# Risk Management Approach
| Field | Value |
|---|---|
| Owner | Risk Manager / PM |
| Version | 1.0 |
| Status | Draft |
| Last Updated | 2025-08-08 |
## Purpose
Define the comprehensive FAIR-based quantitative risk management approach for all ICT domains, establishing risk governance practices that enable data-driven decision making and business-aligned risk tolerance.
## Scope
All technology assets, services, and initiatives across the organization's six ICT domains:
- Infrastructure: Networks, servers, cloud resources, endpoint devices
- Security: Identity management, access controls, threat protection, Zero Trust architecture
- Applications: Enterprise applications, custom software, SaaS solutions, employee-requested applications
- Data: Structured and unstructured data, analytics platforms
- End-user Computing: Productivity tools, collaboration platforms, mobile devices
- Integration: APIs, middleware, data exchange mechanisms, security information exchange
## Roles & RACI
| Role | R | A | C | I |
|---|:---:|:---:|:---:|:---:|
| ICT Governance Council | | X | | |
| Risk Management Specialist | X | | | |
| Domain Owners | | X | X | |
| Technology Stewards | X | | X | |
| Security Lead | | | X | |
| Business Stakeholders | | | X | X |
## FAIR-Based Process Overview
### 1. Risk Identification and Scoping
- Domain-Specific Risk Scenarios: Identify risks specific to each ICT domain
- Asset and Process Inventory: Catalog technology assets and business processes
- Threat Landscape Analysis: Assess current and emerging threats
- Stakeholder Engagement: Involve domain experts and business stakeholders
### 2. Quantitative Risk Analysis (FAIR Methodology)
- Threat Event Frequency (TEF) Assessment: Quantify likelihood of threat events
- Vulnerability Analysis: Assess probability of successful threat exploitation
- Loss Event Frequency (LEF) Calculation: TEF × Vulnerability
- Primary Loss (PL) Assessment: Direct financial and operational impacts
- Secondary Loss (SL) Assessment: Consequential impacts (reputation, legal, competitive)
- Loss Magnitude (LM) Calculation: PL + SL
- Risk Calculation: LEF × LM = Quantified Risk Exposure
### 3. Risk Evaluation and Treatment Planning
- Risk Tolerance Comparison: Compare calculated risk to organizational appetite
- Risk Prioritization: Rank risks by exposure and business impact
- Treatment Option Analysis: Evaluate mitigation strategies and cost-effectiveness
- Risk-Adjusted Value Assessment: Integrate with business value quantification
### 4. Risk Monitoring and Control
- Continuous Risk Monitoring: Track risk indicators and exposure trends
- Control Effectiveness Assessment: Measure performance of implemented controls
- Risk Model Calibration: Update models based on new data and incidents
- Quarterly Risk Reviews: Regular assessment of risk posture and treatment effectiveness
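As an added illustration (not part of this document's process assets or tooling), the following Python carries the step 2 FAIR chain and the step 3 tolerance comparison through for one scenario, both as a point estimate and as a Monte Carlo range. The scenario values, function names and the use of triangular distributions are constructed assumptions; the $2M tolerance is the enterprise total-exposure target from the Metrics section.

```python
import random
from statistics import mean, quantiles

# Enterprise total-exposure target taken from the Metrics section (< $2M annually).
RISK_TOLERANCE_USD = 2_000_000


def fair_point_estimate(tef, vuln, pl, sl):
    """FAIR chain from step 2: LEF = TEF x Vuln, LM = PL + SL, Risk = LEF x LM."""
    if not 0.0 <= vuln <= 1.0:
        raise ValueError("vulnerability is a probability and must lie in [0, 1]")
    lef = tef * vuln   # loss events per year
    lm = pl + sl       # USD lost per loss event
    return {"LEF": lef, "LM": lm, "risk": lef * lm}


def fair_simulate(tef, vuln, pl, sl, runs=10_000, seed=1):
    """Monte Carlo version: each argument is a (min, most_likely, max) triple.

    Triangular draws are an assumed simplification of the PERT distributions
    common in FAIR tooling; the result is a list of annualised loss samples (USD).
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible

    def draw(t):
        low, mode, high = t
        return rng.triangular(low, high, mode)

    samples = []
    for _ in range(runs):
        v = min(1.0, max(0.0, draw(vuln)))  # clamp so vulnerability stays a probability
        samples.append(draw(tef) * v * (draw(pl) + draw(sl)))
    return samples


def evaluate(samples, tolerance=RISK_TOLERANCE_USD):
    """Step 3 comparison: summarise the exposure range and test P90 against tolerance."""
    q = quantiles(samples, n=10)  # nine cut points: q[0]=P10, q[4]=P50, q[8]=P90
    summary = {"mean": mean(samples), "p10": q[0], "p50": q[4], "p90": q[8]}
    summary["within_tolerance"] = summary["p90"] <= tolerance
    return summary


if __name__ == "__main__":
    # Constructed sample scenario (hypothetical figures, not page data).
    print(fair_point_estimate(tef=4, vuln=0.25, pl=150_000, sl=50_000))
    s = fair_simulate(tef=(2, 4, 8), vuln=(0.1, 0.25, 0.5),
                      pl=(50_000, 150_000, 400_000), sl=(10_000, 50_000, 200_000))
    print(evaluate(s))
```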
## Metrics
### Enterprise Risk Metrics
- Total Risk Exposure: Aggregate quantified risk across all ICT domains (<$2M annually)
- Risk Trend Analysis: Month-over-month and year-over-year risk exposure trends
- Risk Concentration: Distribution of risk across domains and business units
- Risk Treatment Effectiveness: Reduction in risk exposure from implemented controls (>80%)
### Domain-Specific Risk Metrics
- Infrastructure Risk Exposure: Quantified risk from infrastructure components
- Security Risk Exposure: Quantified cybersecurity and information security risk
- Application Risk Exposure: Quantified risk from application portfolio
- Data Risk Exposure: Quantified risk to data assets and privacy
- End-user Computing Risk: Quantified risk from endpoint and user activities
- Integration Risk Exposure: Quantified risk from system integrations
- Risk Assessment Coverage: Percentage of assets with completed FAIR assessments (>95%)
- Risk Assessment Timeliness: Average time to complete risk assessments (<21 days)
- Risk Treatment Implementation: Percentage of approved treatments implemented on time (>90%)
- Risk Monitoring Effectiveness: Percentage of risks with current monitoring data (>98%)
## Standards Crosswalk
| Standard | Mapping |
|---|---|
| FAIR | Factor Analysis of Information Risk - Primary methodology |
| PMBOK | Risk Management Processes |
| ISO 31000 | Principles and framework |
| NIST 800-30 | Risk assessment |
| COBIT 2019 | Risk management and governance alignment |
| ISO/IEC 27001 | Information security risk management |
## References
- Risk Register; Security Testing Guidelines
## Version History
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0 | 2025-08-08 | Risk Manager | Initial draft |