All right now, we've just responded to our risks. What's left? Remember, we framed our risks. We assess them,
We responded to them. So now what we do is we have to monitor them. We have an ongoing process of monitoring for risks.
The frequency with which we monitor is really going to be driven by the risk of the control, the volatility. You know all those risk factors we talked about, but a good rule of thumb. They don't tell you indifferently and they say, How often should you monitor controls at least once per year
or in the event of a major change? Okay, we're gonna monitor our controls at least once per year
or in the event of a major change, and we're going to get much more in depth into risk monitoring. We have our separate domain domain three,
domain three, domain four.
I mean, three or four is all about risk monitoring that ongoing process where we determine our controls, still meeting their objectives. And that's what I'm looking for. And do we have indications that a risk of it is about to materialize?
Do we have indications that our risk mitigation strategy won't work
has our risk mitigation strategy failed, and then what? Right, we need this information available to us. So when we talk about monitoring how we're going to monitor what tools we're gonna use, um, how we approach monitoring what metrics were looking for.
All of that should have been determined
earlier, Right? You know, if we go back to thinking about things from a project management standpoint, remember, our first project was planned Risk management, where we created a risk management plan.
Every one of the management plans within project are all about dictating. How so The risk management plan is gonna tell us. How do we monitor for risks? What RK our eyes are key risk indicators.
What are key performance indicators? And again, we're gonna talk about those in much more death.
How do we measure? How often do we measure? At what point in time do we need to escalate problems? All that has to be defined ahead itan because when we monitor, we're tracking our information and we're looking to take that information and match it up against a baseline of expected performance.
If it's not meeting, generally we invoke some sort of action.
And if the risk of in his meeting or the risk mitigation is meeting its requirements. Generally, we let
things go right. If it ain't broke, don't fix. It sometimes is right. You know, if it's meeting its objectives, we don't need to change,
Okay, But the thing is, is that
you know, I want to back up on that
meeting. Its objectives
when we're reviewing the control isn't meeting its objectives. Great. But once per year, we also have to come back and look at the context of risk. We have to frame risks on that yearly basis, right? So we have to look at our assets. We have to look at our vulnerabilities and threats
because the control that was deemed effective
and sufficient five years ago probably isn't today. And we can't just look at well, we haven't had any compromises. You know, people are still using Web wired equivalent privacy. Why? Well, I haven't had a compromise. Oh, but you will.
And you may have already and you just weren't aware of right? So once per year, we go back and evaluate with a full risk
management or risk assessment,
threatened vulnerability payers.
What's the potential for loss. What are the countermeasures and how can we implement them in a cost effective manner is what we have. Still, if it is sufficient, or do we need to look at other choices? Okay, so with risk, manage with risk monitoring, we're going to see Are we in compliance?
Are the mitigation strategies being implemented correctly?
How does that impact the function of the environment or of the control? So all of that information and primarily we have two main metrics that we're gonna use here we have kay our eyes and KP eyes k our eyes or key risk indicators.
This is an indication that a risk is about that happen. It's like a trigger,
right? So if I'm worried about rain, I'm gonna look outside and see if it's dark and cloudy.
And that's a key risk indicator.
Key performance indicators.
Our ah, basically set up to two.
How do I want to say this? In a way that's kind of comparable to how you might see it on the test There about operational efficiency
so K R eyes are about is a risk materializing KP I am I going to meet my goals from an operational perspective.
Okay, so I was supposed to mow yards this weekend and I had 10 yards to moat.
Okay, it's Saturday. Have one more weekend. Day one spent.
I got one more. Tomorrow
I'm halfway through,
ma'am on track to meet my goals. Right? So, Mikey performance indicator says I'm probably okay.
now my key risk indicator says it's dark and cloudy.
Well, all of a sudden, now it looks like rain. And if it's gonna rain, I can't mow yards. So that key risk indicator
can kind of come in and say, All right, your key performance indicator right now looks good. But based on this risk, you may not meet your goals as you've expected. You may not perform is expected
again, will go through this in more depth,
right? But I just want to kind of talk to you, because that's an important element of risk. Monitor