A further Review of Risk Methods
IL7 consultants will work with customers to define which methodology they prefer. IL7 consultants will identify the salient features of, and the reasons for, implementing a given framework and discuss these with clients, giving a measure of assurance in the choice.
The purpose of Risk Assessment (Identification, Analysis and Evaluation) is said to be the recognition and ranking of risk. This is common to all methods, but each method attaches different meanings to the words it uses. The difference between Analysis and Evaluation is clearly defined in ISO 73. In IS1/2 the calculated risk is set against a pre-defined risk appetite: if it falls within that appetite it can be tolerated (accepted by an Accreditor) rather than escalated to the business risk owner (SIRO). In practice, RMADS are rarely signed off by SIROs or IAOs, although individual risks might be escalated by means of a Risk Balance Case (RBC). IL7 will promote a framework and culture in which all calculated (analysed) risks are evaluated within their business context and, where appropriate, will promote escalation of risk "sign off" to the business owner.