Crouhy, Galai & Mark (2000) define risk assessment as the systematic examination of a job, task or process carried out at work, undertaken for several purposes. One purpose is to identify the hazards present in the process, task or job. Another is to decide on the appropriate steps to take to reduce the risk identified, and to decide on the full set of control measures to be employed so that the risk can be reduced.
Risk assessment is carried out in four phases. The first phase is threat identification, in which all relevant threats are identified. The second phase is to determine the characteristics of the threats identified in the first phase; here the impact and the likelihood of the risk occurring are determined. The third phase is to assess the exposure to the identified risk. This is done by identifying the assets that are likely to be affected, both directly and indirectly, once the risk has materialized. The final phase is risk characterization, which determines the impact of the risk on the organization (Crouhy, Galai & Mark, 2000).
There are several steps in the process of risk management. First, the risk should be identified within the selected area of interest. Next, the remaining steps should be planned. After that, the social scope of the risk management effort, the objectives of the stakeholders and the basis on which the risk will be evaluated should be mapped out (Crouhy, Galai & Mark, 2000). Furthermore, the framework of the activity and the agendas should be identified. An analysis of the risks involved should then be developed and, lastly, solutions for containing the risk using the available resources, such as human, technological and organizational resources, should be drawn up.
Crouhy, Galai & Mark (2000) assert that the identification of the risk is the first step in risk assessment and management. The source of the risk can therefore be a problem of the firm, a problem of competitor firms (which is a benefit to the firm), or the problem itself. The source of the risk can be either internal or external. Problem analysis focuses on the threat posed by the risk. The threat can come from shareholders, customers or legislative bodies such as the government. Once the source of the problem is identified, investigation of the problem can commence.
Whitman & Mattord (2014) state that one of the best methodologies used in risk management is the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE). This methodology is structured so that risk is evaluated in terms of the organization's operations, its security practices and the technology used to mitigate the risk.
The OCTAVE approach manages risk through its essential requirements: principles, attributes and outputs. The principles are the fundamental concepts that drive the OCTAVE process, the attributes are the tangible elements of the evaluation, and the outputs are the results that should be achieved (Whitman & Mattord, 2014).
The OCTAVE approach is led by a small analysis team from the firm's IT department. The analysis team first identifies the critical information assets and then focuses the risk analysis on those assets. Next, the team identifies the relationships between the assets, the threats to the assets, and the organizational and technological vulnerabilities. After that, the operational context of the risks is evaluated. Lastly, the team creates a protection strategy, tailored to the organization, to reduce the risk to the organization's critical assets (Whitman & Mattord, 2014).
Whitman, M. E., & Mattord, H. J. (2014). Management of information security.
Crouhy, M., Galai, D., & Mark, R. (2000). Risk management. New York: McGraw Hill.