Lesson 4.8 Risk evaluation.
In this video, we will cover how to evaluate risks.
Now if you remember back to the previous lesson, where we used the OWASP risk framework as a reference point,
this is what you will use to guide your risk level determination, or something that looks very similar.
If you have an enterprise risk management process in place in your organization,
this would probably look very familiar, or you would have something very similar to this.
Please feel free to leverage your existing enterprise risk management framework
for a risk evaluation matrix.
So the overall risk evaluation formula is: risk is made up of the likelihood multiplied by the impact.
Your organization needs to have risk acceptance criteria.
Risk acceptance criteria pertain to the risk tolerance of your organization,
and when we get to the risk treatment process, they determine what treatment method should be adopted for a specific risk.
Your organization's risk tolerance level and context must be understood.
Some organizations are more open to taking on more risk, while other organizations are a lot more risk averse,
so they would need to invest a lot more time, energy and money into treating risks.
Once we have determined the levels of likelihood and impact,
we are able to evaluate the risks and come up with risk ratings.
Risk ratings help to prioritize risks.
These risk levels need to be compared to your organization's defined risk acceptance criteria.
Where risks are not outright accepted,
meaning where a risk does not fall within your acceptable risk level,
a risk treatment must be performed.
Please note that risk acceptance is a method of risk treatment,
but we'll get into the different types of risk treatment
in the coming lessons.
The context in which the risk could occur must also be taken into consideration.
For example, a high-level risk,
i.e. a critical risk,
on a low-level or low-valued information asset
might not be as important to immediately address
as a medium risk
on a high-priority or high-valued asset.
So, going back:
when a risk is not accepted,
your organization would have levels defined where it can accept all risks with a rating of two or lower, for example,
or based on specific context or exceptions.
Sometimes a risk might exceed the level of the risk acceptance criteria,
but later it is discovered that the treatment cost and effort far outweigh the consequences of the risk materializing.
That risk would then also be accepted.
When such an abnormally accepted risk occurs,
and management has taken a decision to accept the risk outside of the normal risk acceptance parameters,
this must be formally documented and noted:
the decisions affected, and the reasons why the risk was accepted,
must be formally noted and approved by the authorized stakeholders.
It must be evident that the appropriate decision makers within the organization
were made aware of the risk, the treatment factors, and why accepting the risk was the best option.
As mentioned before, where a risk is not accepted, the risk must be treated.
Risk treatment options will be covered in more detail in the next section.
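The evaluation steps described above (rating = likelihood x impact, comparison against acceptance criteria, context weighting by asset value, and documented exceptions) worked through as an added example; this is not code from the lesson. The 1-3 ordinal scales, the "accept at rating 2 or lower" threshold and the register entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed ordinal scales (assumption): 1 = low, 2 = medium, 3 = high.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class Risk:
    name: str
    likelihood: int                  # 1..3
    impact: int                      # 1..3
    asset_value: int                 # 1..3, the context: value of the affected asset
    exception: Optional[str] = None  # approved justification for accepting outside criteria


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact, the lesson's formula."""
    for value in (likelihood, impact):
        if not 1 <= value <= 3:
            raise ValueError("likelihood and impact must be rated 1..3")
    return likelihood * impact


def decide(risk: Risk, accept_threshold: int = 2) -> str:
    """Compare the rating to the acceptance criteria (assumed: accept ratings <= 2).

    Above the threshold the risk must be treated, unless management has formally
    documented an exception (e.g. treatment cost far outweighs the consequences).
    """
    score = risk_score(risk.likelihood, risk.impact)
    if score <= accept_threshold:
        return "accept"
    if risk.exception:
        return "accept-by-exception"  # must be recorded and approved by stakeholders
    return "treat"


def priority(risk: Risk) -> int:
    """Context weighting: the same rating matters more on a high-value asset."""
    return risk_score(risk.likelihood, risk.impact) * risk.asset_value


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Only risks needing treatment, highest context-weighted priority first."""
    return sorted((r for r in risks if decide(r) == "treat"), key=priority, reverse=True)


REGISTER = [  # constructed register entries
    Risk("Default creds on lab printer", HIGH, HIGH, LOW),           # critical risk, low-value asset
    Risk("Unpatched CMS on customer portal", MEDIUM, MEDIUM, HIGH),  # medium risk, high-value asset
    Risk("Verbose error page on intranet wiki", LOW, MEDIUM, LOW),   # rating 2: accepted outright
    Risk("Legacy protocol on isolated PLC", HIGH, MEDIUM, MEDIUM,
         exception="constructed: treatment cost outweighs consequence, management approved"),
]
```

Running `prioritize(REGISTER)` puts the medium risk on the high-value portal ahead of the critical risk on the low-value printer, matching the lesson's point about context.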
In this lesson we covered the basics of scoring a risk based on the simple formula of likelihood times impact.
Risks are prioritized based on their score and your organization's acceptance and risk tolerance criteria.