Framework for Operational Risk

To be effective, any risk assessment methodology must be part of an overall process to address risk. The Operational Risk Framework is intended to guide information security, business continuity planning and other operational risk officers through the process of identifying and prioritizing risk and maintaining the control environment. It is based on the following components:

More simply stated: an effective Operational Risk program protects information and other assets by ensuring the confidentiality, integrity, and availability of data through people, processes and technology, organized within a process of continuous improvement.

Operational Risk Management Process

The process in the outer ring of the graphic is the foundation for managing Operational Risk and is based on two principles:

  1. Risk management is a sequential process, based on the adage that you can't manage something you can't measure. There is no sense implementing monitoring and reporting processes for controls until you have identified your risks, and you cannot effectively respond to a security event unless you have a clear understanding of your controls.
  2. It is a process of continuous improvement. Controls will fail, and you will need a process not only to reduce the immediate losses from the event but also to adjust controls so that future failures are avoided. Just as the threats and vulnerabilities confronting the organization are constantly evolving, the risk management process must continuously improve and adjust to address these changes.

The following pages provide further detail on the Framework.


©2009 ISRMC, LLC