Risk Assessment And Mitigation Strategies For ACORN's Community Development Program (CDP) Essay.

Carry out an extensive review of risks on the company’s IS/IT/Information security management practices by:

Identifying and detailing all key components of risk, vulnerabilities, threat as well as their impact to the company.

The risk assessment needs to be conducted in accordance to the best practice prescribed by one (or a hybrid) of the leading standards, guidelines, or framework pertaining IS/IT/Information security.

A coherent IS/IT/Information security risk mitigation strategy that provides proactive solutions for the risks identified in the Risk Assessment stage

Identify further opportunities of risk management activities within the company.

Produce a risk analysis report of the company to be submitted to the company’s senior executive (remember: the audience of your report is going to be the senior executives – the C-level individuals of the organisation)

Your task is to produce a report addressing the above requirements. It is important to note that the use of established standards, frameworks and best practice in the process is highly valued and sought after by the senior executives.

Risk Mitigation Framework of ISO/IEC 27001

Background of the Organization

ACORN or Young Acorn Foundation is a tier 2 NFP organization. They are focused on the community development within marginalized areas. ACORN is mainly operating in the Asia and Pacific regions and has a presence in every major city of Australia, Asia and Pacific countries for successful coordination of community development activities or CDA and fund-raising campaigns. ACORN even launched a new CDP or community development program for encouraging the under developed communities in working altogether within a cooperative model and producing products like natural produce or crafts. They have been operating in multiple countries, however is following Australian laws. It often becomes difficult when the employees operating in the host country are needed to divulge confidential information to the respective authority of the host country, which might be deemed as incorrect under the laws of Australia.

Risk management can be referred to as the procedure to identify, assess as well as control different types of threats to the earnings and capital of an organization (Lam 2014). These distinctive threats and risks can easily and promptly stem from a wider variety of different sources like financial uncertainties, errors in strategic management, natural disasters, legal liabilities and many more. A successful risk management plan can easily save the consideration of several potential risks and threats as well as protection of the future of that particular company (Hopkin 2018). The reason is that a robust risk management plan is considered as quite helpful for the organization in establishment of processes and avoiding potential threats to reduce the impacts efficiently.

It is required to maintain risk management plan for all types of IT or IS assets and resources in a company. ACORN is a tier 2 not for profit organization and they have included new aspects and features for their business. This report will be outlining a brief discussion on the case study of ACORN that will discuss in details about the project that ACORN is taking up as the CDP. The potential risks according to the Risk Mitigation Framework of ISO/IEC 27001 would be considered in this cane along with the segregation of the risks according to the technical, operational and managerial aspects. The risk mitigation strategies would also be identified along with the recommendations that the organizations would most likely be taking up for having a solution to all the impending risks.  

Risk Assessment

Threat and Vulnerability Identification

The primary problem that has been concerning ACORN has been the new Community Development Program or CDP that ACORN is trying to achieve. This is going to aim at the encouragement of the under-developed communities such that they can come forward and work together for achieving a cooperative model. This was also because, with this collaboration, the organization wanted to enable the manufacturing of certain products as well as put forward the encouragement of the under-developed people. The program was unique and it was operating for multiple countries. Therefore, as per the countries where the project and the organization would operate in, there would be legislative variances for the operations as well. The market is competitive enough in this particular area where NFPs are trying to innovate strategies to bring forth the people who are less privileged in the society.

This particular Risk Mitigation framework has several features that is used for developing the risk mitigation strategies for the Information Security Management System or ISMS that involves the procedures to analyse the legal, technical and physical controls during the risk management process for an organization (Sweeting 2017). In the case for the ACORN organization as well, there are several forms of the framework that would be followed for the identification and the approach towards the risk mitigation plan, beginning with the following:

• Providing the definition for a security policy
• Defining the scope for the ISMS utility in the CDP project
• Conducting the risk assessment and the management of the identified risks
• Selection of the Control Objectives that need to be implemented
• Preparation of the statement of applicability

There are several features of the framework that need to be addressed in this case as well, continuing with the sections including the following features:

• Assessing the risk
• Maintaining the security policy
• IS for the organization
• Management of asset
• Securing the Human Resource
• Ensuring the physical and environmental security during the CDP
• Access Control
• Acquisition of the information security
• Business Continuity Management
• Compliance

The threat and vulnerability identification would follow through several aspects of ACRON and its business operation to fully understand the project, its operation and the impact it would have on the business to identify the required risks for the CDP project on the organization. Therefore, it is important to identify the following business aspects to clearly identify the risks associated with the project for the business:

1. i) Identification of Threats: This is yet another vital and significant stage in the respective information security risk management for any particular organization (Webb et al. 2014). The potential causes of information and assets would be identified and hence it would be much easier for the company to identify their potential threats, related to information security as well as information technology. It is also effective in reducing the impacts of hacking and similar threats (Brustbauer 2016). The treats that have been identified in this aspect for the ACORN organization lies as pointed out in the table as below:

Possible Threats	Threat Assessment
1. Electronic Threats	There might be electronic devices used for the implementation of the project procedures, that might have threats regarding the information storage, capturing and retrieval within the devices.
2. Physical Threats	The occurrence of accidents due to the less considerations of security during the project might result into physical or mental harm to the employees.
3. Employee Compliance Threats	There might be occurrences that the people involved in the project might not find it difficult to or may be have misinterpreted information about the legal compliances, resulting into not following them altogether.
4. Human Errors	General human errors also have a threat of making several problematic situations that might lead to immense risk in respecting the integrity of the project information.
5. Managerial Threats	The management threats might be mismanagement of the people associated with the project leading to further errors in the overall management of the project including all the information associated with it.

Table 1: Threat Analysis Table

(Source: Created by the Author)

1. ii) Identification of Vulnerabilities: The system level as well as software vulnerabilities are eventually putting the availability, integrity or confidentiality of each and every identified asset at risk. It is required for successful identification of the deficiencies and weaknesses in the organizational processes effectively and without much complexity. Moreover, information compromising would be lowered and the organization would be benefitted (Teller, Kock and Gemünden 2014). The information vulnerabilities that lie in this regard for the business of ACORN related to the CDP project is the primary vulnerability of the business.

1. iv) Identification of Controls: The final stage in this process of information security risk management would be successful identification of controls (Fenz et al. 2014). This type of control directly addresses the identified threat and provides ways for mitigating it successfully. It is generally done after reviewing each and every risk and also after cross referencing the user directory of that specific company.

ACORN, being one of the most significant and popular charity organizations, is required to maintain their information security and information technological management practices properly, so that any threat or risk does not become vulnerable for them (Pritchard and PMP 2014). These risks and threats comprise of a major negative impact on the organizational customer base, specifically, when the risk has impacted the sensitive data. The customers of the organization might be losing confidence and would not feel that the data is safe and secured, which is quite vulnerable for the organization of ACORN as it is concerned with charity services (Glendon and Clarke 2015). The impact of this risk is even tied to the kind of data involved. Following would be a probable control the threats identified:

Threats Identified	Control Measures
1. Electronic Threats	Management of the monitoring of the working for the devices
2. Physical Threats	Monitoring the factors under which the people have been working on and if they are suitable according to the required project works for ensuring the safety of the people.
3. Employee Compliance Threats	Communicating feasibly to find out all the business compliance information are understood well by the employees.
4. Human Errors	Monitor the work for the people according to the set standardized plan for the project.
5. Managerial Threats	Management monitoring to be done at set intervals.

Risk Mitigation Strategies

Table 2: Control Analysis Table

(Source: Created by the Author)

Identified Threats	Control Assessment	Likelihood Analysis
Electronic Threats	The issue related to electronic threats could be effectively resolved by implementation of security measures within these devices. The easiest mode of security is standardization of software, using network protection measures, keeping software up graded and updated and also bolstering access control (Lavell and Maskrey 2014). Furthermore, employees should also be trained properly so that they are able to use the electronic devices in a better manner.	Somewhat Likely
Physical Threats	The respective physical threats of the organization of ACORN are extremely vulnerable for their IT IS or confidential data (Gatzert and Martin 2015). These should be eradicated effectively for ensuring that security is being maintained under every circumstance. One of the most efficient solution for physical threat would be locking the server rooms and placing server room under surveillance. The workstations should be secured properly and a specific layer of security to the portable devices should be added so that there exists no scope for such threats (Pulwarty and Sivakumar 2014). Moreover, ACORN should improve their defence against the physical security threats. Technical threats are extremely common for the organization and since they are dealing in several countries, technical failure could be quite common for dealing with these issues, it is vital to ensure that each and every system is upgraded on a periodical basis and the respective contingencies are being well monitored and evaluated under every circumstance (Lundqvist 2015). Furthermore, they would be able to deal with these issues in future as well.	Very Likely
Compliance Violations	The solution for any type of compliance violation in the organization of ACRON would be establishment of a stronger foundation for the business. After getting proper training, the employees would be able to build a culture of integrity and revaluation of the strategies (Teller, Kock and Gemünden 2014). Thus, it would be easier for them to reduce compliance violations effectively in ACRON.	Somewhat Likely
Failure in Infrastructures	Infrastructure failure issues can be resolved by involving cloud storage in the business. It is required to ensure that the data or other organizational information is not dependent on the systems and servers and should be kept on virtual platform for better file syncing and sharing of services so that these are securely connected to the distributed data sources (Meyer and Reniers 2016). Implementation of an IT disaster recovery planning is yet another important solution for this issue.	Less Likely
Human Errors	The issue of human error could be resolved by providing periodical training to the staffs. Access to the sensitive systems should be limited and a strong DR plan should be developed to ensure that better accessibility of data is possible without getting indulged into such threats or risks (Hayne and Free 2014). Identification of the primary sources of inaccuracy is the second significant and important solution of various human errors. It could even be resolved by involving special working force.	Very Likely
Unified business policy for multi-nation operation	This threat may lead to the failure of the CDP project completely in one part of the country and success of the project for ACORN in another. A unified success can never be achieved for ACORN.	Very Likely

Table 3: Likelihood Analysis Table

(Source: Created by the Author)

Information security risk management is considered as one of the most important and significant requirements in any business, even for the CDP project for ACORN. It helps in successful management of risks and threats related to the confidential information or data as well as the resources or assets that help in initiating the risk impact to a high level (Van Staveren 2018). The 6 identified threats of ACORN are needed to be treated with the help of proper standards, guidelines and frameworks. Following would be the analysis of the impact of the identified threat with the help of the qualitative methods about the information gathered regarding the project:

Identified threats	Impact analysis
Electronic Threats	The information storage and management system would be hampered on the basis of the threats that might be implemented to the project and the organization (Iqbal et al. 2015). Failure or risk in the electronics used in the project would mean jeopardizing the project information related to the employees and the under privileged people.
Physical Threats	The physical threats would impact on the device management that would result into the threats related to the project information related to the employees and the under privileged people
Compliance Violations	The information security management within an organization works under several compliances that need to be maintained related to the information security systems (Grote 2015). Not abiding by the compliances might bring about legal complications in ACORN.
Failure in Infrastructures	The failure in the infrastructure may eventually bring about downfall of the entire project.
Human Errors	The human errors in management of project information related to the employees and the under privileged people might bring about several problems about violation of confidential information regulations.
Unified business policy for multi-nation operation	The compliance of the information security legislation in one country for CDP project might be non-compliance of another country (Lundqvist 2014). This may result into the failure of the project in one country even if it is successful in others. An overall success of the business project cannot be attained.

Table 4: Impact Analysis

(Source: Created by the Author)

Risk Level Matrix

Identified Risks	Risk Level
Electronic Risk regarding the devices used for the project implementation	Low
Physical Risks related to the accidents causing physical and mental harm to the employees	High
Compliance Violations causing employees to not follow the usual rules and regulations of the business and the general legislative measures for the information capture, storage and retrieval	Medium
Failure in Infrastructures causing the failure to gather information	Medium
Human Errors	High
Failure in having a Unified business policy for multi-nation operation	High

Table 5: Risk Level Matrix

(Source: Created by the Author)

Description of Risks

Following would the description of the risks according to the identified risks in the ACORN CDP project:

Risk Criteria	Risk Identification	Risk Association	Risk Owner	Analysis of Risk
a. Technical Risk	Electronic Risk regarding the devices used for the project implementation	Integrity of the information in the project	System Administrator	The second important and significant type of risk or threat that could be extremely vulnerable for the security of IT IS within ACORN is electronic threat (Rampini, Sufi and Viswanathan 2014). This type of threat in the organization would aim at the compromising of the business-related information, such as hacker getting full access of the system, the various IT systems getting infected by computer viruses as well as the staffs of ACORN falling as victims to any type of fraudulent web site or email. The organization deals with the information of the employees in the business as well as the information related to the under-privileged people, this is why it would be more relatable to the situation about the information security. These types of threats are mainly conducted by hackers and respective products of the Community Development Program or CDP would be highly vulnerable to such threats (Bromiley et al. 2015). The impact of these threats could even be responsible for affecting the networks of the company and hence facilitation of sales in the business would be affected. Another distinctive and noteworthy type of threat, which might be quite problematic for the IT and IS security of ACORN would be technical threat. It is yet another popular and significant risk type, in which the technical difficulties are extremely high and could lead to complete failure of the system (Sadgrove 2016). The most important examples of these technical threats include software bugs, crash of the system or complete failure of the organizational network. This type of technical failure could be highly catastrophic when the staff of this organization cannot retrieve the data within a failed hard drive and there is absolutely no scope for backup copy (McNeil, Frey and Embrechts 2015). Although, ACORN has included a proper backup strategy in their business that provides backup in every month. The backup of their corporate data like operational data from several countries, relevant transactional data from the partners, which are sales data of CDP, transactional data from the donor, list and information of the donors, project information or data on a monthly basis (Drennan, McConnell and Stark 2014).
b. Operational	Physical Risks related to the accidents causing physical and mental harm to the employees	Loss of information because of the unavailability of the employees to their respective tasks	Trainers of the system to the employees before the work is contemplated to the project	This type of threat eventually results from the physical accessibility as well as damages to the information technology resources like the servers. As they are serving in different countries, it is extremely vital for them to ensure that the physical devices are absolutely safe and secured from the threats (Aven 2016). However, it is being observed that different countries have their own distinctive methods to protect the physical servers. The physical threats mainly involve theft or damages from flood or fire and even any kind of unauthorized accessibility to the confidential data through the outsider or employee (Chance and Brooks 2015). It is considered as one of the most common types of risk that can increase chances of loss of data or information to a high level.
	Compliance Violations causing employees to not follow the usual rules and regulations of the business and the general legislative measures for the information capture, storage and retrieval	Loss of confidentiality, integrity and availability for information	Employees working for the project	As they are doing their business in multiple countries, each of these countries comprise of their own unique rules and standards, there can be a high chance of compliance violation. It is the major potential that the company might violate regulations and laws (Bowers and Khorakian 2014). These compliance violations could be also termed as responsible for increasing sensitivity issues for both data storage and source.
c. Managerial	Failure in Infrastructures causing the failure to gather information	Loss of confidentiality, integrity and availability for information	Managerial body in responsibility of the system administration	This is yet another popular type of risk that is possible for the IT/ IS of ACORN (Marcelino-Sádaba et al. 2014). The failure in infrastructure like the loss of their Internet connectivity and systems could substantially interrupt on the business and hence they would not be able to deal with the issues in infrastructure successfully and they would be in huge financial losses. The main issue that is common for this type of risk is that since they are highly dependent on the funds or resources, it eventually becomes vital for them to ensure that any type of issue is not occurring for their fund collection (Aven and Zio 2014). The impact of infrastructure failure results in the temporary loss of all essential functionalities as well as services and it could be extremely catastrophic for the entire business.
	Human Errors	Loss of confidentiality, integrity and availability for information	Employees related to the project	Another vital and noteworthy type of risk that can bring vulnerability to the IS/ IT of ACORN is human errors. There is always a high chance that the staffs or employees of the organization might bring out vulnerability to the systems or data and the confidential data would be lost forever (Weingarten et al. 2016). Human errors are often considered as the major threats and these could occur either intentionally or unintentionally and they could become a failure in following the major security processes properly.
	Failure in having a Unified business policy for multi-nation operation	Loss of confidentiality and integrity	Decision making body	Since ACORN is trying to operate in different countries all around the world, there would be several risks regarding the security and legal policies within the organization. This would be an impending problem as the business policy would require the embellishment in such a way that there would be a unified company policy that would be complying with all the legal structures in different countries. Without any proper strategy, the business would face several risks regarding the entire business policy setup as the conduct in one country might not be acceptable at another.

Table 6: Identification and Analysis of Risk according to ISO/IEC 27001 Standard

(Source: Created by the Author)

 The control recommendations would be suggested as per the following table:

Threats Identified	Control Recommendations
1. Electronic Threats	Monitoring the working of all the electronic devices and discarding out any faulty device.
2. Physical Threats	Enlisting a policy for the Workers Health and Safety according to the country designated legislative measures.
3. Employee Compliance Threats	Making a policy and communicating them verbally, electronically and practically to all the employees.
4. Human Errors	Monitor the work for the people according to the set standardized plan for the project.
5. Managerial Threats	Management monitoring to be done at set intervals.

Table 7: Risk Control Recommendation

(Created by the Author)

Although, the six identified risks and threats are extremely vulnerable for the organization, it is evident that these are needed to be eradicated on time (Stulz 2015). The most effective and efficient solutions to the identified risks would be mitigated considering the country legislations and also following the ISO/IEC 270001 standardized laws and regulations that fall for the mitigation of the risks.

Risk mitigation is one of the major methodologies or mechanism that is being carried out in the entire process of development for successful identification, management and controlling of risks that are evolved before and during this development process (Cole, Giné and Vickery 2017). There are three types of risk management activities, which are as follows:

1. i) Risk Identification: This is the first and the most important step in risk management procedure that involves proper recognition of all types of potential risks, impacting the products and services of ACORN and also documenting these services with the characteristics (Bowers and Khorakian 2014). In this particular stage, the stakeholders and clients collaborate as well as participate in the small sessions or brainstorming sessions for making out of the probable set of threats that are related to the services of ACORN. Risks identified are all specified as Electronic Threats, Physical Threats, Compliance Violations, Failure in Infrastructures, Human Errors and failure to attain a Unified business policy for multi-nation operation.
2. ii) Risk Analysis: The second step is risk analysis that helps in better assessment of risks as well as prioritization of risks. Prioritization is done after assigning the high risks as top most priority, however the low impacted risks are considered as the bottom most priority (McNeil, Frey and Embrechts 2015). ACORN can easily prioritize their risks after understanding the top priority and bottom priority risks related to their information security and information technology. The feasible risk analysis is done by ISO/IEC 27001 standardizations for the project of CDP for ACORN.

iii) Risk Control: The final step is risk control, in which risks are managed and controlled, on the basis of their priorities and achieving expected outcomes. The three sub activities of risk control include risk management planning, risk resolution and risk monitoring. An effective plan for dealing with the five types of risks in ACORN is required to properly execute the plans and finally deploying appropriate actions, when necessary. Thus, regular monitoring or tracking of the risks would be much easier for them.

Recommendations for ACORN

The major opportunities of risk management activities in ACORN are as follows:

1. i) Risk Avoidance: One of the major opportunity of risk management activities in ACORN would be risk avoidance. A proper avoidance of risks that could be avoided can reduce huge utilization of resources and assets to a high level. As a result, there would be a major scope for removing all types of unattended and low priority risks efficiently.
2. ii) Upgrading Information Technology: Another important opportunity of risk management activities for this charity organization is up gradation of IT (Glendon and Clarke 2015). Since they are considering a larger scale of IT products and services, up gradation of information technology would majorly lower the impacts of such risks to a high level.

iii) Industry Strategies: The third vital opportunity of risk management activities for ACORN is implementation of certain industry strategies. They would be able to investigate the feasibility of their products and services to a high level and hence risks would be easily identified without much complexity.

1. iv) Risk Mitigation Strategy: ACORN should include a proper risk management strategy and hence the identified risks like technical risks, infrastructure failure and many more would be effectively eradicated successfully (Bromiley et al. 2015). Moreover, the organizational IT resources and assets would also be secured from any type of risk.

The security or data related risks of information technology as well as strategies of risk management are often termed as the top priorities for all digital organizations. The entire plan of risk management involves the major procedures of the organizations to successfully identify and control the threats to the digitalized assets like personally identifiable information or PII information, corporate data as well as intellectual properties in ACORN. All the organizations and businesses eventually face the subsequent risk of harmful and unexpected events, which could cost the organization money or could even cause it to permanent shutting down (Aven and Zio 2014). This type of risk management even allows the companies in attempting to prepare for the most unexpected events after reducing the impacts of these risks and any type of extra cost, even before they are happening.

It is quite vital for ACORN to eventually ensure that high effectiveness and efficiency and also creating a safe and secured work environment for the customers and employees. It even increments the overall stability of different business operations during decreasing the legal liabilities (Bowers and Khorakian 2014). Risk management plan also provides high protection from the events, which are detrimental to both the environment and company and also protects every involved asset or people from any type of potential harm. The organizational risk analysis report should be submitted to the organizational senior executive.

The main purpose of this report is to identify every possible risk or threat, associated to information security, IT and IS of the organization and to ensure that these are absolutely safe and secured from these threats. The six identified types of risks that are vulnerable for ACORN would be physical threats, electronic threats, infrastructure failure, technical threats, human errors and compliance violations (Iqbal et al. 2015). These above mentioned risks can be mitigated by undertaking proper risk management strategies and mitigation policies. With successful implementation of these risk mitigation strategies, it would be easier for ACORN to deal with the complexities related to CDP and other projects. Moreover, decision making process would be improved successfully and the entire business would be highly benefitted in this process.

Conclusion

Conclusion

Therefore, from the above discussion, it can be concluded that information security or IS risk management is the subsequent procedure to manage various types of risks that are related to the utilization of IT or information technology. It even includes identification, assessment as well as treating of different risks to CIA or confidentiality, integrity and availability of the organizational assets or resources. The major objective of the procedure is treating the risks as per the organizational risk tolerance. The different organizations should not expect to eradicate each and every risk and they must seek in identification and achievement of an acceptable level of risk for the company. The different stages of information security risk management includes identification of assets, identification of vulnerabilities, identification of threats and finally identification of controls. Risk management is helpful to establish the insurance requirements of the company for saving on unnecessary premium. They even incorporate different scope, goals and leadership. The above provided report has clearly outlined a detailed analysis of the case study of ACORN with relevant details related to risk management for their IT/ IS and information security management practices along with its multi-nation operation, associated risks, mitigation strategies and recommendations all with the ISO/IEC 27001 standardizations.

References

Aven, T. and Zio, E., 2014. Foundational issues in risk assessment and risk management. Risk Analysis, 34(7), pp.1164-1172.

Aven, T., 2016. Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), pp.1-13.

Bowers, J. and Khorakian, A., 2014. Integrating risk management in the innovation project. European Journal of innovation management, 17(1), pp.25-40.

Bromiley, P., McShane, M., Nair, A. and Rustambekov, E., 2015. Enterprise risk management: Review, critique, and research directions. Long range planning, 48(4), pp.265-276.

Brustbauer, J., 2016. Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), pp.70-85.

Chance, D.M. and Brooks, R., 2015. Introduction to derivatives and risk management. Cengage Learning.

Cole, S., Giné, X. and Vickery, J., 2017. How does risk management influence production decisions? Evidence from a field experiment. The Review of Financial Studies, 30(6), pp.1935-1970.

Drennan, L.T., McConnell, A. and Stark, A., 2014. Risk and crisis management in the public sector. Routledge.

Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F., 2014. Current challenges in information security risk management. Information Management & Computer Security, 22(5), pp.410-430.

Gatzert, N. and Martin, M., 2015. Determinants and value of enterprise risk management: empirical evidence from the literature. Risk Management and Insurance Review, 18(1), pp.29-53.

Glendon, A.I. and Clarke, S., 2015. Human safety and risk management: A psychological perspective. Crc Press.

Grote, G., 2015. Promoting safety by increasing uncertainty–Implications for risk management. Safety science, 71, pp.71-79.

Hayne, C. and Free, C., 2014. Hybridized professional groups and institutional work: COSO and the rise of enterprise risk management. Accounting, Organizations and Society, 39(5), pp.309-330.

Hopkin, P., 2018. Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.

Iqbal, S., Choudhry, R.M., Holschemacher, K., Ali, A. and Tamošaitien?, J., 2015. Risk management in construction projects. Technological and Economic Development of Economy, 21(1), pp.65-78.

Lam, J., 2014. Enterprise risk management: from incentives to controls. John Wiley & Sons.

Lavell, A. and Maskrey, A., 2014. The future of disaster risk management. Environmental Hazards, 13(4), pp.267-280.

Lundqvist, S.A., 2014. An exploratory study of enterprise risk management: Pillars of ERM. Journal of Accounting, Auditing & Finance, 29(3), pp.393-429.

Lundqvist, S.A., 2015. Why firms implement risk governance–Stepping beyond traditional risk management to enterprise risk management. Journal of Accounting and Public Policy, 34(5), pp.441-466.

Marcelino-Sádaba, S., Pérez-Ezcurdia, A., Lazcano, A.M.E. and Villanueva, P., 2014. Project risk management methodology for small firms. International journal of project management, 32(2), pp.327-340.

McNeil, A.J., Frey, R. and Embrechts, P., 2015. Quantitative Risk Management: Concepts, Techniques and Tools-revised edition. Princeton university press.

Meyer, T. and Reniers, G., 2016. Engineering risk management. Walter de Gruyter GmbH & Co KG.

Pritchard, C.L. and PMP, P.R., 2014. Risk management: concepts and guidance. Auerbach Publications.

Pulwarty, R.S. and Sivakumar, M.V., 2014. Information systems in a changing climate: Early warnings and drought risk management. Weather and Climate Extremes, 3, pp.14-21.

Rampini, A.A., Sufi, A. and Viswanathan, S., 2014. Dynamic risk management. Journal of Financial Economics, 111(2), pp.271-296.

Sadgrove, K., 2016. The complete guide to business risk management. Routledge.

Stulz, R.M., 2015. Risk?taking and risk management by banks. Journal of Applied Corporate Finance, 27(1), pp.8-18.

Sweeting, P., 2017. Financial enterprise risk management. Cambridge University Press.

Teller, J., Kock, A. and Gemünden, H.G., 2014. Risk management in project portfolios is more than managing project risks: A contingency perspective on risk management. Project Management Journal, 45(4), pp.67-80.

Van Staveren, M., 2018. Uncertainty and ground conditions: a risk management approach. CRC Press.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.

Wiengarten, F., Humphreys, P., Gimenez, C. and McIvor, R., 2016. Risk, risk management practices, and the success of supply chain integration. International Journal of Production Economics, 171, pp.361-370.