BUSINESS RISK MANAGEMENT TECHNIQUES AND EXPERT METHODS OF THEIR EVALUATION

The article is aimed at researching the problem of risk when substantiating decisions not only of a strategic nature but also at the stage of short-term planning. In this regard, the problem of risk assessment takes on an independent theoretical and applied value as an important part of the theory and practice of information security management systems. The next step was to review, research and analyze the business planning management system of an economic entity, which is a complex IT system. One option for solving this issue may be the development and creation of a computer expert system for business planning. The research results are the types and categories of business risks analyzed, as well as the impact of IT risks in business; in particular, techniques of business risk management are disclosed. The risk management methodologies CRAMM, COBIT, FRAP and OCTAVE, which are among the main and widely used ones in both government and commercial organizations around the world, are also described. The methodologies under research have both positive and negative aspects in risk management and do not provide for resolving the consequences of risks that have not been minimized or prevented. Studies have shown that, as a method of economic and mathematical modeling for the task of optimizing the management of business planning processes, it is proposed to use the results of work on the study and application of artificial intelligence methods, namely technologies for the development and creation of computer expert systems that implement information support and support managerial decisions.
Prospects for further research in this direction are the development we propose of an expert system as an instrumentarium of the business process management system and of managerial decision-making support, as well as the use of such expert systems to assess risks by business entities, which will provide them with an efficient instrumentarium for forming business plans for the implementation of various production and commercial

Nowadays, IT plays an important, sometimes crucial, role in all human activities, including business. Thus, not only business risks but also IT risks, as an integral part of them, should be taken into consideration. When developing strategies and plans aimed at minimizing business risks, one should focus on the peculiarities of a certain business enterprise or business process and the degree of impact of information technologies on them.
In view of the above, we argue that when managing business risks, it should be understood that their main source is IT risks.
Therefore, an important factor in improving the level of information security is using mathematical methods and models in the preparation of decisions to assess risks and their possible prevention. However, the use of these methods in solving various problems is often impossible due to their complexity. Thus, expert methods of risk assessment have become more widespread.
Under the current instability of the economy, developing and creating an expert system for implementing business planning processes based on the use of modern information technologies will help conduct marketing research for industry or service production, draft a financial plan, and provide risk management and assessment effectively.
Problems related to business risk management techniques and expert methods of their assessment have been analyzed in the works of a number of Ukrainian and foreign scientists, including R. Voronko [1], A. Pastoev [11], K. Korotnev [12], A. Alekseev [15], A. Shorikov [18], V. Krisevich [19], D. Rutkovskaya [20] and others. They highlight the importance of studying the types and categories of business risks as well as the impact of IT risks in business; in particular, they describe IT risk management techniques and expert methods for assessing them.
БІЗНЕСІНФОРМ № 2 '2020 www.business-inform.net
Acknowledging the works of the above-mentioned scientists, it should be noted that this problem has not yet been solved, and the development of an expert system as a tool for business process management and decision support is a prospect for further research.
The aim of the article is to identify business risk management techniques and the expert methods of their assessment.

It is safe to assert that we live in a century where technologies are determining the future. Anyone involved in real-time business knows how important technologies are to business. In the initial stages of development, business was fully dependent on the workforce, but with the development of technologies, business tries to keep pace with them. For every business, technologies are important for enhancing its efficiency and achieving success. Since technologies have inherent importance in business, business risks include IT risks.
Considering entrepreneurial risks, we can say that there is no single view of risks and their correlation (or identity) with business risks [1].
Business risk is a risk of inadequate profit or even loss associated with uncertainty: increasing competition, customer preferences, strikes, changes in government policy, etc. Business risk arises from competition, market conditions, the assortment of goods, etc.
The two risks that lead to business risk are:
1. Internal risk, which arises within an organization. These risks are manageable. They are caused by such factors as strikes, work stoppages, factory accidents, employee negligence, machine malfunction, technological obsolescence, damage of goods, fire outbreaks, etc.
2. External risk, which arises from outside the company and, therefore, is not controllable. It can be caused by fluctuations of prices, changes in customer tastes or government norms, force majeure, etc. [2; 3].
After considering and studying business processes, the structure of business risks can be presented as follows (Fig. 1) [4; 6].
IT risk is a threat to business data, critical systems, and business processes. It is related to such aspects as usage, ownership, operation, involvement of IT in an organization. IT risks can harm a company, decreasing its value; they often result from incorrect process and event management [7].
The investigation of IT risks makes it possible to divide them into three categories (Fig. 2): 1) personnel risks (these include managing access to resources, granting it in strict accordance with the functions performed by the employee, and monitoring the use of resources); 2) risks associated with failure or malfunction of the equipment; 3) risks of using illegal software [8].
As was already mentioned, IT risks are a source of business risk and cover a number of important business areas shown in Fig. 3 [7].
Any change in the information infrastructure has a direct or indirect impact on all aspects of enterprise activity, and, in fact, this complicates the analysis of IT implementation effectiveness, since it is very difficult to distinguish the impact of information technologies on the functioning of a company as a separate variable, and it is difficult to cover all areas of impact of the IT used [9].
Risk management strategy is the art of managing enterprise activity under uncertainty, based on risk prediction and risk mitigation techniques.
As for the risk management system, it consists of two subsystems: the object of management and the subject of management (Fig. 4).
The object of management is the risk, risky investment and economic relations between entities in the process of entrepreneurship.
The subject of management is a special group of people that ensures purposeful operation of the management object, using different techniques and methods of managerial influence [10]. For successful management of risky business situations, one should follow the basic principles of risk management (Fig. 5) [10].
The most common IT risk management techniques in the world are CRAMM, COBIT for Risk, FRAP and OCTAVE; they have both certain advantages and limitations [11][12][13].
The CRAMM method (CCTA Risk Analysis and Management Method) is based on information security management standards and describes the correlation between vulnerable IT assets and the threats that may affect IT assets through these vulnerabilities. The process of risk management according to the CRAMM method consists of the following stages (Fig. 6) [5; 12-16].
The COBIT methodology, in implementing the function and process of managing IT risks in an organization, singles out the following components that have a significant impact on the risks and their management (Fig. 7) [5; 12; 13].
Fig. 5. Basic principles of risk management: the amount of risk should not exceed the amount of the equity; risk must be justified; the risk effect should be taken into account.

Fig. 6. CRAMM stages. Stage 1, identification and valuation of IT assets: a series of surveys is conducted during the information security risk analysis; a full description of the area for further study is given, its boundaries are defined, and the list of persons involved in risk analysis is compiled; the list of IT assets is made (according to the CRAMM method, IT assets can be data, software assets and physical assets). Stage 2, threats and vulnerabilities assessment: the CRAMM method provides tables describing the correlation between vulnerable IT assets and the threats that may affect IT assets through these vulnerabilities; this step is performed only for the most critical IT assets if a basic set of information security measures is insufficient; the risk is calculated as R (risk) = P (probability) × Z (losses); based on the results of the risk analysis, CRAMM produces a set of countermeasures to ensure information security, and areas of weakness or over-provision are identified.

The Facilitated Risk Analysis Process (FRAP) describes an approach to qualitative risk evaluation. The purpose of the methodology is to identify, evaluate and record the set of information security risks for a pre-defined field of study. For the analysis and evaluation of information security, a project team is created; the results of the brainstorming carried out by the project team during the risk analysis and evaluation session are presented in Fig. 8 [12; 13; 16].
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) describes an approach to qualitative risk assessment. The current version of this framework is OCTAVE Allegro. This methodology is intended to formalize and optimize the evaluation of information security risks and to allow the organization to obtain the results it needs with minimal time and resources.
According to OCTAVE Allegro, the IT risk management process consists of the following steps (Fig. 9) [12; 13; 17]. Some advantages and disadvantages of the described methodologies are given in Tbl. 1.

Fig. 8. The result of the brainstorming during the risk analysis and evaluation session: potential threats to confidentiality, integrity and accessibility; the probability of these threats and the losses they cause to the core activities of the organization.

Fig. 9. OCTAVE Allegro steps. Step 1 - identification of criteria for measuring risks. Profiling of IT assets: Step 2 - development of IT asset profiles; Step 3 - identification of the IT asset environment. Identification of threats: Step 4 - identification of threat domains; Step 5 - identification of threat scenarios. Risk identification and treatment: Step 6 - [label not recoverable from the extracted figure]; risk analysis; Step 8 - choosing risk management approaches.

The approaches to risk management may vary, depending on the methodology used for risk analysis and management; all of them contain a detailed description of the instructions for the implementation of each of the listed risk management stages as well as recommendations for choosing the best methodology, depending on the specifics of the organization.

In the modern economy, business planning is an integral part of the functioning of any economic entity, and a modern system for managing business processes is a tool required for its successful operation. A project management system for an economic entity is a complex IT system developed on the basis of a relevant economic and mathematical model. The design and creation of an expert system for business planning can be a solution to this problem.
We propose to use the results of research on artificial intelligence, namely the technology of developing and creating expert systems that provide information and decision support, as the economic and mathematical modeling method for optimizing the management of business planning processes.
Under the current economic instability, the development and creation of an expert system for the implementation of business planning processes, based on the use of modern information technologies, can be an effective toolkit to support an economic entity's decision-making when choosing a specific business project that meets the set goals [18]. To formalize knowledge in expert systems, certain rules should be used; these rules establish relationships between data and facts to derive logical conclusions ("cognitive results") similar to those used by a person in solving similar problems.

Table 1. Advantages and disadvantages of risk management techniques

CRAMM
Advantages: a clear, formalized description of the methodology that minimizes the possibility of errors in the implementation of risk analysis and management processes; the availability of risk analysis automation tools minimizes the time and effort spent on risk analysis and management activities.
Disadvantages: high complexity of collecting raw data; high consumption of resources and time to implement IT risk analysis and management processes.

COBIT
Advantages: relationship with the COBIT shared library; repeatedly tested method; a clear, formalized description of the methodology.
Disadvantages: involvement of a large number of stakeholders; lack of the ability to measure risks in monetary terms.

FRAP
Advantages: simplicity and transparency of the process; lowest labor costs for performing risk analysis and assessment; involvement of a small number of participants ensures that communication costs within the project team are minimized and that results are coordinated with all stakeholders.
Disadvantages: absence of a well-regulated risk management process and of detailed supporting materials, such as catalogs of threats, vulnerabilities, etc.; absence of a deep decomposition and of a detailed and accurate risk assessment.

OCTAVE
Advantages: an iterative approach provides a gradual increase in the depth of risk analysis; low labor costs for performing risk analysis and assessment.
Disadvantages: lack of detailed supporting materials; lack of the ability to measure risks in monetary terms.
It should be noted that the main advantage of expert systems designed to provide information and management decision-making support is the possibility of training the system and accumulating knowledge in it during its operation, i.e. accumulating formalized information that is used in subsequent logical inference.
In general, an expert system used in business consists of the database (data in different formats, structured according to the architecture of the system), the knowledge base (the part of the system that contains facts and knowledge from the relevant subject area, structured and formalized using various methods), the output subsystem, the problem solver (a software implementation of the mechanism for forming the results of solving sub-tasks and the task as a whole, based on algorithms connected with the database, including the initial data, and with the knowledge base), the knowledge acquisition subsystem, the explanation subsystem, the training subsystem and the intelligent user interface [19]. Fig. 10 shows the structure of an expert system for business planning containing the main subsystems described above. Such an expert system is an intelligent system for providing information and decision support in business planning that is intended for business entities in various sectors of the economy.

Expert systems have been successfully used in those areas where, in addition to the application of standard algorithmic methods based on accurate calculations, there is a need for the specific analytical knowledge and experience of experts, and decision making is carried out under incomplete data and depends on qualitative rather than quantitative estimates [20].
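As an added illustration of the rule-based knowledge formalization and the subsystems described above (this is example code written for this edit, not code from the article or from any system it cites), the following Python sketch implements a minimal forward-chaining expert system: a knowledge base of rules, a working memory of facts, a problem solver that fires rules until no new conclusion appears, a knowledge acquisition function that extends the rule set at run time, and an explanation trace recording which rule produced each conclusion. The rule names, fact names and sample facts are constructed for the example; the three IT risk categories follow the article's personnel / equipment / illegal-software classification. Rules whose input data is missing simply do not fire, which is the "incomplete data" situation the text mentions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Facts = Dict[str, object]  # working memory: fact name -> value


@dataclass
class Rule:
    """One production rule of the knowledge base (constructed example)."""
    name: str
    condition: Callable[[Facts], bool]  # may raise KeyError when needed data is absent
    conclusion: str                     # fact set to True when the rule fires
    explanation: str                    # text used by the explanation subsystem


# Knowledge base: hypothetical rules following the article's IT risk categories.
KNOWLEDGE_BASE: List[Rule] = [
    Rule("R1", lambda f: not f["access_rights_match_functions"],
         "personnel_risk",
         "access to resources is not granted strictly according to employee functions"),
    Rule("R2", lambda f: f["equipment_failure_rate_high"],
         "equipment_risk",
         "equipment failure or malfunction is frequent"),
    Rule("R3", lambda f: f["uses_unlicensed_software"],
         "illegal_software_risk",
         "unlicensed software is in use"),
    Rule("R4", lambda f: any(f.get(k) for k in ("personnel_risk", "equipment_risk",
                                                  "illegal_software_risk")),
         "it_risk_present",
         "at least one IT risk category is present"),
    Rule("R5", lambda f: f["it_risk_present"] and f["critical_process_depends_on_it"],
         "business_risk_elevated",
         "an IT risk affects a business process that depends on IT"),
]


@dataclass
class Inference:
    facts: Facts
    trace: List[str] = field(default_factory=list)  # explanation subsystem output


def infer(initial: Facts, rules: List[Rule] = KNOWLEDGE_BASE) -> Inference:
    """Problem solver: forward chaining until no rule adds a new fact."""
    state = Inference(facts=dict(initial))
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if state.facts.get(rule.conclusion) is True:
                continue  # conclusion already derived
            try:
                fires = rule.condition(state.facts)
            except KeyError:
                fires = False  # incomplete data: the rule cannot be evaluated yet
            if fires:
                state.facts[rule.conclusion] = True
                state.trace.append(f"{rule.name} -> {rule.conclusion}: {rule.explanation}")
                changed = True
    return state


def add_rule(rule: Rule, rules: List[Rule] = KNOWLEDGE_BASE) -> None:
    """Knowledge acquisition subsystem: extend the knowledge base at run time."""
    rules.append(rule)


# Constructed sample input describing one hypothetical enterprise.
SAMPLE_FACTS: Facts = {
    "access_rights_match_functions": False,
    "equipment_failure_rate_high": False,
    "uses_unlicensed_software": True,
    "critical_process_depends_on_it": True,
}

if __name__ == "__main__":
    result = infer(SAMPLE_FACTS)
    for line in result.trace:  # the explanation of how the conclusion was reached
        print(line)
```

Running the block on the sample facts derives personnel and illegal-software risks, then the presence of IT risk, then an elevated business risk, and the trace shows the chain of rules; an empty fact set derives nothing, since every rule that needs data is skipped rather than guessed.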
These subject areas include, first of all, the analysis of financial activity, where the effectiveness of the decisions made depends on comparing many different factors, taking into account complex cause-and-effect relationships, applying non-trivial logical considerations, etc. Thus, many companies operating on the New York Stock Exchange employ expert systems for making decisions in many industries (Fig. 11).
The use of such expert systems by economic entities will allow them to have an effective toolkit for forming business plans to implement various production and commercial projects, taking into account business risks.
Widely used expert methods are the methods of expert evaluation that are conducted by a group of experts under conditions of uncertainty or risk. Expert methods can be divided into three subgroups [22], which are presented in Fig. 12.
The methods that are most commonly used in risk management are the method of expert evaluation, ranking, the Delphi method, the paired comparison method and scoring.
The method of expert evaluation usually implies processing the opinions of experienced experts (qualified professionals). That is, this method involves collecting and studying estimates of probability of losses by different specialists based on their own intuition, knowledge and experience. These estimates are made with consideration for all risk factors as well as statistics.
The implementation of the method of expert evaluation is much more complicated if the number of evaluation indicators is small. The basic requirements for expert analysis are presented in Fig. 13.
The stage-by-stage risk assessment approach is based primarily on identifying the risks of each stage of the project separately; the overall result across the project is then summarized [23].

Different methods are used to obtain the final result (expert assessments); the most common of them are questionnaires and the methods of group expertise. That is, each expert, working individually, is provided with a list of primary risks based on questionnaires covering all stages of the project and is asked to evaluate the probability of the risks in accordance with the following rating system:
- 0 - the risk is considered insignificant;
- 25 - low risk probability;
- 50 - nothing certain can be said about the occurrence of the risk;
- 75 - high risk probability;
- 100 - the risk is certain to occur.

Expert estimates are analyzed for consistency according to certain rules. First, the maximum permissible difference between the estimates of two experts on any factor should not exceed 50. Second, comparisons are made in absolute values (no plus or minus sign is taken into account). This eliminates unacceptable differences in experts' estimates of the probability of a separate risk. If the number of experts is three or more, the estimates are compared in pairs. This method is often applied in developing modern information security management systems as well as in forecasting and long-term planning.

To provide conditions for improving the quality and effectiveness of expert evaluation, active and persistent involvement of professionals at each stage (phase) of decision-making is required.

As a rule, two experts are chosen to assess the consistency of the experts' opinions across the risk set. The basic rule is the maximum divergence of opinions of these experts (minimum cohesion). To calculate the discrepancy, the absolute values of the differences between their estimates are summed and the result is divided by the number of simple risks. The result obtained should not exceed 25.
In case of any contradictions between the experts' opinions (at least one of the above-mentioned rules is not fulfilled), they are discussed at the experts' meeting. If contradictions are absent, all the experts' estimates are reduced to the average value (arithmetic mean) and used in the subsequent calculations.
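The consistency procedure just described (the 0/25/50/75/100 scale, the pairwise limit of 50 on any single risk, the mean absolute discrepancy limit of 25 for the two most divergent experts, and averaging only when both rules hold) is carried through below in Python. This is an added example written for this edit, not code from the article; the expert names and estimates are constructed, and the choice of the pair with the largest mean discrepancy as "the two experts" is an assumption made here to implement the article's "maximum divergence of opinions" rule.

```python
from itertools import combinations
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Rating scale from the article: probability of a risk as judged by an expert.
SCALE = {0: "insignificant", 25: "low", 50: "uncertain", 75: "high", 100: "certain"}

Estimates = Dict[str, List[int]]  # expert name -> one estimate per simple risk


def pairwise_violations(estimates: Estimates, limit: int = 50) -> List[Tuple[int, str, str, int]]:
    """Rule 1: for every risk, |a - b| between any two experts must not exceed `limit`.
    Returns (risk_index, expert_a, expert_b, difference) for each violation."""
    names = sorted(estimates)
    n_risks = len(estimates[names[0]])
    violations = []
    for a, b in combinations(names, 2):
        for i in range(n_risks):
            diff = abs(estimates[a][i] - estimates[b][i])  # absolute value, sign ignored
            if diff > limit:
                violations.append((i, a, b, diff))
    return violations


def mean_discrepancy(a: List[int], b: List[int]) -> float:
    """Sum of absolute differences over the risk set, divided by the number of simple risks."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def consolidate(estimates: Estimates, pair_limit: int = 50, discrepancy_limit: int = 25) -> dict:
    """Apply both consistency rules; average the estimates only if both hold."""
    names = sorted(estimates)
    if len(names) < 2:
        raise ValueError("at least two experts are needed")
    for name in names:
        bad = [v for v in estimates[name] if v not in SCALE]
        if bad:
            raise ValueError(f"{name}: estimates {bad} are not on the scale {sorted(SCALE)}")
    violations = pairwise_violations(estimates, pair_limit)
    # Rule 2: the two experts whose opinions diverge most (assumption: largest mean
    # discrepancy) must not differ by more than `discrepancy_limit` on average.
    worst, worst_pair = max((mean_discrepancy(estimates[a], estimates[b]), (a, b))
                            for a, b in combinations(names, 2))
    consistent = not violations and worst <= discrepancy_limit
    averaged: Optional[List[float]] = None
    if consistent:
        averaged = [mean(col) for col in zip(*(estimates[n] for n in names))]
    return {"consistent": consistent, "violations": violations,
            "max_discrepancy": worst, "worst_pair": worst_pair,
            "mean_estimates": averaged}


# Constructed sample: three experts rating four simple risks.
EXPERT_ESTIMATES: Estimates = {
    "expert_A": [25, 50, 0, 75],
    "expert_B": [25, 75, 25, 100],
    "expert_C": [50, 50, 0, 75],
}

if __name__ == "__main__":
    print(consolidate(EXPERT_ESTIMATES))
```

On the sample, no single-risk difference exceeds 50 and the most divergent pair (B and C) has a mean discrepancy of exactly 25, so the estimates are averaged; replacing expert B's estimates with values 100 apart from the others on one risk produces two pairwise violations and no average, which is the case the article sends to the experts' meeting.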
There are other methods of expert risk assessment. One of them is the ranking method. The algorithm of its implementation is as follows.
At the first stage of information processing, all the estimates should be arranged in descending order.
Next, the average value of all estimates is calculated by the formula of the arithmetic mean.

The obtained values are divided into four equal intervals.
If experts' evaluations fall into the extreme intervals, these experts are asked to justify their opinions. The other experts become familiar with their justification (under complete confidentiality).
The following rounds of discussion take into account those factors that were accidentally lost by the experts in the first round of the survey. As a result, in the second round there is less divergence of opinions.
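The ranking procedure of the preceding steps (sort the estimates in descending order, take the arithmetic mean, split into four equal intervals, ask the experts in the extreme intervals to justify themselves, then run a further round and check that the divergence has shrunk) is implemented below in Python as an added example; it is not code from the article. The reading of "four equal intervals" as four equal-width bands between the smallest and largest estimate is an assumption made here, as is measuring divergence as the range of the estimates; the expert names and the two rounds of estimates are constructed.

```python
from statistics import mean
from typing import Dict, List

Round = Dict[str, float]  # expert name -> estimate (e.g. risk probability on 0..100)


def ranking_round(estimates: Round) -> dict:
    """One round of the ranking method: order the estimates, average them, split the
    range into four equal-width intervals (assumption) and flag the experts whose
    estimates fall into the two extreme intervals."""
    if len(estimates) < 2:
        raise ValueError("at least two experts are needed")
    ordered = sorted(estimates.items(), key=lambda kv: kv[1], reverse=True)  # descending
    values = [v for _, v in ordered]
    average = mean(values)
    lo, hi = min(values), max(values)
    width = (hi - lo) / 4

    def interval(v: float) -> int:
        # 0 = lowest band ... 3 = highest band; the maximum value is clamped into band 3
        return 0 if width == 0 else min(int((v - lo) / width), 3)

    bands = {name: interval(v) for name, v in ordered}
    # When every expert gives the same value there is no extreme to justify.
    extreme = [] if width == 0 else [n for n, b in bands.items() if b in (0, 3)]
    return {"ordered": ordered, "mean": average, "intervals": bands,
            "extreme": extreme, "divergence": hi - lo}


def divergence_shrinks(rounds: List[Round]) -> bool:
    """True if each successive round has a strictly smaller spread than the previous one."""
    spreads = [ranking_round(r)["divergence"] for r in rounds]
    return all(b < a for a, b in zip(spreads, spreads[1:]))


# Constructed sample: five experts, first round and the revised second round.
ROUND_1: Round = {"E1": 90, "E2": 60, "E3": 55, "E4": 50, "E5": 20}
ROUND_2: Round = {"E1": 70, "E2": 60, "E3": 55, "E4": 50, "E5": 40}

if __name__ == "__main__":
    first = ranking_round(ROUND_1)
    print("mean:", first["mean"], "asked to justify:", first["extreme"])
    print("divergence shrinks across rounds:", divergence_shrinks([ROUND_1, ROUND_2]))
```

In the first constructed round the range 20..90 gives bands of width 17.5, so E1 (90) and E5 (20) land in the extreme bands and are asked to justify their estimates; after the second round the spread falls from 70 to 30.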
The Delphi method involves the rejection of direct communication between experts in the research process. Thus, the essence of this method lies in individually interviewing all members of the group through questionnaires in order to clarify their opinions, based on personal experience and knowledge, about future hypothetical events [24].
Risk scoring is a risk expertise based on a summarizing indicator, which is determined using a number of private indicators (factors) of the risk degree assessed by experts. The following steps are expected:
- selection of the factors directly affecting the risk degree of the project;
- outlining a generalized criterion and individual indicators characterizing each factor;
- assessment of this criterion in terms of risk degree;
- development of risk management recommendations.
Obviously, high quality of expertise is achieved when experts' opinions on several factors are highly consistent. However, when using any method of expert evaluation, there is a problem associated with the inaccuracy of the results obtained due to such factors as a poor choice of specialists, dominance of one opinion (usually that of an "authoritative leader"), etc. Therefore, it is necessary to carry out an expertise on the reliability of the obtained estimates.
One of the evaluation indicators is Kendall's coefficient of concordance W (rank correlation coefficient), which is calculated from the following quantities: m, the number of experts in the group; n, the number of factors studied; S, the sum of squared rank differences (deviations from the mean value).
The results of the analysis are interpreted within the following limits:
- W < 0.2-0.4 - concordance among the experts is low;
- W > 0.6-0.8 - concordance among the experts is high;
- W = 1 - the opinions of all experts are concordant.
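The concordance check described above is carried through below in Python as an added example (not code from the article). It uses the standard untied form of Kendall's coefficient, W = 12 S / (m^2 (n^3 - n)), where S is the sum of squared deviations of the per-factor rank sums from their mean m(n + 1)/2, with m and n as defined in the text. The rankings are constructed for the example; the label "moderate" for the band between the article's "low" and "high" thresholds is an assumption made here, since the article gives that band no name, and the helper that turns one expert's numeric scores into ranks rejects ties because the untied formula does not apply to them.

```python
from typing import List, Sequence

Ranking = Sequence[int]  # one expert's ranks for the n factors: a permutation of 1..n


def kendall_w(rankings: List[Ranking]) -> float:
    """Kendall's coefficient of concordance for m experts ranking n factors without ties:
    W = 12 S / (m^2 (n^3 - n)), S = sum over factors of (rank sum - m(n+1)/2)^2."""
    m = len(rankings)
    if m < 2:
        raise ValueError("at least two experts are needed")
    n = len(rankings[0])
    if n < 2:
        raise ValueError("at least two factors are needed")
    for r in rankings:
        if sorted(r) != list(range(1, n + 1)):
            raise ValueError(f"ranking {list(r)} is not a permutation of 1..{n}")
    rank_sums = [sum(r[j] for r in rankings) for j in range(n)]
    mean_sum = m * (n + 1) / 2
    s = sum((rs - mean_sum) ** 2 for rs in rank_sums)
    return 12 * s / (m ** 2 * (n ** 3 - n))


def interpret(w: float) -> str:
    """Read W on the article's scale (the 'moderate' label is an assumption)."""
    if w >= 1 - 1e-12:
        return "all experts concordant"
    if w > 0.6:
        return "high"
    if w < 0.4:
        return "low"
    return "moderate"


def scores_to_ranks(scores: Sequence[float]) -> List[int]:
    """Rank the factors by one expert's scores: the highest score gets rank 1.
    Ties are rejected because the untied form of W above does not apply to them."""
    if len(set(scores)) != len(scores):
        raise ValueError("tied scores: use a tie-corrected form of W instead")
    order = sorted(range(len(scores)), key=lambda j: scores[j], reverse=True)
    ranks = [0] * len(scores)
    for rank, j in enumerate(order, start=1):
        ranks[j] = rank
    return ranks


# Constructed sample: three experts ranking four risk factors.
SAMPLE_RANKINGS: List[Ranking] = [
    [1, 2, 3, 4],
    [1, 3, 2, 4],
    [2, 1, 3, 4],
]

if __name__ == "__main__":
    w = kendall_w(SAMPLE_RANKINGS)
    print(f"W = {w:.4f} ({interpret(w)})")
```

For the sample the rank sums are 4, 6, 8 and 12 with mean 7.5, so S = 35 and W = 420/540 = 0.78, which the article's scale reads as high concordance; three identical rankings give W = 1, and two exactly opposite rankings give W = 0.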
Thus, it can be concluded that expert evaluation of risks is a very effective and simple method for analyzing the occurrence of adverse events, especially in the area of information security management systems. Moreover, due to its simple organization, this method makes it possible to cover a wide range of investigated factors.
However, due to the exceptional subjectivity of experts' responses, it is necessary to adhere to certain rules in conducting the expertise as well as to analyze the degree of concordance of experts' opinions in order to identify the quality of this expertise.

CONCLUSIONS
Consequently, considering IT risks in business processes, we can argue that IT risks are the main source of business risks since the basic processes of an enterprise are performed using information technologies. Minimization of the risks and assurance of maximum information security demands IT risk management based on the enterprise's specifics.
In the research, techniques of IT risk management were described. We took a closer look at the CRAMM, COBIT, FRAP and OCTAVE techniques, which are widely used by government and business organizations all around the world. The studied techniques have both advantages and disadvantages for managing risk and do not provide a solution for eliminating the consequences of risks that were not minimized or prevented.
The article suggests the application of expert systems in solving problems of risk evaluation that are difficult for a human expert. In most cases, expert systems are effective for tasks that are difficult to formalize or do not have an algorithmic solution.
Therefore, we can conclude that developing such an expert system implements information support for, and optimization of, business planning processes. In turn, the use of such expert systems for assessing risks by economic entities will give them effective tools to form business plans for the implementation of various production and commercial projects.