There are many approaches to Risk Assessment and Risk Management, but most follow an iterative process in which risk scenarios are identified, assessed and treated with controls, and the residual risk is then accepted, transferred or treated further to reduce it.
Some risk management methodologies create exhaustive lists of information assets, the business impact if they are compromised, and the threats and vulnerabilities that may result in a compromise. Other methodologies are more scenario based and lend themselves to a more strategic approach that aligns information risk management to other risk disciplines, such as operational risk or holistic enterprise risk.
My risk management experience includes eleven years in the Global IT Risk Management team of a FTSE 10 pharmaceutical company, four years in the IT Risk Advisory function of a Big Four management consultancy and a year as a contract risk manager providing information assurance to a mutual insurance company.
Examples of my Governance, Risk and Compliance expertise include:
- Information Lifecycle Risk Assessment
- GRC tool selection and procurement
- Information Security Forum’s Information Risk Assessment Methodology (IRAM2)
- Supplier and Third Party Risk Assessment (SOC2, SSAE16)
- Cloud Computing Risk Assessment
- Risk of Mergers, Acquisitions and Divestments
CRISC (retired)
I was Certified in Risk and Information System Controls, having scored in the top 5% of the December 2016 exam. I allowed this certification to lapse in 2022 when I retired.