Welcome to Lesson 3.2, Govern: Risk Management Strategy.
So in this video we will cover the Govern function's Risk Management Strategy category and learn what risk tolerances are.
So here in this Govern function category for Risk Management Strategy, the organization's priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions. So really you have three subcategories here, and this is really focused on an organization determining what their risk tolerances are and making sure that the risk tolerance is informed by its role within the data processing ecosystem.
So under the NIST definition for risk tolerance, it's really the level of risk an entity is willing to assume in order to achieve a potential desired result, or it's the degree of risk or uncertainty that is acceptable to an organization. So there are a couple of different ways in which you can look at risk tolerances, and we're going to get into that on the other slide.
But really understanding that this particular category of the Govern function is really focused on those risk tolerances and determining what they are, because that's going to speak to, when you're looking at your privacy risks and you've determined a severity level, where that falls, and help you figure out what to do in regards to that particular risk, whether it's a low severity all the way to a catastrophic or critical, depending on how you're defining that, and sort of what that impact would mean for the company: a low impact might be a low financial impact to a company, whereas critical or high could possibly be at the level of bankruptcy. So it's really sort of determining what those levels are from a severity perspective and whether or not that's something that the company is willing to accept or they need to mitigate that risk.
So in this example, this is just one example of a particular risk tolerance matrix that I did find online. So how do you read this? They give you the instructions at the top: you're really selecting the severity box from looking at columns 1, 2 or 3, so human health impact, fire and explosion, direct costs in dollars, and chemical impact. So you're going to read the category and safety severity level from the same row,
and then you're going to select the likelihood from columns 4 through 7, which show likely, unlikely, improbable, and improbable but not impossible. So that's the likelihood of the risk actually occurring. So the way you would do this is to take, we'll look at category 1 here, the human health impact, and look down at: an employee fatality is possible and a major injury is likely. So if we're saying that this is unlikely, looking at column 5, it's expected to happen possibly once over the life of the plan. So this is a risk level B.
So what that tells you is that you would have to come down here to read what risk level B is. So it's an undesirable risk, and it means that additional safeguards must be implemented within three months. So what this does is, once you've actually determined what your risks are, being able to look at it on this risk tolerance matrix really helps you determine what your response would be to the privacy risk. At this point you almost know that anything that's possible or likely to happen, you're really looking to hopefully mitigate those risks or seeing how you can avoid it, whereas something that may be improbable but not impossible you possibly may look to accept because it's so low. So it's just going to help you determine what your thought process is going to be on how you're going to handle these various privacy risks.
So let's take a look at another example. This is actually an example of a risk tolerance that I put together for a company that I worked for. And so it's a bit easier to understand, in that it gives you the severity in the light blue column, for minor, low, moderate, high and critical, and then we have the different types of impacts at the top. So you're looking at financial impact, reputational impact, operational impact, recovery ability and compliance. And really, if you determine that a privacy risk, based on your assessment, is a moderate and we want to know what the reputational impact is, you're looking at the intersection of moderate and reputational impact, which would mean that there's limited damage to the company's reputation, it is somewhat likely for local media coverage to be sustained, and there's a short-term reduction in stakeholder confidence. So this is something that you can kind of create using different stakeholders within your enterprise or even just within your department, depending on if you're doing risk tolerances at a department level or at an enterprise level, to really determine what your risk tolerances are going to be.
So possibly, if you're looking at it from a financial impact, that may be something that your finance department may help determine if this is at an enterprise risk level. If it's not and it's at a business function or department level, then maybe it's the management team, let's say at your information services or IT department level, that would need to determine, based on their budget, what would be a minor impact to the financial budget for the IT department and what would be a critical one. So you're really going to look at different components to help you compile this. There really is no right or wrong answer. You're really tailoring this to your enterprise to determine what would be a minor impact versus a critical one in various categories.
So let's take a quiz before we move on to the next video. A risk tolerance measures the level of risk or the degree of uncertainty that is: one, risky; two, acceptable; or three, moderate.
So the answer here is number two, acceptable. Those risk tolerances are really trying to help you determine what level of risk your enterprise or business function is willing to accept. It's going to help you determine whether a risk needs to be mitigated and really what your response is going to be to that risk. So always keep that in remembrance when you are developing the risk tolerances for your business function or enterprise.
So in this video we covered the Govern function's Risk Management Strategy subcategories and we reviewed a sample risk tolerance matrix. These are also provided in the resources section for this course.
I hope you'll join me as we move into the next video in this lesson.
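The reading procedure the video walks through (take the worst impact column to get the severity row, pick the likelihood column, read the letter risk level, look up that letter's required response and deadline, then compare it with the level the organization is willing to accept) as an added Python example. This is not code from the video or the course: the matrix contents, the response table, the tolerance threshold and the sample privacy risks are all constructed for illustration. Only the structure follows the transcript, the severity and impact labels follow the second matrix described, and level B keeps the reading given for the first matrix (undesirable, additional safeguards within three months).

```python
"""Risk tolerance matrix evaluation for a small privacy risk register.

Constructed example: every matrix cell, response and sample risk below is
illustrative, not taken from a published matrix or from the course.
"""
from dataclasses import dataclass
from typing import Optional

# Severity labels from the second matrix in the video; likelihood labels from the first.
SEVERITY_LEVELS = ["minor", "low", "moderate", "high", "critical"]
LIKELIHOODS = ["improbable but not impossible", "improbable", "unlikely", "likely"]

# Constructed matrix: rows are severity, columns follow LIKELIHOODS (least to most likely).
# Letter A is the worst risk level, D the least serious.
RISK_MATRIX = {
    "minor":    ["D", "D", "D", "C"],
    "low":      ["D", "D", "C", "C"],
    "moderate": ["D", "C", "C", "B"],
    "high":     ["C", "B", "B", "A"],
    "critical": ["B", "B", "A", "A"],
}
LEVEL_ORDER = "ABCD"

# Constructed response table; B reproduces the reading given in the video
# (undesirable; additional safeguards within three months, taken as 90 days).
RISK_RESPONSES = {
    "A": ("unacceptable", "mitigate or avoid before the activity continues", 0),
    "B": ("undesirable", "additional safeguards must be implemented", 90),
    "C": ("acceptable with controls", "confirm existing controls at next review", 365),
    "D": ("acceptable", "accept and monitor", None),
}


@dataclass
class Assessment:
    name: str
    severity: str
    likelihood: str
    level: str
    descriptor: str
    action: str
    deadline_days: Optional[int]


def worst_severity(impacts: dict) -> str:
    """The severity row is driven by the worst impact column, as the matrix instructions say."""
    unknown = set(impacts.values()) - set(SEVERITY_LEVELS)
    if unknown:
        raise ValueError(f"unknown severity label(s): {sorted(unknown)}")
    return max(impacts.values(), key=SEVERITY_LEVELS.index)


def risk_level(severity: str, likelihood: str) -> str:
    """Intersect the severity row with the likelihood column to get the letter risk level."""
    if likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown likelihood: {likelihood!r}")
    return RISK_MATRIX[severity][LIKELIHOODS.index(likelihood)]


def assess(name: str, impacts: dict, likelihood: str) -> Assessment:
    """Full read of the matrix for one risk, including the response the letter requires."""
    severity = worst_severity(impacts)
    level = risk_level(severity, likelihood)
    descriptor, action, deadline = RISK_RESPONSES[level]
    return Assessment(name, severity, likelihood, level, descriptor, action, deadline)


def exceeds_tolerance(assessment: Assessment, tolerance: str = "C") -> bool:
    """True when the risk is worse than the highest level the organization will accept."""
    return LEVEL_ORDER.index(assessment.level) < LEVEL_ORDER.index(tolerance)


def prioritize(register: list, tolerance: str = "C") -> list:
    """Risks that need treatment, worst first; risks within tolerance are left out."""
    results = [assess(**entry) for entry in register]
    needs_treatment = [a for a in results if exceeds_tolerance(a, tolerance)]
    return sorted(needs_treatment, key=lambda a: LEVEL_ORDER.index(a.level))


# Constructed privacy risk register, scored against the five impact types from the video.
SAMPLE_REGISTER = [
    {"name": "Marketing emails sent without a consent record",
     "impacts": {"financial": "low", "reputational": "moderate", "operational": "minor",
                 "recovery": "minor", "compliance": "high"},
     "likelihood": "likely"},
    {"name": "Backup tapes holding customer PII lost in transit",
     "impacts": {"financial": "high", "reputational": "critical", "operational": "moderate",
                 "recovery": "high", "compliance": "critical"},
     "likelihood": "improbable"},
    {"name": "Analytics vendor keeps logs past the retention period",
     "impacts": {"financial": "minor", "reputational": "low", "operational": "minor",
                 "recovery": "minor", "compliance": "moderate"},
     "likelihood": "unlikely"},
    {"name": "Employee views a record without a business need",
     "impacts": {"financial": "minor", "reputational": "low", "operational": "minor",
                 "recovery": "minor", "compliance": "low"},
     "likelihood": "improbable but not impossible"},
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_REGISTER):
        due = f" within {a.deadline_days} days" if a.deadline_days else ""
        print(f"{a.level} ({a.descriptor}) {a.name}: {a.action}{due}")
```

With the constructed register and a tolerance of C, the consent-record risk lands at A and the lost-tapes risk at B, so only those two are returned for treatment; the vendor retention risk reads as C and the improbable employee lookup as D, both within tolerance. Changing the `tolerance` argument is the one-line expression of a department or enterprise deciding it will accept more or less risk.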