Risks & Control

  1. RISKS

Risk is any event that may result in a significant deviation from a planned objective resulting in an unwanted negative consequence.

The planned objective could be any aspect of an enterprise's strategic, financial, regulatory and operational processes, products or services.

The degree of risk associated with an event is determined by the

  • likelihood of the event occurring,
  • consequences (impact) if the event occurs, and
  • its timing.

Sources of Risk

The most important step in the risk management process is to identify the sources of risk, the areas from which risks can arise.

This gives information about the possible threats and vulnerabilities, and accordingly an appropriate risk mitigation strategy can be adopted.


Broadly, risk has the following characteristics:

  • Probability/likelihood of a threat against a system;
  • Potential loss due to the threat;
  • Uncertainty of such loss.


Types of Risks

  • Business
  • Technology
  • Data related

Business Risk

  • Strategic

Risk that would prevent an organization from accomplishing its objectives (meeting its goals).

  • Financial

Risk that could result in a negative financial impact to the organization (waste or loss of assets).

  • Regulatory (Compliance)

Risk that could expose the organization to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.

  • Reputational

Risk that could expose the organization to negative publicity.

  • Operational

Risk that could prevent the organization from operating in the most effective and efficient manner.

  • Hazard Risk

Risks that are insurable, such as natural disasters; various insurable liabilities; impairment of physical assets; terrorism etc.

  • Residual Risk

Any risk remaining even after the countermeasures are analyzed and implemented is called Residual Risk.


Technology Risk:

As technology is transforming business, the processes and standards adopted by enterprises should consider this new set of IT risks and challenges:


  • Frequent changes or obsolescence of technology:

Technology keeps changing constantly and becomes obsolete very quickly. Hence, there is always a challenge that the investment in technology solutions may result in loss due to obsolescence.

  • Multiplicity and complexity of systems:

The technology used today for services is quite complex. Hence, personnel are required to have knowledge of the requisite technology.

  • Different types of controls for different types of technologies:

Deployment of technology gives rise to new types of risks which need to be mitigated by relevant controls.

  • Proper alignment with legal/regulatory requirements:

Systems must be aligned with business objectives and, in addition, comply with legal/regulatory requirements.

  • Dependence on vendors due to outsourcing:

Systems require staff with specialized domain skills to manage the IT deployed. Hence, these services may be outsourced to vendors, which gives rise to vendor risks that should be managed by proper contracts, controls and monitoring.

  • Vendor related concentration risk:

There may be not one but multiple vendors providing different services such as network, hardware, system software and application software services. These situations result in higher risk due to heavy dependence on vendors.

  • Segregation of Duties (SoD):

The Segregation of Duties as per the organization structure should be clearly mapped.

For example, if a single employee can initiate, authorize and disburse a loan, the possibility of misuse cannot be ignored.
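A small SoD conflict checker, added here as an illustration and not part of these notes: it maps roles to the three loan functions from the example above and flags any user whose combined roles cover a conflicting pair. The role names, function names and user assignments are constructed sample data.

```python
# Constructed SoD rule set: pairs of functions that one person must not hold together.
# The three loan functions follow the example in the notes.
SOD_CONFLICTS = [
    {"loan_initiate", "loan_authorize"},
    {"loan_authorize", "loan_disburse"},
    {"loan_initiate", "loan_disburse"},
]

# Hypothetical role-to-function mapping (assumption, not from the notes).
ROLE_FUNCTIONS = {
    "loan_officer": {"loan_initiate"},
    "branch_manager": {"loan_authorize"},
    "teller": {"loan_disburse"},
    "branch_admin": {"loan_initiate", "loan_authorize", "loan_disburse"},
}

# Constructed user assignments, e.g. an export from an access-rights review.
USER_ROLES = {
    "alice": ["loan_officer"],
    "bob": ["branch_manager"],
    "carol": ["loan_officer", "teller"],   # roles accumulated after a transfer
    "dave": ["branch_admin"],              # a single role spanning all three
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role a user holds."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles, conflicts=SOD_CONFLICTS, role_functions=ROLE_FUNCTIONS):
    """Return {user: [(func_a, func_b), ...]} for each user holding a conflicting pair.

    Conflicts are evaluated on effective functions, so a toxic combination is
    caught whether it comes from several roles or from one over-broad role.
    """
    findings = {}
    for user, roles in user_roles.items():
        held = effective_functions(roles, role_functions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        print(f"{user}: " + ", ".join(" + ".join(pair) for pair in hits))
```

Running the check as part of a periodic access review turns the mapping requirement above into a repeatable control rather than a one-off exercise.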

  • External threats leading to cyber frauds/crime:

The system environment provides access to customers anytime, anywhere using the internet. Hence, the information system is open to being accessed by anyone from anywhere, which leads to an increased threat of frauds/crime.

  • Higher impact due to intentional or unintentional acts of internal employees:

Employees in a technology environment are the weakest link in an enterprise.

  • Social networking employed to acquire confidential credentials:

Fraudsters use social networks to socialize with employees and extract information to commit frauds.

  • Governance processes to adequately manage technology and information security:

Controls in the system should be implemented from a macro and business perspective and not just from a function and technology perspective.

Senior management should be involved in directing how technology is deployed and should approve appropriate policies.

  • Continuity of business processes in the event of major exigencies:

The high dependence on technology makes it necessary to ensure resilience, so that a failure does not impact services.

Hence, a documented business continuity plan is required.

Data related risks:

These include physical access to data and electronic access to data (these are discussed in Chapter 3).
