. Potential loss: the potential loss that exists as the result of the threat/vulnerability process.
b. Uncertainty of loss: the uncertainty of loss, expressed in terms of the probability of such loss.
c. Probability/likelihood: the probability that a threat agent will mount a specific attack against a particular system.
Types of Risks
Broad categorization of risks:
A. Business Risks
B. Technology Risks
C. Data related risks
Business Risks:
Businesses face various kinds of risks, which may be financial, strategic, regulatory etc. in nature. The various types of business risks are:
I. Strategic Risk
II. Financial Risk
III. Regulatory Risk
IV. Operational Risk
V. Hazard Risk
VI. Residual Risk
| Sr. No. | Risk type | Meaning |
|---|---|---|
| 1. | Strategic Risk | Risks that would prevent an organization from accomplishing its objectives. Example: competitive risk, i.e. inability to respond to a competitor's move. |
| 2. | Financial Risk | Risk that could result in a negative financial impact on the organization (waste or loss of assets). Example: liquidity risk, interest-rate risk, credit risk, market risk etc. |
| 3. | Regulatory Risk | Also called compliance risk. Risk that could expose the organization to fines and penalties from government due to non-compliance with laws and regulations. Example: GST violation. |
| 4. | Operational Risk | Risk that could prevent the organization from operating in the most effective and efficient manner, or be disruptive to other operations, due to inefficiencies or breakdowns in internal processes, people and systems. Example: lack of, or a faulty, BCP. |
| 5. | Hazard Risk | Risks that are insurable. Example: natural disasters, insurable liabilities, terrorism etc. |
| 6. | Residual Risk | The risk remaining even after countermeasures have been analyzed and implemented. |

Management of risk focuses on reducing the impact the organization would otherwise face when a safeguard is lacking. An organization's management of risk should consider two areas: a. acceptance of residual risk, and b. selection of safeguards. 100% elimination of risk is not possible; even after safeguards are implemented, some residual risk remains. Management therefore needs a clear focus on keeping residual risk at an acceptable level so that it can be managed.
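The two decisions named above (selecting safeguards, then accepting or treating what remains) are easiest to see on a small risk register. The following Python is an added example, not code from the source notes: it scores each risk as likelihood times exposure, applies countermeasures as multiplicative reductions, and compares the residual risk with an acceptable level. All asset names, numbers and countermeasure effects are constructed for illustration.

```python
"""Residual-risk calculation for a small risk register (added example).

Terms follow the notes: a threat exploits a vulnerability in an asset with
some likelihood; exposure is the loss if the risk materializes; a
countermeasure reduces likelihood and/or exposure; what is left after the
countermeasures is the residual risk, which management either accepts
(at or below the acceptable level) or treats further.
"""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    name: str
    likelihood_factor: float = 1.0  # 0.5 means the safeguard halves the likelihood
    exposure_factor: float = 1.0    # 0.25 means the loss on occurrence is cut to a quarter


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float   # probability (per year) that the threat succeeds
    exposure: float     # loss, in currency units, if the risk materializes
    countermeasures: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Risk score before any safeguard is considered."""
        return self.likelihood * self.exposure

    def residual_risk(self) -> float:
        """Risk score after every selected countermeasure is applied."""
        likelihood, exposure = self.likelihood, self.exposure
        for cm in self.countermeasures:
            likelihood *= cm.likelihood_factor
            exposure *= cm.exposure_factor
        return min(likelihood, 1.0) * exposure


def treatment_plan(register, acceptable_level):
    """Return {(asset, threat): (decision, residual)} where decision is
    'accept' when residual risk is within the acceptable level, else 'treat'."""
    plan = {}
    for risk in register:
        residual = risk.residual_risk()
        decision = "accept" if residual <= acceptable_level else "treat"
        plan[(risk.asset, risk.threat)] = (decision, residual)
    return plan


# Constructed register: numbers and safeguards are illustrative only.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched server",
         likelihood=0.4, exposure=500_000,
         countermeasures=[Countermeasure("patch management", likelihood_factor=0.5),
                          Countermeasure("offline backups", exposure_factor=0.25)]),
    Risk("online banking portal", "credential theft", "weak passwords",
         likelihood=0.8, exposure=200_000,
         countermeasures=[Countermeasure("multi-factor authentication", likelihood_factor=0.25)]),
]

ACCEPTABLE_LEVEL = 30_000  # constructed management threshold


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.asset}: inherent={risk.inherent_risk():,.0f} "
              f"residual={risk.residual_risk():,.0f}")
    for key, (decision, residual) in treatment_plan(REGISTER, ACCEPTABLE_LEVEL).items():
        print(f"{key[0]} / {key[1]}: {decision} ({residual:,.0f})")
```

The point the register makes is the one in the text: the banking-portal risk still exceeds the acceptable level after its safeguard, so it is marked for further treatment, while the database risk is accepted as residual risk rather than pushed toward an unreachable zero.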
Technology Risks:

| Sr. No. | Risks/Challenges | Description |
|---|---|---|
| 1. | Downtime due to technology failure | If any equipment, server, machine etc. fails, the information system facilities become unavailable; this is called downtime. It is very important to keep up-time high and down-time as low as possible. |
| 2. | Frequent changes or obsolescence of technology | The only thing that does not change is change itself. Technology changes continuously: every day new things are introduced and existing ones quickly become obsolete. Ever-changing technology brings the challenge of selecting technology in a properly planned way, keeping the future in mind, so as to avoid loss. |
| 3. | Multiplicity and complexity of systems | Companies nowadays use multiple digital platforms, as in the banking system, which makes them quite complex. This requires the involvement of both personnel and vendors. Personnel should have the requisite technology skills, or management of the technology could be outsourced to a company having the relevant skill set, or a combination of the two may be used. |
| 4. | Different types of controls for different types of technologies/systems | Different types of controls need to be applied according to the kind of technology or system deployed. |
| 5. | Proper alignment with business objectives and legal/regulatory requirements | A system is designed, developed and deployed considering the objectives to be achieved, but at the same time it should also comply with legal requirements. Creating proper alignment between business requirements and legal requirements is a challenge for business. |
| 6. | Dependence on vendors due to outsourcing of IT services | In an automated environment the organization needs highly qualified employees with specialized domain skills to manage systems and IT resources; organizations usually lack them, which results in outsourcing to vendors. Outsourcing results in over-dependence on the vendor, which gives rise to vendor risk. |
| 7. | Vendor related concentration risk | The organization depends on multiple vendors for different types of services such as network, system software, application software and hardware. This results in higher risk due to heavy dependence on vendors. |
| 8. | Segregation of Duties (SoD) | SoD is the splitting of tasks with clearly defined roles, authority and responsibility. For example, in a banking transaction SoD does not allow a single employee to initiate, authorize and disburse a loan; where it is absent, the possibility of misuse cannot be ignored. |
| 9. | External threats leading to cyber frauds/crime | Technology and online systems have their own disadvantages as well, such as cyber-crime and fraud. |
| 10. | Higher impact due to intentional or unintentional acts of internal employees | End users are not very security conscious, and employees in a technology environment are the weakest link in an enterprise. |
| 11. | New social engineering techniques employed to acquire confidential credentials | Fraudsters use new social engineering techniques, such as socializing with employees and extracting information, which is then used without authorization to commit fraud. |
| 12. | Need for governance processes to manage technology and information security | Security cannot exist in a vacuum and must be part of a larger risk management strategy driven by the company's goals and vision. Hence controls should be implemented from a business perspective and not just from a technology and function perspective. Senior management should be involved in directing how technology is deployed and should approve appropriate policies. |
| 13. | Need to ensure business continuity in the event of major exigencies | A well-documented BCP should be planned, implemented and monitored to ensure resilience. |
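The SoD item above (no single employee may initiate, authorize and disburse the same loan) can be checked in two places: preventively, against the roles granted to each user, and detectively, against the workflow log after the fact. The following Python is an added example, not code from the source notes; the log format, user names and loan identifiers are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over a loan workflow log (added example).

Each log line is constructed as: timestamp,loan_id,step,user.
A violation is any loan on which one user performed two or more of the
conflicting steps, which is exactly the case the notes say SoD must prevent.
"""
import csv
from collections import defaultdict
from io import StringIO

CONFLICTING_STEPS = ("initiate", "authorize", "disburse")

# Constructed sample log: L-1001 is clean, L-1002 is handled end-to-end by
# one user, and on L-1003 the initiator also authorized.
SAMPLE_LOG = """\
2024-03-01T09:12:00,L-1001,initiate,asha
2024-03-01T10:05:00,L-1001,authorize,rahul
2024-03-01T11:30:00,L-1001,disburse,meena
2024-03-02T09:00:00,L-1002,initiate,vikram
2024-03-02T09:02:00,L-1002,authorize,vikram
2024-03-02T09:05:00,L-1002,disburse,vikram
2024-03-03T14:00:00,L-1003,initiate,asha
2024-03-03T15:10:00,L-1003,authorize,asha
2024-03-03T16:00:00,L-1003,disburse,meena
"""


def parse_log(text):
    """Parse the comma-separated workflow log into a list of dicts."""
    rows = []
    for ts, loan, step, user in csv.reader(StringIO(text)):
        rows.append({"ts": ts, "loan": loan, "step": step, "user": user})
    return rows


def find_sod_violations(rows):
    """Detective control: return {loan_id: {user: [steps]}} for every loan on
    which a single user performed two or more conflicting steps."""
    steps_by_loan_user = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["step"] in CONFLICTING_STEPS:
            steps_by_loan_user[r["loan"]][r["user"]].append(r["step"])
    violations = {}
    for loan, per_user in steps_by_loan_user.items():
        offenders = {u: steps for u, steps in per_user.items() if len(set(steps)) >= 2}
        if offenders:
            violations[loan] = offenders
    return violations


def check_role_assignments(user_roles):
    """Preventive control: return {user: conflicting_roles} for every user whose
    granted roles alone would let them perform two or more conflicting steps."""
    conflicts = {}
    for user, roles in user_roles.items():
        held = sorted(set(roles) & set(CONFLICTING_STEPS))
        if len(held) >= 2:
            conflicts[user] = held
    return conflicts


if __name__ == "__main__":
    for loan, offenders in find_sod_violations(parse_log(SAMPLE_LOG)).items():
        for user, steps in offenders.items():
            print(f"SoD violation on {loan}: {user} performed {', '.join(steps)}")
    # Constructed role table: vikram holds all three conflicting roles.
    roles = {"vikram": ["initiate", "authorize", "disburse", "view"],
             "asha": ["initiate", "view"], "rahul": ["authorize"]}
    print("conflicting role grants:", check_role_assignments(roles))
```

The preventive check is the cheaper control, since it stops the conflict at the point roles are granted; the detective check is still worth running because role data drifts and emergency access is sometimes granted outside the normal process.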
| Sr. No. | Term | Description |
|---|---|---|
| 1. | Risk Management | The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. |
| 2. | Asset | Something of value to the organization. Assets may include hardware, software, facilities, employees etc. Irrespective of their nature, all assets have one or more of the following characteristics: (a) recognized to be of value to the organization; (b) not easily replaceable without cost, skill, time, resources or a combination of these; (c) form part of the organization's corporate identity; (d) their data classification would normally be Proprietary, Highly Confidential or even Top Secret. |
| 3. | Vulnerability | A weakness in the system safeguards that renders the system susceptible to attack. Vulnerabilities potentially “allow” a threat to harm or exploit the system. Examples: (a) poor physical access control; (b) short and weak passwords. A vulnerability is a state in a computing system (or set of systems) that satisfies at least one of the following conditions: (a) allows an attacker to execute commands as another user; (b) allows an attacker to access data contrary to the specified access restrictions for that data; (c) allows an attacker to pose as another entity; (d) allows an attacker to conduct a denial of service. |
| 4. | Threat | Any entity, circumstance, action, event or condition which causes harm, or has the potential to harm, the system or its components. It affects quality and has the ability to inflict harm on the organization. A threat has the capability to attack a system with intent to harm. |
| 5. | Exposure | The extent of loss the enterprise has to face when a risk materializes. |
| 6. | Likelihood | The estimate of the probability that the threat will succeed in achieving an undesirable event. |
| 7. | Attack | An attempt to gain unauthorized access to the system's services. A set of actions designed to compromise CIA (Confidentiality, Integrity or Availability), or any other desired feature, of an information system. The act of trying to defeat information system safeguards. |
| 8. | Counter Measure | An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system. |