SCA and Its Place in Risk Management

Risk management comes in many shapes, sizes, frameworks, and implementations. The frequency of the act of performing a risk management assessment is dependent on the cost-benefit of performing the audit. Risk management is an actually simple idea with a complex methodology to achieve the goal: Quantify the vulnerabilities to your business and document the action taken against that vulnerability. This is in close relation to the idea of cost-benefit analysis, wherein all vulnerabilities are not equally likely to happen There are many tools and frameworks that exist to assist with your risk management needs. Some of the more popular ones are NIST Risk Management Framework (RMF), HITRUST, and Standardized Control Assessment (SCA). Each of these risk frameworks is a guide that will assist upper management in deciding on where to allocate resources, purchase additional insurance, or upgrade technology.

There are also two types of risk assessments:

Qualitative Risk Management

A qualitative risk assessment wherein vulnerabilities are assigned a respective value, making the assessment SUBJECTIVE. Typically, values assigned are LOW, MEDIUM, HIGH, and CRITICAL, which are assigned to a risk registry on several criteria including but not limited to the probability of occurrence, vulnerability impact, and mitigating solutions. This type of risk assessment does not include raw data valued numbers and is typically easier to perform, as relative values are assigned to various vulnerabilities.

Quantitative Risk Management

A quantitative risk assessment is an OBJECTIVE and more in-depth risk assessment where historical data and trends are analyzed, resulting in a numerical calculation of cost-benefit analysis. Risk Management project managers may determine via historical trends or current information, the relative costs of a vulnerability that may occur. Performing this type of analysis creates certain key terms explained below:

• ALE: Annualized Loss Expectancy is the annual expected financial loss to an asset resulting from one specific threat.
• SLE: Single Loss Expectancy is the expected financial loss due to the asset value (AV) multiplied by the exposure factor (EF). The SLE is coupled with Annualized Rate of Occurrence (ARO) to produce Annualized Loss Expectancy (ALE).
• ARO: Annualized Rate of Occurrence is the number of times a threat to one single asset is estimated to occur.
• EF: Exposure Factor is the probability that an event will occur and its likely magnitude, and equals the percentage of asset loss caused by the identified threat.
• VaR: Value At Risk is a statistic that quantifies the extent of possible financial losses within a firm, portfolio, or position over a specific time frame.

Shared Assessments Standardized Control Assessment

The Santa Fe Group Standardized Control Assessment is a risk management audit that can be used to plan, scope, and perform third-party risk assessments to verify entities’ congruence with the standard and highlight areas of improvement for continued viability. The standardized control assessment takes industry best practices and applies risk management techniques to suppliers, vendors, and third-party service providers in an attempt to mitigate any threats to continued business. There are currently 18 risk domains that can be scoped into an organization’s individual needs such as: