
Friday, September 12, 2014

Risk Management Frameworks

Risk Management is receiving much more emphasis in security today than ever before. Risk Management certainly is nothing new, and has existed in many different forms over the years. I remember when I was in the Navy around 1997 I was first introduced to Risk Management in the form of ORM (Operational Risk Management). Having recognized this trend, I decided to study and test for the ISACA CRISC certification this December. You can find the basics of Risk Management through my blog, but this is a much deeper subject than what I have posted. To completely understand Risk Management, intense study is required. To put that into perspective, the CRISC manual is ~400 pages.

ERM is probably the most popular form of Risk Management. Various models exist for ERM, such as CAS, COSO, and the ISO 31000 and ISO 31010 standards. Tools like OCTAVE, developed by Carnegie Mellon and released in 2001, are also useful for identifying risks, as is the FISMA Risk Management Framework.

ERM is also being imposed upon companies by U.S. law in several cases. Sarbanes-Oxley is just one such case, and it requires risk management in support of identifying fraud and fraudulent transactions. Even setting legal requirements aside, however, businesses are seeing increased value in identifying risks earlier and implementing risk management frameworks.

Risk can exist on many levels. There is overall risk to an organization as a whole, which may or may not be shared in common with each division, department, or work center. Because of this it is important that all risks are identified, cataloged, and reviewed regularly.

Risks are constantly changing, which makes them dynamic and hard to track. Because of this, risk must be evaluated regularly. Annual or semi-annual reviews should be conducted. Risks should also be evaluated immediately upon any significant change, such as changes in market conditions, changes to an IT system or infrastructure, moving offices, and a variety of other possibilities.

Perhaps the most beautiful thing about Risk Management is its versatility. The topic itself is very broad and applies to many things, while the principles used are always the same. One visit to RIMS and you will easily see that risks vary broadly, from credit ratings, to terrorist threats, to newly identified software threats, and even risks associated with various processes. I think it is safe to say that Risk Management is here to stay, is still in its infancy even though it's been around a while, and represents a promising career for anyone interested.