# Risk Fundamentals

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| ERM | Enterprise Risk Management |
| KRI | Key Risk Indicator |

# Glossary

Asset: Anything of value to a company.

Enterprise risk management (ERM) is the overall management of risk for an organization, aligned to the organization's governance and risk tolerance. It covers all areas of risk, not merely those concerned with technology.

An instance of compromise.

Natural disasters are a category of risks to cloud deployments that is based solely on geography and location. Regulatory violations are not always based on location. They can also be based on the type of industry.

Reputational risk is the loss of value of a brand or the ability of an organization to persuade.

Residual risk: The risk that remains after controls have been implemented.

Risk appetite is the total risk that the organization can bear in a given risk profile, usually expressed in aggregate. Risk appetite is set by senior management and is the level, amount, or type of risk that the organization finds acceptable.

  • Organizations accept a level of risk that allows operations to continue in a successful manner.
  • It is legal and defensible to accept risks higher than the norm, or greater than your competitors accept, except risks to health and human safety; these must be addressed to the industry standard or to whatever regulatory requirements your organization is subject to.

As risk appetite or tolerance increases, so does the willingness to take greater and greater risks.

These are the individuals in the organization who together determine the organization's overall risk profile. For example, while one department may be willing to take moderately high risks in engaging cloud activities, another may have a lower risk tolerance. It is the aggregate of these individual tolerances that determines the organization's overall risk appetite.

The risk profile of the organization is a comprehensive analysis of the possible risks the organization is exposed to. It lists the identified risks and their potential effects.

The risk profile is determined by an organization's willingness to take risks as well as the threats to which it is exposed. The risk profile should identify the level of risk to be accepted, the way risks are taken, and the way risk-based decision making is performed. Additionally, the risk profile should take into account potential costs and disruptions should one or more risks be exploited.

Risk tolerance is the level of risk that an organization can accept per individual risk.

Secondary risk: A new risk created when a risk response itself triggers another risk event. For example, a fire suppression system that displaces oxygen mitigates the original risk (fire) but adds a new risk (suffocating people).

Threat: Something that could cause loss to all or part of an asset.

Threat actor: Something or someone that carries out the attack. Also known as a threat agent.

Threat agent: Something or someone that carries out the attack. Also known as a threat actor.

Inherent risk: The risk that exists before any controls are implemented.
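The glossary terms above (inherent risk, residual risk, risk tolerance, risk appetite and secondary risk) fit together as a small risk register. The following Python is an added example, not part of the original notes; the five-point likelihood and impact scales, the multiplicative control-effectiveness model, the sample risks and the tolerance and appetite figures are all constructed assumptions. It shows the one thing the definitions only state in words: the per-risk tolerance check and the aggregate appetite check can disagree, and a control's secondary risk has to be counted in the register like any other risk.

```python
from dataclasses import dataclass, field

# Assumed scoring model: likelihood and impact on 1-5 scales, inherent = likelihood * impact,
# and each control removes a fraction of whatever risk is left when it is applied.

@dataclass
class Control:
    name: str
    effectiveness: float                        # fraction of remaining risk removed, 0.0 to 1.0
    secondary_risks: list = field(default_factory=list)  # risks this control introduces

@dataclass
class Risk:
    name: str
    likelihood: int                             # 1 (rare) to 5 (almost certain)
    impact: int                                 # 1 (negligible) to 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Risk score before any control is applied."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Risk score left after each control removes its share of what remains."""
        score = self.inherent()
        for control in self.controls:
            score *= 1.0 - control.effectiveness
        return score

def secondary_risks(register):
    """Every risk introduced by a control somewhere in the register."""
    return [s for risk in register for control in risk.controls for s in control.secondary_risks]

def evaluate(register, tolerance, appetite):
    """Check each risk against the per-risk tolerance and the sum against the appetite.

    Secondary risks are folded into the register before either check runs, so a
    control that trades one risk for another cannot hide the new one.
    """
    full_register = register + secondary_risks(register)
    over_tolerance = [r.name for r in full_register if r.residual() > tolerance]
    total = sum(r.residual() for r in full_register)
    return {
        "residual_total": total,
        "within_appetite": total <= appetite,
        "over_tolerance": over_tolerance,
    }

def build_sample_register():
    """Constructed sample data, loosely based on the page's fire-suppression example."""
    suffocation = Risk("Suffocation from suppressant gas", likelihood=1, impact=5)
    gas_suppression = Control("Gas fire suppression", effectiveness=0.75,
                              secondary_risks=[suffocation])
    fire = Risk("Data center fire", likelihood=2, impact=5, controls=[gas_suppression])

    exit_plan = Control("Documented provider exit plan", effectiveness=0.5)
    lock_in = Risk("Provider lock-in", likelihood=4, impact=3, controls=[exit_plan])
    return [fire, lock_in]

if __name__ == "__main__":
    register = build_sample_register()
    for r in register + secondary_risks(register):
        print(f"{r.name:40s} inherent={r.inherent():5.1f} residual={r.residual():5.1f}")
    print(evaluate(register, tolerance=5.0, appetite=15.0))
```

With the sample figures the register stays within the aggregate appetite (13.5 against 15), yet "Provider lock-in" still breaches the per-risk tolerance of 5, which is exactly the distinction between appetite and tolerance the glossary draws; dropping the secondary-risk step would understate the total by 5 points.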

# Risk Types

  • Provider lock-in
  • Loss of governance
  • Compliance risks
  • Provider exit (vendor lock-out)
  • Impact of a single point of failure (SPOF)
  • Increased need for technical skills
  • Provider assumes more control over technical risks (loss of governance)
  • Guest breakout
  • Snapshot and image security
  • Sprawl
  • Management plane breach
  • Resource exhaustion
  • Isolation control failure
  • Insecure or incomplete data deletion
  • Control conflict risk
  • Software-related risks
  • Data protection
  • Jurisdiction
  • Law enforcement
  • Licensing
  • Natural disasters
  • Unauthorized access
  • Social engineering
  • Default passwords
  • Network attacks