What Is There in Terminology? Risk Analysis, Risk Assessment and Risk Evaluation

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 1 May 2019

Determining risk is common sense, and risk management is “common sense formalized.” Many times, we subconsciously determine risk to make decisions. The difficulty arises when a group of people must agree on what risk is, perceived or otherwise. To get a group of people to agree on anything, a certain approach is required to reach consensus. In the case of risk, this approach must utilize a risk management framework. To ensure interpretation of the framework is consistent, it is critical to develop a taxonomy.

Taxonomy is important in risk management because many terms associated with risk are defined and categorized differently by different risk professionals. In an organization, it is expected that risk owners make risk-informed decisions, which is only possible if they understand terms related to risk in the same way. This makes taxonomy the most essential part of a risk management framework.

However, while attempting to define the risk management framework taxonomy, I was challenged by 3 terms—risk analysis, risk assessment and risk evaluation—because these terms are often used interchangeably by risk practitioners. This may be because we perform risk analysis, risk assessment and risk evaluation simultaneously in practice. However, when risk owners adhere to different term meanings, the outcome of risk management efforts may differ across risk owners. Although differing understandings of term meanings by different risk practitioners might not affect an organization’s risk management process, especially since these 3 terms are performed simultaneously, we must differentiate them to approach risk management fully.

Since emphasis is placed on ensuring that the interpretation of these terms is consistent, instead of trying to define these terms according to various risk management resources, it may be best to use the clear and comprehensive definitions in ISACA’s CRISC Review Manual. Let us examine risk analysis, assessment and evaluation in this context:

Risk analysis—1. A process by which frequency and magnitude of IT risk scenarios are estimated.

2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.

Scope notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Risk assessment—A process used to identify and evaluate risk and its potential effects.

Scope note: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Risk evaluation—The process of comparing the estimated risk against given risk criteria to determine the significance of the risk (ISO/IEC Guide 73:2002).

As a risk practitioner, I have found that when the risk owner clearly understands these definitions and underlying activities, they are less confused when performing risk analysis, assessment and evaluation. As a result, risk management efforts are more consistent across the organization and risk is more comprehensively addressed.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.