Title of invention Standardized Technology and Operations Risk Management (STORM)
Abstract A computer system analyzing a risk by identifying and assessing the risks, determining the disposition of the risks, monitoring and mitigating the risks, and reporting the risk items across an information technology system. A risk assessment tool may map known risk items into a risk framework as well as map risk categories between different risk frameworks. The risk management tool may also identify a root cause through a defined root cause dictionary based on an identified risk or the associated risk category of the identified risk. This capability may enable a user to analyze end-to-end operations, particularly where the main areas of risk are and where new controls or modified existing controls should be implemented. The risk management tool may also provide risk assessment reports that are expressed in a common risk language with operations associates, with internal auditors, external auditors and regulatory bodies, and with government agencies.
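Application publication number US2015142509(A1) Application publication date 2015.05.21
Application number US201514607313 Filing date 2015.01.28
Applicant Bank of America Corporation Inventor Treacey Robert;O'donnell Lisa Christine
Classification number G06Q10/06 Main classification number G06Q10/06
Agency Agent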
Main claim 1. A computer-assisted method comprising: obtaining, by a risk management computer system, risk information about an organization for an identified risk, the risk information including a first risk framework; mapping, by the risk management computer system, a risk category of the identified risk from the first risk framework to a second risk framework; determining a mitigation plan for the identified risk, wherein the mitigation plan comprises a plurality of mitigation milestones and an order for completing the plurality of mitigation milestones and wherein the plurality of mitigation milestones including a first mitigation milestone and a second mitigation milestone; adjusting a risk score of the identified risk to obtain a residual score based on completing the first mitigation milestone while the second mitigation milestone is pending and in accordance with the order for completing the plurality of mitigation milestones; and tailoring, by the risk management computer system, a risk analysis report from the risk information about the organization based on one risk framework selected from the first risk framework and the second risk framework according to a targeted audience of the risk analysis report, wherein the risk analysis report includes the identified risk and the targeted audience is one of a plurality of targeted audiences and wherein at least one of the targeted audiences is external to the organization.
Address Charlotte NC US