Risk Management

Overview

All of us perform numerous risk assessments in our everyday life, usually without realising it. The classic case is whether or not to cross the road. We weigh up the threats posed by the traffic and other influences, the impact if those risks crystallise, and the cost of taking any precautions, and then decide whether or not to act. We make these decisions automatically and instinctively.

Whilst on an individual basis this approach is perfectly acceptable, as we are in control of our own lives, it is too subjective for the protection of your corporate information and your other organisational assets. You need a consistent approach to managing these risks, so that any competent person undertaking a risk assessment by following your chosen methodology will arrive at similar conclusions.

There are two main approaches to risk management, quantitative risk assessment and qualitative risk assessment, or a hybrid approach combining the two. Quantitative risk assessment tries to calculate objective numeric values for each of the components gathered during the assessment and to derive a cost-benefit analysis from them. Qualitative risk assessment uses relative values, pre-defined by the organisation, rather than numeric ones.

Service Offering

A-GRC Consultants have significant experience of delivering information risk management for a variety of organisations.

A-GRC has experience of, and has worked with, the following national and international risk standards:

  • AS / NZS 4360 (Australia / New Zealand)
  • BS 31100 (British)
  • BS 7799 Part 3 (British)
  • ISO 13335-3 (International)
  • ISO 27001 (International)
  • ISO 27005 (International)
  • ISO 31000 (International)
  • NIST 800-30 (USA)

In addition to these standards, there are numerous risk assessment and management tools available ranging from a simple Excel spreadsheet to a fully integrated risk management system.

A-GRC can:

  • advise on project risk management
  • assist in defining risk treatment options
  • define appropriate risk assessment and treatment processes for your organisation
  • develop and implement your corporate risk register
  • identify alternate or compensating controls, where necessary
  • implement risk management procedures within your organisation
  • implement your chosen risk treatment options
  • perform risk assessments for you, using your chosen methodology
  • train your staff in the relevant risk management processes and procedures
  • undertake risk assessments of major projects and programmes
  • undertake risk management services for a variety of management system standards (e.g. ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 45001, etc.)
  • undertake strategic risk assessments of ICT infrastructures

Approach

A-GRC will help Clients to:

  • identify
  • formalise
  • document
  • implement
  • operate
  • train their employees in

appropriate risk management programs. The A-GRC approach takes into account the complex business, competitive, regulatory and compliance drivers that affect our Clients’ businesses and the achievement of their goals.

Different Clients will have and use different approaches and / or tools, and A-GRC has worked with many of the major tools. In essence, all risk management approaches are similar and involve the following steps:

  • identify the scope or context for the risk assessment
  • identify the assets within the scope or context
  • identify the asset owners
  • value the assets
  • identify the threats to those assets and evaluate them
  • identify the vulnerabilities in those assets and likelihood of the identified threats exploiting them
  • identify the impact of that exploitation
  • identify existing controls in place and their effectiveness
  • identify the organisation’s risk appetite
  • compare the residual risk with the risk appetite
  • take appropriate action if the residual risk exceeds the risk appetite
  • monitor all risks regularly and take action as appropriate

Note: Assets can be tangible as well as intangible such as reputation.
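The steps above, as an added example that is not part of A-GRC's material: a small qualitative risk register in Python that values each asset, scores the likelihood and impact of a threat exploiting a vulnerability, credits existing controls, and compares the residual risk with the organisation's risk appetite. The 1-to-5 scales, the rule that controls reduce likelihood only, and the register entries are assumptions made for illustration.

```python
# Qualitative scales assumed for this example: every factor is scored 1 (lowest) to 5 (highest),
# so a combined score ranges from 1 to 125. All scale values and register entries are constructed.
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    owner: str  # the asset owner identified during the assessment
    value: int  # business value, 1-5; intangible assets such as reputation are valued the same way

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                     # chance the threat exploits the vulnerability, 1-5
    impact: int                         # consequence if it does, 1-5
    control_effectiveness: float = 0.0  # 0.0 = no existing control, 1.0 = control removes the likelihood

    def inherent_score(self):
        # risk before existing controls are credited
        return self.asset.value * self.likelihood * self.impact

    def residual_score(self):
        # existing controls are assumed to reduce likelihood only, not asset value or impact
        residual_likelihood = self.likelihood * (1 - self.control_effectiveness)
        return round(self.asset.value * residual_likelihood * self.impact, 1)

def needs_treatment(risk, appetite):
    # action is required only where residual risk exceeds the organisation's appetite
    return risk.residual_score() > appetite
def build_register(risks, appetite):
    """Risk register rows, highest residual risk first, each flagged for treatment or acceptance."""
    rows = [{"asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
             "inherent": r.inherent_score(), "residual": r.residual_score(),
             "action": "treat" if needs_treatment(r, appetite) else "accept"} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)
# Constructed sample: one tangible asset, one intangible asset and one low-value asset.
CRM = Asset("customer database", "Head of Sales", 5)
REPUTATION = Asset("corporate reputation", "Chief Executive", 4)
PRINTER = Asset("office printer", "Facilities Manager", 1)
SAMPLE_RISKS = [
    Risk(CRM, "external attacker", "unpatched web application", 4, 5, control_effectiveness=0.5),
    Risk(REPUTATION, "negative press after a breach", "no incident communications plan", 2, 4),
    Risk(PRINTER, "hardware failure", "no maintenance contract", 3, 2),
]
RISK_APPETITE = 25  # assumed: the highest residual score the organisation accepts without treatment
if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{row['asset']:<22} inherent={row['inherent']:>4} residual={row['residual']:>5} -> {row['action']}")
```

The customer database keeps a residual score of 50 even after its control is credited, and the intangible reputation risk of 32 has no control at all, so both exceed the assumed appetite of 25 and are flagged for treatment, while the printer is accepted.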

There is no ‘one size fits all’, and A-GRC is skilled at building risk management processes appropriate to its Clients’ needs.

Selection of controls to address risks can come from a variety of sources, the most common being:

  • ISO 27001
  • CoBIT
  • ITIL / ISO 20000
  • NIST 800-53

Benefits

A-GRC can help its Clients by providing:

  • advice on the implementation of appropriate risk management processes for a variety of management standards
  • assurance that you have identified all assets at risk within your scope of risk management
  • evaluation of risk treatment options
  • expertise to review past risk assessments
  • independent and unbiased risk management advice
  • training for your employees in undertaking risk assessments using a variety of tools and methodologies