Introduction
A risk assessment framework (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology system. The information should be presented in a way that both non-technical and technical personnel in the group can understand. A RAF helps an organization identify and locate both low-risk and high-risk areas of the system that may be susceptible to abuse or attack.
History
COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their
It was subsequently supplemented in 2004 with the COSO ERM framework (above). The framework is one of the most comprehensive frameworks and is designed to offer organizations a widely accepted model for evaluating their risk management efforts. It is principles-based and expands on internal control concepts by giving ERM a more robust focus, recognizing that an effective ERM process must be applied within the context of strategy setting. It provides guidance to help organizations build effective programs for identifying, measuring, prioritizing and responding to
Setting the objectives must be done before management can identify potential events affecting their achievement.
• Event Identification – management identifies potential events, arising from internal and external sources, that could affect the entity either adversely or by presenting an opportunity.
• Risk Assessment – consideration of the extent to which potential events affect the achievement of the organization's objectives. The identified risks are evaluated to form a basis for determining how they will be managed.
• Risk Response – after the relevant risks have been determined, management decides how it will respond. Responses may include avoidance, reduction, sharing and acceptance.
• Control Activities – the policies and procedures that help ensure that management’s risk responses are carried out.
• Information & Communication – refers to the proper information being identified, captured and communicated in an adequate format and timeframe to the appropriate individuals.
• Monitoring – assessing the functions and components of risk management over time and making adjustments as