rm 7 Flashcards
(31 cards)
Effect of uncertainty on objectives. Can be positive, negative, or both. It may address, create, or result in opportunities and threats.
Risk
International standard providing a framework and principles for managing any type of risk, applicable to any organization regardless of size or industry.
ISO 31000
Year when the initial version of ISO 31000 was released.
2009
Year when ISO 31000 was first revised; emphasized senior management involvement, integration into structure, strategy, and value creation as key principles.
2018
Year when ISO 31000 was reviewed and approved without any changes.
2023
May impact the achievement of organizational goals and objectives. Automatically applies to the whole organization. Top Management, supported by the ERM team, oversees its handling.
Strategic Risk
Risk of loss due to ineffective or failed internal processes, people, systems, or disruptions to business operations. May be common across departments or specific to one. Process Owners, governed by the ERM team, are responsible for identifying, mitigating, and monitoring it.
Operational Risk
Integration of ISO 31000:2018 with ISO 9001:2015 and enterprise-wide Change Management ensures risk management is aligned with organizational structures, processes, and goals.
Integration with QMS
Used by middle to top management as a prioritization criterion for decision-making; also used to justify and secure approval for initiatives by demonstrating reduced impact and likelihood of risks.
Risk Analysis
Internal control effectiveness and relevance of risk identification are assessed through four levels: Self-assessment (Level 1), ERM/Quality audit (Level 2), Internal Audit (Level 3), and External Audit (Level 4).
Levels of Risk Review
Results from reviews/audits feed into defining improvement opportunities and are integrated into the next cycle of annual planning, a practice of continuous improvement.
Continuous Improvement Cycle
ERM team uses models like the Risk Maturity Model to assess current risk management maturity and identify areas for enterprise-level improvement.
Risk Maturity Model
Potential for technology failures, breaches, or misuse to negatively impact an organization. Technology is vital in operations, finance, compliance, and strategic decisions.
IT Risks
Involves cyberattacks (e.g., ransomware, phishing), malware infections, unauthorized access, and insider threats.
Security Risks
Arises from system outages due to hardware failures, software bugs, human error, or poor IT maintenance.
Operational Risks
Related to violations of data privacy laws or failing to comply with industry-specific IT regulations.
Compliance Risks
Occurs when IT strategies misalign with business goals, projects fail, or outdated technologies are used.
Strategic IT Risks
Includes unauthorized transactions or fraud caused by compromised systems.
Financial Risks
Occurs when brand reputation is harmed due to data breaches, service outages, or high-profile cyber incidents.
Reputational Risks
Includes financial losses (e.g., fraud, penalties), reputational harm, loss of customer trust, legal liabilities, and operational disruptions.
Impact of IT Risks
Involves identifying potential internal and external IT threats using tools like threat modeling, vulnerability scanning, and security assessments.
Risk Identification
Entails evaluating how likely each IT risk is and what impact it may have, then prioritizing based on severity.
Risk Assessment
Implementation of controls such as firewalls, encryption, and MFA, together with setting clear IT security policies and procedures.
Risk Management
Continuous observation of IT risks via intrusion detection, audits, and compliance checks, with strategies adjusted as needed.
Risk Monitoring