#28 – ISO 31K SOFTWARE AND IT RISK MANAGEMENT – GARY GACK

When applying Enterprise Risk Management (ERM), as in much else in life, the devil is in the details. The details are especially critical when attempting to apply standards such as ISO 31000 to software and IT intensive systems. ISO 31000 describes principles, a framework, and a high-level process for ERM. ISO 31000 clause 5 identifies the process steps listed below; in this article I will focus on risk assessment and risk treatment as they apply to software and IT intensive contexts.

  • 5.2 Communication and consultation
  • 5.3 Establishing the Context
  • 5.4 Risk assessment
    • 5.4.2 Risk Identification
    • 5.4.3 Risk Analysis
    • 5.4.4 Risk Evaluation
  • 5.5 Risk Treatment