How is the Risk Management process different from FMEA?
Define the business context and scope of the risk assessment domains
Risk Assessment / Analysis
Managing third party risk is a critical challenge facing Information Security leaders today. High-profile data breaches are reported regularly in the media. Regulators are increasing the focus on requirements for identifying and managing risk for third parties, particularly for financial services and retail corporations. In line with added scrutiny on cybersecurity and data breach practices, boards of directors are more frequently raising questions about the state of controls for critical third parties.
Establishing a third party risk management program means tackling several problems, such as the sheer number of third parties to assess. Using a disciplined approach and best practices such as third party tiering can help to reduce the problem to a more manageable size.
What is third party tiering?
Any project has a mandate to do program-level risk management, which handles risks such as delays, effort, coding, dependencies, the client environment and so on. The project appoints a security manager because ISO 27001 certification is required, and he immediately comes up with an additional task: please perform security risk management; here is the IRM methodology you need to understand, and then assess information security risks based on it.
Response from project management... I'm too tied up with project deliverables... don't have time to understand one more methodology... Already doing CRM... Why don't you do it for our project... Take a trainee if required...
Security Manager: Hey... IRM is not a trainee's job... we require someone who understands the project...
And the argument goes on... or the Security Manager bows down. IRM remains more of a compliance issue than a tool to manage real security risks.