SABSA risk management process (RMP). Sub-stages of the SABSA RMP:
1. Identify Risks. Involves identifying the specific risk factors that, when combined, create risks and opportunities for the organisation.
2. Assess Risks. Follows risk identification in the RMP and involves measuring risks to facilitate the placement of controls and enablers.
3. Evaluate Risks. During the evaluation stage of governance, ISO/IEC 38500 states that management must “…make judgement on the current and future use of IT … [by] taking into account both current and future business needs”.
4. Design & Develop Control/Enablement Treatments, Govern & Communicate, and Assure. The Assure sub-stage provides stakeholders with confidence and trust that architectural artefacts and activities meet their desired levels of quality.
In the Design phase of the RMP, the designer is responsible for deciding on the risk control and enablement treatments that mitigate risks or maximise opportunities. The SABSA Multi-tier Control Strategy is one modelling technique that can support the designer during this stage of the process. By modelling the control strategy against the risk assessment, the designer can choose controls and enablers that are both proportional and appropriate. If desired, the treatments architecture can fully utilise control sets from other common controls frameworks and standards, e.g., ISO 27001 and COBIT.
Choosing the right risk control and enablement treatment is a key decision that the designer must make in this stage of the RMP. We have seen in the previous chapter that our emotional attitudes drive our beliefs about risks and benefits: things that we like are perceived to be less risky and to present more benefits; things that we dislike are viewed as riskier and as presenting fewer benefits. Within the SABSA RMP, this bias (known as affect) can negatively influence the design process and interfere with objective controls selection. Nationality can also influence people’s preferences for certain types of risks.
Biases during this RMP step can negatively influence both the selection of controls (i.e., the type of treatment) and its implementation (i.e., its balance).