4. SECURITY PRACTICES FOR THE SAM ATN
4.4 Network Security
Once the potential significance of risks has been assessed, management considers how the risk should be managed. This involves applying judgment based on assumptions about the risk and reasonable analysis of costs associated with reducing the level of risk. The response need not necessarily result in the least amount of residual risk. But where a risk response would result in residual risk exceeding levels acceptable to management and the board, management revisits and revises the response. Accordingly, the balancing of risk and risk tolerance may be iterative.
Risk responses fall within the following categories:
• Acceptance—No action is taken to affect risk likelihood or impact.
• Avoidance—Exiting the activities giving rise to risk; may involve exiting a product line, declining expansion to a new geographical market, or selling a division.
• Reduction—Action is taken to reduce risk likelihood or impact, or both; typically involves any of myriad everyday business decisions.
• Sharing—Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk; common techniques include purchasing insurance products, forming joint ventures, engaging in hedging transactions, or outsourcing an activity.
In relation to risk response, management should consider:
• The potential effect on risk significance and which response options align with the entity's risk tolerance
• Requisite segregation of duties to enable the response to achieve the intended reduction in significance
• Costs versus benefits of potential responses
Evaluating Risk Response Options
In evaluating response options, management considers significance, including the effect on both likelihood and impact of the risk, recognizing that a response might affect them differently. For example, consider a company with a data center located in a region with heavy storm activity. It establishes a business continuity plan, which, while having no effect on the likelihood of a storm occurring, mitigates the impact of building damage or personnel being unable to get to work should a storm occur. On the other hand, the choice to move the computer center to another region will not reduce the impact of a comparable storm, but could reduce the likelihood of a similar storm occurring near that new location.
Resources always have constraints, and entities must consider the relative costs and benefits of alternative risk response options. Before installing additional procedures, management should consider carefully whether existing ones may be suitable for addressing identified risks. Because procedures may satisfy multiple objectives, management may discover that additional actions are not warranted or that existing procedures may be sufficient or simply need to be performed to a higher standard.
Selected Responses
There is a distinction between risk assessment, which is part of internal control, and the choice of specific risk responses and the related plans, programs, or other actions, which are part of the management process and not internal controls. Internal control does not encompass ensuring that the optimal risk response is chosen. For instance, the management of one entity may choose to share technology risk by outsourcing certain aspects of its technology processing with an entity experienced in that field (recognizing that this may also introduce new risks to the organization), while another entity may choose to retain its technology processing and develop general controls over activities for managing related technology risks. Neither of these choices should be viewed as right or wrong, as both can be effective at managing technology risks. But where a risk response would result in the residual risk exceeding risk tolerances for any category of objectives, management revisits and revises the response accordingly.
Once management has chosen to reduce or share a risk, then it can determine actions to respond to the risk and select and develop associated control activities. The nature and extent of the risk response and any associated control activities will depend, at least in part, on the desired level of risk mitigation (which is the focus of Chapter 7). In some instances, management may select a response that requires action within another component of internal control—for instance enhancing a part of the control environment.
Typically, control activities are not needed when an entity chooses to either accept or avoid a specific risk. For instance, a mining company with significant commodity price risk may decide to accept the risk as it believes that investors are aware of and accept price risk exposure. In this case, management would not implement control activities relating to commodity price exposures, but would likely implement control activities relating to other external financial reporting assertions, including completeness and valuation. There may, however, be instances where the organization decides to avoid a risk, and chooses to develop control activities in order to avoid that risk. For instance, to avoid concerns over possible fair trade practices, an organization may implement control activities barring purchasing from certain entities. Management may also need to review the level of risk in light of changes that make it no longer desirable to accept that risk, for instance if the risk exceeds the organization's risk tolerance. When management chooses not to assess a risk or does not identify a risk, it is tantamount to accepting the risk without considering potential changes in the related level of risk and whether that risk remains within its risk tolerance.