Point | ISMI SRA | Warwickshire Risk Management Template |
| | |
| | |
3 | ISMI states that, one of the key requirements for a successful security risk analysis (and by extension security risk management) programme is the consistent involvement of line management and asset custodians. (U, p12) | Compare/Contrast: The Warwickshire risk management template states Effective communication and consultation is critical to the successful management of risk. These are not one-off standalone events but important factors at every point of the process. (WRMT, P6) Observation: As you can see both the ISMI and WRMT understand that constant communications at all levels at the beginning is critical for successful risk management to take place. Analysis: |
4 | ISMI states that Line department risk registers are locally maintained analysis tools that feed into the security risk analysis process. (U1, p30) | Compare/Contrast: Risk registers are created and maintained on the Council's risk management software 'Magique'. (WRMT, p9) Observation: Both methodologies of risk registers are similar in ISMI and WRMT, ISMI seems to favour using hands on approach with front line workers giving input, where the WRMT seems to be more IT led at corporate level. Analysis: |
5. | ISMI states that not all risks can be identified, but security managers may be judged negatively after the event if there should occur a reasonably foreseeable undesirable event, which should have been anticipated and mitigated. (U1, p18) | Compare/Contrast: The Warwickshire risk management template states not all risks can be managed all the time, so having assessed, and prioritised the identified risks, cost effective action needs to be taken to manage those that pose the most significant threat. (WRMT, p8) Observation: Both statements are similar in context where they accept that you can't always identify every risk but the upmost must be done to mitigate the foreseeable significant threats. Analysis: |
6 | ISMI states the second task of the security risk analysis process is to characterise the threats. This is a difficult process which requires an understanding of the environment and context in which the enterprise exists. (U1, p14) | Compare/Contrast: whereas the Warwickshire risk management template focuses on risk characterisation. There are a number of different types of risks that an organisation may face including financial loss, failure of service delivery, physical risks to people, and damage to the organisation's reputation. (WRMT, p6) Observation: ISMI approaches this with a more in-depth analysis into how the threat can be carried out and by who, and the WRMT focusing more on a simpler methos of a check list on the risk categories. Analysis: |
7 | ISMI states that Security risk can be mitigated by different means, in isolation or in combination. The most common risk mitigation options can be summed up with the acronym TEAR. (U1, p26) | Compare/Contrast: Risk may be managed in one, or a combination of ways. (WRMT, p 8) Observation: Both methodologies are similar in the fact they have used almost identical ways of mitigating/managing risks. WRMT has in this case identified that they can also exploit an opportunity to the benefit of the council whilst conducting risk mitigation. Analysis: |
8 | ISMI states the Likelihood is an assessment of how likely an adverse event is expected to occur (U1, p19) and the Impact is the amount of harm the enterprise is likely to sustain if a threat materialises into an event. (U1, p21) | Compare/Contrast: The Warwickshire risk management template states the Council's approach to risk management is to assess the risks identified in terms of both the potential likelihood and impact so that actions can be prioritised. (WRMT, p7) Observation: Both methodologies accept that that likelihood and risk should be measured in a scale, however a more in-depth analysis is used in the ISMI as they use a multitude of methods to determine the true level of risk exposure, Whereas the WRMT only uses the one matrix. Analysis: |
