Business Risk Management

Why conduct Business Risk Management?

All business solutions carry some element of risk. Projects that include Risk Management Planning and stakeholder engagement processes are 30% more likely to be successful. Conversely, 70% of project failures are due in large part to risks from unplanned employee resistance and lack of change management support.

Project Managers and Change Agents who cultivate the ability to apply a systematic risk management process will find their solutions run more smoothly, creating deliverable and process clarity as well as a more positive experience for everyone involved.

Where to Apply Business Risk Management

It is impossible to manage all business risk. It is also unwise to spend so much time in analysis that you fail to deliver. The right size of business risk management discipline depends largely upon your industry governance, corporate culture, and the level of risk management required.

Lines of Business Units will often have standard Business Risk Management cases to consider. Business Process and Governance Groups may have Risk Management best practices, and Enterprise Change Management might have its own risk management best practices. Business Risk Management helps to document risks and view them from these various best-practice levels, which helps onboard new vendors, team members, and project champions for successful change and business transformation project management.

Some examples that come to mind include:

What are the Risk Management Steps?

  1. IDENTIFY RISK: Determine the level of risk you’re dealing with.
  2. UNDERSTAND RISK TOLERANCE: Decide what risk is unacceptable to your business. Present it in a standard format: what could happen, how it could happen, and why your organization should care.
  3. PLAN RISK ACTION PLAN: Cover impact effects, risk assessment, and response review. Agree how to handle the actual risks. Gauge the severity and likelihood of each risk occurring in order to prioritize remediation. Develop and maintain decisions on how to deal with developing risks, with chain-of-command risk recognition and resolution.
  4. PRIORITIZE, MANAGE, MITIGATE: Apply controls, i.e. specific implementations to detect and/or prevent risks.
  5. MONITOR, SCORE AND ADVANCE: Review current capabilities to ensure we are capturing and managing all risk-related data.


High Risk Peer Review Checklist

Having a peer subject matter expert review a high-risk implementation can reduce faults in process, code, or risk mitigation. Here is a sample Peer Review Checklist:

Conducted by:   [WHO – list names]                Date of review:  [DATE]

Summarize Readiness:  
  • What issues, concerns, or risks were identified? What counterbalance measures will be taken?
Complete CR:
  • Who in the business has reviewed and confirmed readiness for the Implementation window?
  • General Communications: How will this be communicated with major stakeholder groups?
  • What are the Change Freeze Terms needed for a successful implementation (start time, end time, controlled “frozen” change types, exceptions process for P1s)?
  • ServiceDesk notification/readiness/awareness of change and impacts
  • Define plan sufficiency:  Is validation sequencing accurate and test readiness complete?
  • What must the change plan consider to address environmental impacts and risks?
  • Has an end-to-end Peer Review walked through the risk, timing, and technical steps with the owners?
  • Does the change window give ample time for Implementation, Technical & Business Validation?
  • If a change fails, did we allow enough time for repair or recovery to last working state?
  1. Agenda with dial-in moderator resource/contact list for Implementation day: addresses and who needs to be onsite (Data Center required). Who needs to be at GAP presence, or just on the bridge? All attendee contact and mobile numbers are required for checkout. All tasks included.
  2. Final plan includes a schedule per step, who is performing that step, and expected results/validation criteria
  3. Is the Implementation Plan complete and valid?

Back out or Recovery Activity:

  • What are our recovery plans for a failed step or implementation?
  • If a step fails and needs additional work, what steps would trigger a rollback to restore service?
  • Are recovery plans clearly defined and with enough time to manage our worst case scenarios?
  • Is the Back out Plan complete and valid?
  • What issues, concerns, or risks remain?  What counterbalance measures must be taken?
Validation Activity:
  • What evidence will we provide that technical and business implementation was successful?

Acronyms of Business Risk Management

Assessment Finding: Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition. [NIST SP 800-53A]

Assessment Method: A focused activity or action employed by an assessor for evaluating a particular attribute of a security control. [NIST SP 800-53]

Assigned Risk: (AR)

Business Risk Management Framework: (BRMF)

Chief Risk Officer: (CRO)

Certified Risk Manager: (CRM)

Enterprise Risk Management: (ERM)

Incident Handling: Mitigation of violations of security policies and recommended practices. [NIST SP 800-61]

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 USC Sec. 3542]

Information Security Testing: The process of validating the effective implementation of security controls for information systems and networks, based on the organization’s security requirements. [NIST SP 800-115]

Inherent Risk Likelihood: The likelihood of the event occurring if there were no controls in place. There are currently 5 levels of likelihood: L1 – Extremely Likely, L2 – Likely, L3 – Neutral, L4 – Unlikely and L5 – Extremely Unlikely.

Inherent Risk Severity of Impact: The impact that the event would have on the organization if it occurred and there were no controls in place. There are currently 5 Inherent Severities of Impact: S1 – Very High, S2 – High, S3 – Moderate, S4 – Low and S5 – Very Low.

Inherent Risk: The probability of loss arising from circumstances where no controls exist to mitigate the risk.

Mitigation Category: Can be an administrative, physical, or technical control.

Risk Register: The Risk Register contains information about identified risks, analysis of risk severity and evaluations of the possible mitigations that can be applied to cure or lower the risk.

Risk Source: The source of the identified risk, which is one of: Internal Audit, External Audit, Customer Audit, Reported, Security Incident, or Planned Risk Assessment.

Risk Treatment Plan (RTP): A comprehensive document that includes a range of options for mitigating the risk, an assessment of those options, and the preparation and implementation of follow-up actions.

Risk Treatment Evidence: Evidential matter that supports the Risk Treatment Plan and is reviewed by DocuSign’s Risk Management Team as evidence to close out the risk treatment workflow.

Risk Type: The following risk types can be entered: Compliance Risk, Financial Risk, Geographic Risk, Information Security Risk, Physical Security Risk, and Supplier Risk.

Treatment Option: The options that can be taken for a risk: Mitigate, Accept, Avoid, or Transfer.

Dawn C Simmons, IT and SecOps