When a risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives, the element of the risk register that should be updated is the risk likelihood. Here’s why:
Risk Likelihood:
Risk likelihood refers to the probability that a risk event will occur.
Observing an increasing trend of inappropriate behavior (such as copying sensitive information) indicates a higher probability of occurrence, thus increasing the risk likelihood.
Risk Impact:
While the impact of such actions could be significant, the increasing trend specifically affects the likelihood rather than the immediate impact.
The risk impact remains constant unless there is a change in the potential damage caused by the action.
Key Risk Indicator (KRI):
This observation might serve as a KRI, but the immediate action is to update the likelihood in the risk register, reflecting the increased probability.
Risk Appetite:
Risk appetite defines the level of risk an organization is willing to accept. This observation suggests a deviation but does not directly affect the risk appetite itself.
[References:, The CRISC Review Manual emphasizes the importance of regularly updating the risk likelihood based on new observations and trends (CRISC Review Manual, Chapter 2: IT Risk Assessment, Section 2.9.1 Inherent Risk)., , , , , , , , , ]