2. Overview Of Risk And Risk Management Frameworks And Standards
Gerber, in the publication “Management of risk in the information age” (Gerber & von Solms, 2005), explains various aspects of risk and risk management. From the article, one can conclude that the main concepts of risk management can be divided into two groups: (i) the definition of risk, the types of risk and risk management, and (ii) risk management frameworks and standards.
Based on the international standard for risk management – ISO31000, risk is defined as the “effect of uncertainty on objectives” (ISO, 2009), where the uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information, while the objectives can have different aspects (health and safety, financial, IT, environmental) and can apply at different levels (such as strategic, organizational, project, process). The definition covers both negative and positive impacts on objectives. Risk is often expressed as a combination of the consequences of an event and the associated likelihood of its occurrence. As we discuss risk management frameworks for IT-centric micro and small companies, the main focus is on organizational risks. There are various types of organizational risk, such as program management risk, investment risk, budgetary risk, legal liability risk, safety risk, inventory risk, supply chain risk, and security risk (NIST, 2011).
For the needs of the management of IT-centric micro and small companies, these risks cannot be approached independently; an integrated approach is necessary. This approach should focus on the main drivers in the company, such as continuity of operations through IT operations and well-known business processes, so that employees can understand what they should do. The reliance on IT also places information security risks among the top concerns. For the purposes of the research questions, we assume that the management of these IT-centric micro and small companies deals with legal and financial risks intuitively, and that these risks need not be included in the company's integrated risk management framework and approach.