Analysis and treatment of risks in information systems

Abstract

The risk is the mathematical estimation of the probability of human loss, material damage, environmental damage, social and psychological damage, over a reference period, respectively future and in a given area, for a certain type of risk event. Risk is defined as a product between the probability of the disaster occurring and its impact [1]. Risks exist in all information systems, but they do not necessarily occur. Most experts are of the opinion: the sooner the potential danger will be determined, the more time it will remain for the team of designers to neutralize it or minimize the losses. Thus, the identification of risks must be carried out at the beginning of the works on the information systems. The risks that affect a system and that must be considered at the estimation stage can be differentiated as inherent risks, control risks and undetected risks. These factors have a direct impact on the degree of risk of the audit, which can be defined as the risk that the information / financial report could contain material errors that could go undetected during the audit. Risk management must be subordinated to the objectives that form an integrated, coherent and convergent system towards the general objectives, so that the activity levels are mutually supportive [2]. In order to manage the risks in an organization, it is necessary, first of all, to know these risks and to identify them. Risk identification is the first step in building the risk profile of an organization. The risks must be identified at any level where it is noticed that there are consequences on reaching the objectives and specific measures can be taken to solve the problems, raised by the respective risks.