You are planning for business continuity management and accept the general assumption that risk is never reduced to zero. Which of the following statements is incorrect? (Wentz QOTD)
A. The risk refers to total risk exposure
B. The contingency reserve is a common strategy to mitigate identified risks
C. There always exists unidentified risk or black swan events
D. The outbreak of the pandemic belongs to unknown unknowns
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The outbreak of the pandemic belongs to unknown unknowns.
A pandemic is one of the most typical risks, or known unknowns, identified in the business continuity planning process. For example, Taiwan suffered the tragedy of SARS in 2003; it then improved its incident response system and revised laws and regulations to support the initiative. Most organizations did not fail to identify the outbreak of a virus or disease; rather, they underestimated the pandemic’s likelihood and impact.
Risk is the “effect of uncertainty on objectives.” (ISO 31000) Individual risks are identified and then analyzed for risk exposure, the “product of probability times potential loss for a risk factor” (ISO 24765). Total risk exposure is the sum of the individual risk exposures.
According to ISO/IEC/IEEE 24765:2017 Systems and software engineering — Vocabulary, risk exposure is commonly defined as the product of a probability and the magnitude of a consequence, that is, an expected value or expected exposure.
- potential loss presented to an individual, project, or organization by a risk. (ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management)
- function of the likelihood that the risk will occur and the magnitude of the consequences of its occurrence. (ISO/IEC 16085:2006)
- product of probability times potential loss for a risk factor.
Contingency Reserves and Management Reserves
There are four common risk response strategies: avoid, transfer, mitigate, and accept. Risk can be mitigated by reducing the uncertainty, the effect, or both. Reserves are commonly set aside as part of the risk response in initiatives and projects.
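The definitions above (exposure as probability times loss, total exposure as the sum of individual exposures) and the reserve paragraph, worked through on a small constructed BCM risk register. This is an added example, not code or data from the original post: the register entries and figures are constructed, and sizing the contingency reserve from a Monte Carlo percentile of the identified risks is one common approach assumed here, not the only one.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk (a known unknown) in the BCM risk register."""
    name: str
    probability: float  # likelihood of occurrence in the planning period (0..1)
    loss: float         # potential loss if it occurs, in currency units

    def exposure(self) -> float:
        # risk exposure = probability x potential loss (ISO/IEC/IEEE 24765)
        return self.probability * self.loss


def total_risk_exposure(register: list[Risk]) -> float:
    """Total risk exposure is the sum of the individual risk exposures."""
    return sum(r.exposure() for r in register)


def simulate_total_loss(register: list[Risk], trials: int = 20_000, seed: int = 1) -> list[float]:
    """Monte Carlo: per trial, each identified risk independently occurs with its
    own probability; returns the sorted total loss of every trial."""
    rng = random.Random(seed)
    outcomes = [sum(r.loss for r in register if rng.random() < r.probability)
                for _ in range(trials)]
    return sorted(outcomes)


def contingency_reserve(register: list[Risk], confidence: float = 0.80,
                        trials: int = 20_000, seed: int = 1) -> float:
    """Reserve for identified risks: the total loss not exceeded in `confidence`
    of the simulated periods. Unknown unknowns are absent from the register, so
    this figure says nothing about them; that is what a management reserve is for."""
    outcomes = simulate_total_loss(register, trials, seed)
    idx = min(len(outcomes) - 1, int(confidence * len(outcomes)))
    return outcomes[idx]


# Constructed sample register; the names and figures are illustrative only.
REGISTER = [
    Risk("Data-centre power failure", 0.10, 200_000),
    Risk("Key supplier outage", 0.25, 80_000),
    Risk("Pandemic disrupts staffing", 0.05, 500_000),  # identified: a known unknown
    Risk("Ransomware hits the backup system", 0.15, 300_000),
]

if __name__ == "__main__":
    print(f"expected loss (total risk exposure): {total_risk_exposure(REGISTER):,.0f}")
    print(f"contingency reserve at 80% confidence: {contingency_reserve(REGISTER):,.0f}")
```

Note that a reserve equal to the expected loss covers an average period, while the percentile covers a bad one; on this register the 80% reserve is well above the 110,000 expected loss.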
Life is like a box of chocolates. You never know what you’re gonna get.
~ Forrest Gump
There are many things we don’t become aware of or understand.
Systematic approaches to risk identification can identify or discover most risks but may not completely address unknown unknowns, the so-called black swan events. The following diagram demonstrates common risk identification techniques:
References
- Contingency Reserve vs Management Reserve
- Black swan theory
- 5th Edition PMBOK® GUIDE—Chapter 7: Contingency Reserves and Management Reserves
- Contingency Reserve and Management Reserve
- A model to develop and use risk contingency reserve
- Addressing Trump’s “Known Unknowns”
- Uncovering the hidden data: the unknown, knowns
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.