

Information in risk assessment frameworks

February, 2007

This article originated as a member question about the treatment of information in risk assessment frameworks. In other words, how does information that is incorrect, inaccessible, unreliable, or misinterpreted affect an organization's risk profile, and how should information requirements be covered in a risk management plan?

What seems at first to be a ho-hum topic takes on more significance once you consider that information means one thing for operational risk and quite another for strategic risk. Comprehensive risk management is therefore a knowledge management problem, and one that requires a cross-functional perspective rather than a single owner.

The scope of a risk management framework depends partly on the type of risk and the organization's attitude toward it. Operational risk results from inadequate or failed internal processes, people and systems, while strategic risk results from poor business decisions. Ensuring accurate information for operational risk management is traditionally the responsibility of the IT function. The focus is internal, and the primary objectives are compliance and security.

Managing strategic risk, including both opportunities and threats, requires not only reliable internal data but also comprehensive and trustworthy external information as well as systems that can handle meaning, significance, and perception. The necessary analytical skills, sources, and tools are typically found outside the IT function.

In this month's issue, we look at risk frameworks: what they are, why they are created, what kinds of risks they cover, and the implications for information management. We include a discussion of a specific risk framework available on the public Web along with references to related material.

Created on February 28, 2007 | Updated on March 7, 2007