Core Activity D – Evaluate and mitigate risk

Assessment Outcomes

  • I can evaluate risks and recommend responses and can maintain the corporate risk register.
  • I can identify ethical dilemmas and recommend suitable responses.
  • I can evaluate and mitigate cyber risks.
  • I can recommend internal controls.

Different Categories of Risks

Strategic and Operational Risks:

  • Strategic risks are risks to the strategy itself, such as entering the wrong market or adopting the wrong business model.
  • Operational risks relate to matters that can go wrong in day-to-day operations, i.e. failures of economy, efficiency and effectiveness (the 3Es).

Other categories of risk:

  • Entrepreneurial/Competition risk
  • Product/Market risk
  • Legal risks
  • Health and safety risk
  • Reputation risk
  • Political risks
  • Technological risk
  • Environmental risk

Financial risk:

  • Credit risk
  • Liquidity risk
  • Currency risk
  • Interest rate risk
  • Derivative risk

CIMA’s Risk Management Cycle

The framework consists of four key steps:

  • Identify the risks: This involves identifying potential risks that could affect the organization's objectives.
  • Assess the risks: This involves evaluating the likelihood and impact of each identified risk.
  • Manage the risks: This involves developing and implementing strategies to manage the identified risks.
  • Monitor and review: This involves monitoring the effectiveness of the risk management strategies and reviewing them regularly to ensure they remain appropriate and effective.

Risk Identification

Risk identification is the process of identifying potential risks that could impact an organization's objectives. It involves a systematic and structured approach to identifying all possible risks that may occur in a given situation.

Here are some key points to keep in mind about risk identification, including the use of a risk register:

  • A risk register is a tool that is commonly used in risk identification to record and track potential risks.
  • To identify risks, it's important to consider both internal and external factors that could impact the organization.
  • Risks can be categorized into different types such as strategic, operational, financial, or reputational risks.
  • Techniques such as brainstorming, checklists, and SWOT analysis can be used to help identify potential risks.
  • It's important to involve stakeholders and experts in the risk identification process to ensure all perspectives and knowledge are considered.
  • The identified risks should be evaluated in terms of likelihood and potential impact to prioritize which risks should be addressed first.
  • Once identified, risks should be recorded in a risk register, which is a document that provides a comprehensive overview of all identified risks and their associated details.

Risk exposure quantification

  • Expected values: the probability-weighted average outcome.
  • Volatility: the spread of outcomes around the expected value, usually measured as standard deviation.
  • Value at risk (VaR): the largest loss that is not expected to be exceeded over a given period at a given confidence level. For example, a one-day VaR of $10 at 99% confidence means that on 99 days out of 100 the loss should be no worse than $10, and on about 1 day in 100 it will be worse. VaR marks where the tail begins; it says nothing about how bad that 1% tail can be.
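The three measures above, worked through in code. This is an added illustration, not part of the course notes: the 20-day profit/loss sample and the 99%/1% scenario are constructed, and the VaR is the simple historical (percentile) form. It also computes expected shortfall, which the notes do not mention, because it shows the limit of VaR: in the 99%/1% scenario the single $10 loss sits entirely inside the 1% tail, so the 99% VaR does not report it at all.

```python
"""Risk exposure quantification on a constructed sample of daily P&L.

Added illustration, not part of the course notes. Positive values are
gains, negative values are losses; all figures are made up.
"""
import math
import statistics

# Constructed sample: 20 days of profit/loss in dollars for one position.
SAMPLE_PNL = [12, 8, -3, 15, 4, -20, 7, 9, -1, 11,
              6, -45, 3, 10, 5, -8, 14, 2, -12, 13]

# The scenario from the notes: 99 outcomes earn $100, one outcome loses $10.
NOTES_SCENARIO = [100] * 99 + [-10]


def expected_value(pnl):
    """Probability-weighted average outcome (here: the sample mean)."""
    return statistics.fmean(pnl)


def volatility(pnl):
    """Sample standard deviation: how widely outcomes spread around the mean."""
    return statistics.stdev(pnl)


def historical_var(pnl, confidence):
    """Historical Value at Risk at the given confidence level (0 < confidence < 1).

    Returns the smallest loss L such that at least `confidence` of the observed
    outcomes lost no more than L. Losses are positive numbers; a negative result
    means that even the worst outcome inside the confidence band was a gain.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    losses = sorted(-p for p in pnl)
    # The 1e-9 guards against floating-point products such as 19.000000000000004
    # pushing ceil() one observation too far into the tail.
    k = math.ceil(confidence * len(losses) - 1e-9) - 1
    return losses[max(0, min(k, len(losses) - 1))]


def expected_shortfall(pnl, confidence):
    """Average loss on the outcomes worse than the VaR threshold.

    VaR only marks where the tail begins; expected shortfall says how bad the
    tail is on average. If no outcome exceeds VaR, VaR itself is returned.
    """
    var = historical_var(pnl, confidence)
    tail = [-p for p in pnl if -p > var]
    return statistics.fmean(tail) if tail else var


if __name__ == "__main__":
    print("expected value:", expected_value(SAMPLE_PNL))
    print("volatility:", round(volatility(SAMPLE_PNL), 2))
    print("95% VaR:", historical_var(SAMPLE_PNL, 0.95))
    print("95% expected shortfall:", expected_shortfall(SAMPLE_PNL, 0.95))
    # At 99% confidence the single $10 loss falls entirely in the 1% tail, so
    # the 99% VaR of the notes' scenario is a gain (-100) and only the expected
    # shortfall reveals the $10 loss.
    print("notes scenario 99% VaR:", historical_var(NOTES_SCENARIO, 0.99))
    print("notes scenario 99% ES:", expected_shortfall(NOTES_SCENARIO, 0.99))
```

On the constructed sample the 95% VaR is a $20 loss but the expected shortfall beyond it is $45: the one figure a board tends to be shown (VaR) understates what actually happens on the bad days.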

Risk Strategy (TARA Framework)

Risk Transfer

  • Businesses arrange a wide range of insurance policies for protection against possible losses.
  • Setting up a joint venture arrangement/franchise agreement would be a way to transfer risks to 3rd parties.
  • This strategy is used where the likelihood of the risk occurring is low but its impact, should it occur, would be high.

Risk Avoidance

  • Totally reject a project if the likelihood of the risk is high and the impact is great. Normally, a business with a low risk appetite will use this strategy.

Risk Reduction

  • Use internal control procedures to reduce the likelihood of the risk occurring, or to decrease the adverse effects should it occur. This strategy suits risks with a high likelihood but a low impact. Examples include segregation of duties, authorisation limits and reconciliations, and the cyber controls described later in these notes (up-to-date software, access control, backups).

Risk Acceptance

  • Accept the risk and take no specific measures to deal with it beyond keeping it under review.
  • This strategy is used where the likelihood of the risk occurring is low and its impact, should it occur, would also be low.

Principle: ALARP (As Low As Reasonably Practicable). Residual risk should be reduced until the cost of reducing it further would be grossly disproportionate to the benefit gained; ALARP does not require risk to be eliminated.

Implementation and Monitor Risks

  • Identifying the risks that exist within an organisation.
  • Assessing those risks in terms of likelihood of occurrence and impact on the organisation should the risk actually occur.
  • Reviewing the controls that are in place to prevent and/or detect the risk and assessing whether they are appropriate.
  • Informing the board (or the risk management committee where one exists) about risks which are outside acceptable levels or where controls over specific risks are ineffective. Whistleblowing channels provide a further route by which such issues can reach the board.

Risk Manager/Function Role (FIRST)

The risk manager may be drawn from the board, for example from the risk committee.

  • Framework - A risk manager is responsible for establishing risk management (RM) policies and the RM system, i.e. risk identification, risk assessment, risk strategy and risk management implementation.
  • Insurance - The risk manager needs to deal carefully with insurers because of increased premium costs, restrictions in the cover available (will particular risks be excluded from cover?) and the need for negotiations if claims arise.
  • Reporting - The risk manager is responsible for reporting to management and the risk committee as appropriate, including identification of the risks, assessment of the likelihood and impact of each risk, the chosen risk strategy, etc.
  • Strict Compliance - Ensuring compliance with relevant codes and regulations, e.g. the Sarbanes-Oxley Act.
  • Training - This includes training managers and staff to help them develop risk management expertise and helping managers deal with the risks they face.

CIMA Code of Ethics

  • Integrity
  • Objectivity
  • Professional competence and due care
  • Confidentiality
  • Professional behaviour


  • Professional, legal and regulatory
  • Work environment
  • Individual’s actions

Managing Reputational Risks

  • Governance
  • Employee relations
  • Environmental awareness
  • External relations
  • CSR
  • Risk professionals
  • Policy framework
  • Risk sensing tools

Types of cyber security risk

  • Application attacks: This involves attackers exploiting vulnerabilities in software applications to gain unauthorized access to sensitive information or to disrupt business operations.
  • Malware: This refers to malicious software that is designed to damage, disrupt or gain unauthorized access to computer systems or networks. Malware can take various forms, such as viruses, worms, and Trojan horses.
  • Hackers: These are individuals or groups who attempt to gain unauthorized access to computer systems or networks with malicious intent. Hackers can use a variety of techniques, such as phishing, social engineering, or brute-force attacks, to infiltrate systems and steal sensitive data.

Social engineering

Social engineering is a technique used by attackers to manipulate individuals into divulging sensitive information or performing actions that may compromise security.

The six principles of influence commonly employed in social engineering are:

  • Reciprocity: This involves the attacker offering something to the target in exchange for information or action.
  • Scarcity: The attacker creates a sense of urgency or scarcity to persuade the target to act quickly.
  • Authority: The attacker may impersonate a person in authority or position of trust to gain the target's confidence.
  • Consistency: The attacker may use the target's previous actions or statements to influence them to comply with the request.
  • Liking: The attacker may try to establish a connection with the target, building rapport and trust.
  • Consensus: The attacker may use the principle of social proof to influence the target, suggesting that others have already complied with the request.

Risk of security vulnerabilities

Security vulnerabilities can pose significant risks to organizations.

These vulnerabilities can be categorized into three types:

  • Technical vulnerabilities: These are weaknesses in software, hardware, or network systems that can be exploited by attackers to gain unauthorized access to sensitive information or disrupt business operations.
  • Procedural vulnerabilities: These are weaknesses in policies, procedures, or practices that can be exploited by attackers to gain access to sensitive information or disrupt business operations.
  • Physical vulnerabilities: These are weaknesses in physical security measures, such as access controls, surveillance systems, and environmental controls, that can be exploited by attackers to gain unauthorized access to facilities or equipment.

The implications of security vulnerabilities can be severe and include:

  • Downtime: Security vulnerabilities can cause system failures, leading to business interruptions and downtime.
  • Reputation: Security incidents can damage an organization's reputation and erode customer trust.
  • Customer loss: Security incidents can result in the loss of customers who no longer trust the organization with their sensitive information.
  • Legal consequences: Organizations can face legal consequences, such as fines and lawsuits, if they fail to adequately protect sensitive information or comply with applicable regulations.

Cyber security processes

Effective cybersecurity practices involve several key processes, including:

  • Governance and objectives: This involves establishing clear policies, procedures, and objectives for cybersecurity across the organization, including defining roles and responsibilities for managing security risks.
  • Roles: It is important to assign specific roles and responsibilities to personnel within the organization to manage security risks effectively. This can include designating a Chief Information Security Officer (CISO) or other security-related roles to oversee cybersecurity processes.
  • Communication: Communication is crucial to ensure that everyone within the organization is aware of the security risks and how to handle them. This includes both internal communication within the organization and external communication with stakeholders.
  • Internal communication: This involves ensuring that all employees are aware of the organization's cybersecurity policies and procedures, and have the necessary training to identify and respond to potential security threats.
  • External communication: It is essential to maintain open communication with external stakeholders, such as customers, vendors, and partners, to ensure that everyone is aware of security risks and can take appropriate measures to protect sensitive information.

Protection of businesses (Cyber Security)

Cybersecurity is crucial for businesses to protect their digital assets and sensitive information.

Some of the things that need to be protected include:

  • Devices: This includes all devices that connect to the organization's network, such as computers, smartphones, and tablets.
  • Servers: These are critical components of the network that store and process sensitive data.
  • Networks: The organization's network infrastructure needs to be secured to prevent unauthorized access and ensure data privacy.

Methods of protection can include:

  • Policies: Clear policies and guidelines need to be established to ensure that all employees are aware of cybersecurity risks and best practices.
  • Configurations: Proper configuration of devices, servers, and network components is essential to reduce the risk of cyber attacks.
  • Software: The use of up-to-date software is essential to protect against known vulnerabilities and exploits.
  • Application controls: These help to prevent unauthorized access to critical applications and data.
  • Security products: A variety of security products, such as firewalls and intrusion detection systems, can be used to protect against cyber threats.

Types of protection can include:

  • Identification: a user or device claims an identity, for example by presenting a username, account ID or device certificate. On its own this proves nothing.
  • Authentication: the claimed identity is verified, for example with a password, a hardware token or a biometric, and ideally with more than one factor (MFA), so that a stolen password alone is not enough.
  • Authorization: once authenticated, the user is granted only the specific privileges their role requires (least privilege), and those privileges are checked on every access, not just at login.
  • Encryption: data is transformed into ciphertext that cannot be read without the key, protecting it at rest and in transit even if the storage medium or network is compromised.
  • Certificates: digital certificates bind a public key to the identity of a website, device or user, and are used to verify that identity.
  • Physical security: This includes measures such as security cameras, access control systems, and biometric authentication to prevent physical theft or damage of devices.
  • Blockchain: a distributed, append-only ledger in which each block is cryptographically linked to the previous one, so that past records cannot be altered without detection. It protects the integrity of the record, not the confidentiality of its contents.
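The first three items above are easy to blur together, so here they are as three separate checks in working code. This is an added example, not part of the course notes: the user records, roles and passwords are constructed, the password hashing uses PBKDF2-HMAC-SHA256 at the OWASP-recommended 600,000 iterations, and the login deliberately returns the same message for an unknown user and a wrong password so that the endpoint cannot be used to enumerate valid usernames.

```python
"""Identification, authentication and authorisation as three separate steps.

Added example, not from the course notes. The user records, roles and
passwords below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256

# Authorisation policy: which actions each role may perform (least privilege).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "analyst": {"read"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a slow, salted hash so a stolen user table cannot be reversed cheaply."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def build_user_store() -> Dict[str, dict]:
    """Constructed user table; the salted hash is all that is stored, never the password."""
    store = {}
    for name, password, role in [("alice", "correct horse battery staple", "admin"),
                                 ("bob", "hunter2-but-longer", "analyst")]:
        salt, digest = hash_password(password)
        store[name] = {"salt": salt, "hash": digest, "role": role}
    return store


@dataclass
class Decision:
    allowed: bool
    reason: str           # precise reason, for the server-side audit log only
    client_message: str   # generic message shown to the caller


def identify(store, username):
    """Identification: the caller claims an identity. A lookup proves nothing yet."""
    return store.get(username)


def authenticate(record, password) -> bool:
    """Authentication: verify the claim against the stored hash in constant time."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def authorize(record, action) -> bool:
    """Authorisation: an authenticated user may only perform actions their role permits."""
    return action in ROLE_PERMISSIONS.get(record["role"], set())


def access(store, username, password, action) -> Decision:
    """Run the three checks in order and return a decision.

    Unknown user and wrong password deliberately produce the same client
    message so the login endpoint cannot be used to enumerate valid usernames.
    """
    record = identify(store, username)
    if record is None:
        return Decision(False, "unknown user", "invalid username or password")
    if not authenticate(record, password):
        return Decision(False, "authentication failed", "invalid username or password")
    if not authorize(record, action):
        return Decision(False, f"role {record['role']} may not {action}", "forbidden")
    return Decision(True, "allowed", "ok")


if __name__ == "__main__":
    users = build_user_store()
    print(access(users, "alice", "correct horse battery staple", "delete"))
    print(access(users, "bob", "hunter2-but-longer", "delete"))   # authenticated, not authorised
    print(access(users, "carol", "anything", "read"))             # never identified
```

Note that `authorize` is a check on a specific action, not a flag set at login: an analyst who authenticates successfully is still refused `delete`, which is the point of separating the third step from the second.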

Detection - Complete protection/prevention is not possible

  • Application monitoring
  • Continuous monitoring
  • Centralized detection
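What "centralized detection" looks like once logs from many hosts land in one place: a detector that reads authentication events and raises an alert on a burst of failed logins from one source, and a higher-priority alert when that same source then logs in successfully. This is an added example, not part of the course notes; the log lines, host name and IP addresses (from the RFC 5737 documentation ranges) are constructed, and the regular expression covers only the line shapes shown here, not every variant real sshd emits.

```python
"""Centralised detection over constructed SSH authentication log lines.

Added example, not from the course notes. The log lines, host name and IP
addresses (RFC 5737 documentation ranges) are made up; real sshd output has
more variants than the regular expression below handles.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, one event per line). The last line is a
# shape the parser does not understand, to show how unparsed lines are handled.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[4021]: Failed password for admin from 203.0.113.5 port 51234
2024-05-01T10:00:03Z host1 sshd[4021]: Failed password for admin from 203.0.113.5 port 51235
2024-05-01T10:00:04Z host1 sshd[4021]: Failed password for root from 203.0.113.5 port 51236
2024-05-01T10:00:06Z host1 sshd[4021]: Failed password for admin from 203.0.113.5 port 51237
2024-05-01T10:00:09Z host1 sshd[4021]: Failed password for admin from 203.0.113.5 port 51238
2024-05-01T10:00:15Z host1 sshd[4021]: Accepted password for admin from 203.0.113.5 port 51239
2024-05-01T10:05:00Z host1 sshd[4022]: Failed password for alice from 198.51.100.7 port 40000
2024-05-01T10:30:00Z host1 sshd[4023]: Failed password for alice from 198.51.100.7 port 40001
2024-05-01T10:31:00Z host1 sshd[4024]: Accepted publickey for alice from 198.51.100.7 port 40002
2024-05-01T10:32:00Z host1 sshd[4025]: Connection closed by 198.51.100.7 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if the shape is unknown."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (alerts, unparsed_count).

    Alerts of kind "brute_force" fire when one source IP accumulates `threshold`
    failures inside `window`; "success_after_brute_force" fires when such a
    source then authenticates successfully, which is the alert to act on first.
    """
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the window
    alerted_ips = set()
    unparsed = 0
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            unparsed += 1   # a blind spot in the detector: count it, do not silently drop it
            continue
        q = recent_failures[event["ip"]]
        while q and event["time"] - q[0] > window:   # slide the window forward
            q.popleft()
        if event["result"] == "Failed":
            q.append(event["time"])
            if len(q) >= threshold and event["ip"] not in alerted_ips:
                alerted_ips.add(event["ip"])
                alerts.append({"kind": "brute_force", "ip": event["ip"],
                               "failures": len(q), "time": event["time"]})
        elif len(q) >= threshold:
            alerts.append({"kind": "success_after_brute_force", "ip": event["ip"],
                           "user": event["user"], "time": event["time"]})
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("unparsed lines:", skipped)
```

Two design points a practitioner would check: the window slides on every event (so two isolated failures half an hour apart, as from 198.51.100.7, do not accumulate), and lines the parser cannot read are counted rather than discarded, because an unparsed-line count that suddenly rises is itself a signal that the log format changed and the detector has gone blind.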


Response - A structured and quick response is required:

  • Designated teams or departments: Companies should have specific teams or departments responsible for responding to cyber security incidents. These teams should be well-trained, and have the necessary resources to identify and mitigate threats quickly.
  • Business Continuity Planning (BCP): BCP involves creating a plan to ensure that essential business functions can continue in the event of a disruption. This can include restoring systems, data, and applications that may have been impacted by a cyber security incident.
  • Disaster Recovery Planning (DRP): DRP focuses on restoring IT infrastructure and systems that may have been impacted by a disaster. This may involve restoring backups, activating disaster recovery sites, and replacing damaged hardware or software.
  • Regular backups: Regular backups are essential for ensuring that data can be restored quickly in the event of a cyber security incident. Backups should be stored offsite, with at least one copy kept offline or otherwise immutable so that an attacker who gains access to the network (for example with ransomware) cannot destroy the backups as well, and they should be tested regularly by actually restoring from them.

Advanced Processes:

  • Forensic analysis: Forensic analysis involves using specialized tools and techniques to investigate cyber security incidents. This may include analyzing network traffic, examining system logs, and reviewing files and folders to determine the extent of an attack.
  • Penetration testing: Penetration testing involves simulating an attack on a company's systems in order to identify vulnerabilities that could be exploited by an attacker. This testing can be conducted internally or by a third-party service provider.
  • Malware analysis: Malware analysis involves analyzing malicious software in order to identify how it works, what it does, and how it can be removed. This can help companies develop strategies for detecting and removing malware from their systems.
  • Software security testing: Software security testing involves testing applications for security vulnerabilities, such as buffer overflows, SQL injection, and cross-site scripting. This testing can help companies identify vulnerabilities in their applications before they are exploited by attackers.
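Software security testing in its smallest form: the vulnerable query and its hardened version side by side, with a check that the injection payload returns every row from one and nothing from the other. This is an added example, not part of the course notes; it uses an in-memory SQLite database with three constructed rows, and the same defect and fix apply to any SQL database and driver.

```python
"""SQL injection: the vulnerable query beside its parameterised fix.

Added example, not from the course notes. Uses an in-memory SQLite database
with constructed rows; the same defect and fix apply to any SQL database.
"""
import sqlite3

# A classic payload: the quote closes the string literal and the rest becomes SQL.
INJECTION_PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Constructed user table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def vulnerable_lookup(conn, username):
    """Vulnerable: user input is concatenated into the SQL text.

    With INJECTION_PAYLOAD the statement becomes
        SELECT ... WHERE username = 'x' OR '1'='1'
    and every row comes back.
    """
    query = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    """Hardened: the input travels as a bound parameter, never as SQL text,
    so the quote and the OR clause are just characters in a username."""
    query = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(conn=None):
    """Row counts from both versions for a normal name and for the payload.

    This is the shape of an automated security test: the safe version must
    return the same result for a genuine name and nothing for the payload.
    """
    if conn is None:
        conn = build_db()
    return {
        "vulnerable_normal": len(vulnerable_lookup(conn, "alice")),
        "vulnerable_payload": len(vulnerable_lookup(conn, INJECTION_PAYLOAD)),
        "safe_normal": len(safe_lookup(conn, "alice")),
        "safe_payload": len(safe_lookup(conn, INJECTION_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} row(s)")
```

The fix is not escaping or filtering the input; it is keeping data and code on separate channels, which is what the parameter placeholder does.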


Digital Resilience

Digital resilience refers to an organization's ability to withstand, adapt to, and quickly recover from cyber attacks or other digital disruptions.

The following principles can help an organization achieve digital resilience:

  • Issue identification: This involves identifying all potential risks and vulnerabilities to the organization's digital infrastructure, including hardware, software, and data.
  • Well-defined target: The organization should have a clear goal in mind when implementing digital resilience strategies, such as minimizing downtime, protecting sensitive information, or ensuring business continuity.
  • Best delivery method: The organization should consider the most effective and efficient ways to implement new cyber security systems or tools, such as outsourcing to a third-party provider or utilizing cloud-based services.
  • Risk resource trade-offs: Organizations must balance the need for robust security measures with the costs and resources required to implement them. This involves making strategic decisions about how to allocate resources to maximize security while minimizing costs.
  • Alignment of business and technology: The organization's cyber security strategy should be closely aligned with its overall business objectives and technology infrastructure, ensuring that security measures are integrated into all aspects of operations.
  • Sustained business engagement: Digital resilience is an ongoing process that requires ongoing commitment and engagement from all levels of the organization, including management, employees, and external partners.

The AIC Triad

The AIC Triad is a concept in information security that refers to the three core principles of data protection: Availability, Integrity, and Confidentiality.

  • Availability refers to the assurance that data and services are accessible and available to authorized users when needed.
  • Integrity involves the maintenance and assurance of accuracy and completeness of data and information.
  • Confidentiality pertains to the protection of sensitive data from unauthorized access or disclosure.

These three principles are often used as a framework to evaluate and implement security measures to protect data and information systems.


NIST Cybersecurity Framework

NIST is the US National Institute of Standards and Technology. Its Cybersecurity Framework (CSF) was developed to improve the cybersecurity of US critical infrastructure and is now widely used by organisations of all kinds. The original framework consists of five core functions (CSF 2.0, published in 2024, adds a sixth, Govern, covering strategy, roles and risk management oversight):

  • Identify: Organizations should develop an understanding of their cybersecurity risks, assets, and vulnerabilities to manage them effectively.
  • Protect: Implement security controls to prevent or reduce the impact of a cybersecurity event.
  • Detect: Establish continuous monitoring and detection processes to identify a cybersecurity event in a timely manner.
  • Respond: Develop and implement an incident response plan to take action promptly and minimize the damage caused by a cybersecurity event.
  • Recover: Have a recovery plan in place to restore the systems and services impacted by a cybersecurity event to normal operations.


ISO 27001

ISO 27001 is the international standard for implementing an Information Security Management System (ISMS). Implementation consists of several steps:

  • Define a security policy: Establish a set of policies and procedures for managing and protecting sensitive information.
  • Define the scope of the ISMS: Identify the boundaries and responsibilities of the ISMS within the organization.
  • Conduct a risk assessment: Identify and assess potential risks to the confidentiality, integrity, and availability of the organization's information.
  • Manage identified risks: Develop and implement a plan to address identified risks.
  • Select control objectives and controls: Identify and select appropriate controls to mitigate identified risks.
  • Prepare a statement of applicability: Document the controls selected and their applicability to the organization.

By following these steps, an organization can establish an effective ISMS to protect its information assets.

AICPA cybersecurity risk management reporting framework

The AICPA cybersecurity risk management reporting framework consists of three key components that help organizations to effectively manage and report on their cybersecurity risks.

  • Management’s Description: This component requires management to provide a comprehensive description of their organization's cybersecurity risk management program. It includes information on how risks are identified, assessed, managed, and monitored.
  • Management’s Assertion: This component requires management to provide a written assertion regarding the effectiveness of their organization's cybersecurity risk management program. This assertion provides stakeholders with assurance that the organization is taking necessary steps to manage its cybersecurity risks.
  • The Practitioner’s Opinion: This component requires an independent practitioner to provide an opinion on the effectiveness of the organization's cybersecurity risk management program based on their assessment. This opinion provides stakeholders with an independent assessment of the organization's cybersecurity risk management program.

Fraud Risk Management Strategy

Fraud prevention:

  • Anti-fraud culture: Creating a culture where fraud is not tolerated and ethical behavior is encouraged.
  • Risk awareness: Identifying potential fraud risks and implementing controls to prevent fraud from occurring.
  • Whistleblowing: Encouraging employees to report suspicious activity and protecting them from retaliation.
  • Sound internal control systems: Establishing and enforcing policies and procedures to prevent fraud from occurring.

Fraud detection:

  • Regular checks: Conducting routine reviews and audits to identify any fraudulent activity that may have occurred.
  • Warning signals: Monitoring for red flags and warning signs that may indicate fraudulent activity.
  • Whistleblowers: Encouraging employees to report suspicious activity and protecting them from retaliation.


Categories: CIMA/CGMA Strategic Case Study (SCS)