now I, Sacha, provides us with some guidance on how to incorporate risk management into the world of technology, and they do so through the risk I t framework. And then also we can apply the risk management lifecycle as we move forward.
So the risk anti framework, first of all,
is of course, geared towards I t. Specifically, and the idea is that we should be able to take a look at where we are currently. Take a look where we want to be an ultimately be able to close the gap.
So this is a document you can download for my Saca's website has a lot of good information.
May not be a bad idea to read through I. Saca's Risk I t framework before taking the sea risk exam. If you look it up on Google, you'll definitely be able to find that. And it's certainly worth going through and looking at some of the strategies that are mentioned.
that we evaluate our environment based on governance, how we analyze risks or evaluate risks, and then how we respond to risk. So we have risked governance risk evaluation risk response are G R e R R
So where organization is, we could be at RG one for governance. RG two or where we wanna be is RG three.
So, ultimately, within the framework, you'll find descriptors of each level, and it's up to you to determine where we are versus where we want to be. Obviously, we want to be in the three column because with risk evaluation,
we collect that at Ari one. Well, that doesn't help us. We're gonna be ableto analyze the risk from the data.
And then we want to make sure that we can control our risk profile.
So that's just a little bit. You may see question on what RG two of the risk manager of the
I t risk framework Risk I t. Framework
Governance Evaluation. In response
Now I Saca's life cycle for risk management.
And this is how the domains of sea risk are organized. They're organized by lifecycle stage, So we have I t risk identification.
We identify risks specifically by looking at our assets are threats and vulnerabilities. Okay, that's risk identification risk assessment. We want a sign of value to the risk events. Value could be qualitative. Using words like high medium low or can be quantitative
numeric data. Empirical data,
then, based on the value of the potential risk we mitigate the degree of mitigation we need is dependent on the mount of risk and making sure that we have a cost effective solution
after we implement our response. Then, of course, we go forward and we continue to monitor and control. There's risk responses until we find that it's time to go back and revisit risks and identify from scratch. Usually we go back and revisit this once per year or in the event of a major change.