Key Components of a Successful Risk Assessment

ASIS International Seminar and Exhibition
Tuesday, September 30, 2014

Carol Fox, RIMS Director, Strategic & Enterprise Risk Practice
Marc Siegel, Commissioner, Global Standards

Copyright © 2014 ASIS International and RIMS


Page 2

Risk Assessment Standard Under Development

Development of the Risk Assessment (RA) ANSI American National Standard is a joint initiative of ASIS International and RIMS. Both are ANSI-accredited standards development organizations (SDOs).

Page 3

About ASIS International

Largest professional society for security management practitioners

• Founded in 1955
• More than 38,000 members in 133 countries
• 218 chapters in 60 countries
• 31 councils, ranging from disaster management, financial services, physical security, IT security, supply chain security, utilities, hotels and hospitality, and retail
• Recognized as international body by ISO – liaison status
• Chair and Secretariat of ISO/PC 284 – Security Operations
• Recognized as European body by CEN – liaison status
• Accredited by ANSI as American SDO – open to members globally
• Standards development and training
• Credentialing and certification of security professionals

Page 4

About RIMS

Global not-for-profit organization focused on advancing risk management for organizational success

• Founded in 1950
• More than 11,000 members located in more than 60 countries
• More than 80 chapters
• More than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world
• Accredited by ANSI as American SDO – open to members globally
• Member of US-TAG to ISO/TC 262 – Risk Management
• Learning: risk management development offerings / designations
• Networking: conferences, meetings, Standards and Practices Committee
• Resources: publications, research, surveys, articles, tools

Page 5

ANSI/ASIS/RIMS Standard Builds on the Foundation of ISO 31000: Risk Management

• ISO 31000:2009, Risk management – Principles and guidelines
• ISO Guide 73:2009, Risk management – Vocabulary
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques

Page 6

Bottom Line: Risk Managers are Business Managers

Old View: Event focused
New View: Objectives focused

Page 7

Evolving Views of Risk Management

• Risk management is a price of doing business; spend as little as possible.
• Risk management has some strategic value, but there is a need to rationalize the cost of risk profile improvement.
• Risk management creates business opportunities and helps realize positive returns on risk management investments.

Page 8

Risk Management is Tailored to the Business – Not Vice-Versa

• Risk manager that recognizes that it is about value creation, products, and services
• Risk manager that thinks it is about tailoring the business to managing risk

Page 9

ISO 31000 Changes the Perspective on Risk Management

Defines risk as "effect of uncertainty on objectives"

Old View
• Reactive mode
• Event-focused
• Post-action response
• Afterthought
• Transactional
• Protecting value

New View
• Proactive mode
• Objectives-focused
• Predictive indicators
• Foresight
• Strategic
• Creating and capturing value
• Expanding organizational risk management competencies

Page 10

Using ISO 31000:2009 as a Base

Page 11

ISO 31000:2009 Risk Management

Page 12

Risk Assessment Expressed Another Way

• Risk identification: Who / What / When / Where / How
• Risk analysis: Why / How often / How much / How critical / Level of risk based on what criteria?
• Risk evaluation: What is acceptable or unacceptable / Solution options / Priorities

Reproduced from ISO 31010, www.iso.org. Copyright remains with IEC/ISO.

Page 13

Creating AND Protecting Value

• Value creation
• Value preservation

Page 14

ISO/IEC 31010

ISO/IEC 31010:2009 Risk management — Risk assessment techniques
◦ Provides guidance on selection and application of systematic techniques for risk assessment.
◦ A range of techniques are presented, with specific references to other international standards where the concept and application of techniques are described in greater detail.

• Selection of risk assessment techniques
• Comparison of risk assessment techniques
• Description of risk assessment techniques

Page 15

Proposing an American National Risk Assessment Standard

A Collaborative Approach

Page 16

Risk Assessment Standard: Defining the Process

Reliable risk assessments require that they be conducted using a systematic approach:
◦ Organized and well-documented
◦ Clearly defined objectives and criteria
◦ Clearly identified stakeholders
◦ Biases understood
◦ Documented assumptions
◦ Defined sampling techniques

The standard will discuss managing a risk assessment program, as well as conducting individual risk assessments.

Page 17

American National Risk Assessment Standard Intent

• Provides guidance for establishing a risk assessment program and conducting individual risk assessments consistent with ISO 31000:2009 Risk management — Principles and guidelines, and the COSO Enterprise Risk Management (ERM) framework
• Provides guidance on conducting risk assessments for risk- and resilience-based management system standards, including principles of risk assessments, managing the risk assessment program, and conducting risk assessments, as well as evaluation of competence of persons involved in the risk assessment process
• Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act model, and
• Provides the informational basis necessary for decision makers to make informed decisions about managing risks in the organization and its supply chain.

Page 18

Formalized Risk Assessment Provides a Critical Decision Making Tool

• Whether an activity should be undertaken
• How to maximize opportunities
• Whether risks need to be treated
• Choosing between options with different risks
• Prioritizing risk treatment options
• The most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level and make reward outcomes for risk-taking more certain

Page 19

Importance of Risk Assessment

• Risk assessments provide the foundation on which the organization's security operations management and risk management plans and programs are based.
• Strategies will be formulated and plans will be developed to meet the needs identified in them.

Therefore: risk assessment should be repeated on a regular basis and/or in response to significant changes to the organization's operating environment.

Page 20

Risk Assessment Principles

• Impartiality
• Independence and objectivity
• Trust, competence, and due professional care
• Honest and fair representation
• Responsibility and authority
• Consultative approach
• Fact-based approach
• Confidentiality
• Change management
• Continual improvement

Page 21

PDCA for a Risk Assessment Program

Page 22

Managing the Risk Assessment Program

• Understand the organization and its objectives
• Establish the framework
• Establish the program
• Implement the risk assessment program
• Monitor the risk assessment program
• Review and improve

Page 23

Establishing a Risk Assessment Program

• Define the objectives for the risk assessment program
• Identify the scope of the risk assessment
  ◦ Extent/number/types/duration/locations/schedule of the risk assessments
• Establish risk assessment procedures
  ◦ Criteria
  ◦ Influences
  ◦ Methods
• Identify stakeholders
• Select risk assessment teams
• Identify information sources
• Determine resources necessary
• Verify processes for handling confidentiality
• Monitor and measure to ensure that objectives are achieved
• Establish how information will be recorded and communicated
• Review in order to identify possible improvements

Page 24

…Don't Forget

• Management commitment
  ◦ Setting risk criteria
  ◦ Support of risk assessment program
• Who will lead and participate in the process?
• Documentation
  ◦ Assumptions
  ◦ Types and methods
  ◦ People involved
  ◦ Data and information sources
  ◦ Risk descriptions
  ◦ Error analysis
  ◦ Sensitivity analysis
  ◦ Document control

Page 25

Communicate and Consult

• Should take place during all stages of the risk management process.
• A two-way dialogue between stakeholders.
• Develop the communication strategy at the context stage.
• Ensure stakeholders' perception of risk is addressed.
• Seeks to improve performance based on informed, mutual decisions.

Page 26

Understanding Biases

• Social and cultural biases
• Familiarity and confirmation bias
• Perception, observational selection, and memory biases
• Belief and behavioral biases
• Relational, group-think, and tribal biases
• Confirmation and post-rationalization biases
• Information availability bias
• Decision making biases
• Illusion of control biases

Page 27

Performing Individual Risk Assessments

• Commencing the risk assessment
• Planning risk assessment activities
• Conducting risk assessment activities
• Post risk assessment activities

Page 28

Formal vs. Informal Risk Assessments

Page 29

Using Multiple Techniques

Page 30

Identify the Risks

• Why could something happen?
  ◦ A cause or factor creating risk
  ◦ Effectiveness of controls
• Who could be involved?
  ◦ Individuals or groups associated with threat, control of risk, and/or impacted by risk
• How could it happen?
  ◦ A source of risk
• What could happen?
  ◦ Potential event
  ◦ Potential consequences
• When could something happen?
• Where could it happen?

Page 31

Risk Identification

• Asset and service identification, valuation and characterization
• Threat and opportunity analysis
• Vulnerability and capability analysis, and
• Criticality and impact analysis.

Page 32

The Risk Arena

• Internal circle – internal risks
• External circle – external risks

These risks do not exist in isolation and can have overlapping and multiple effects.

Page 33

Threat Assessment

Page 34

Identification Output = Analysis Input

Page 35

Risk Analysis

Purpose:
◦ Separate minor risks from major.
◦ Provide data to assist in evaluation.
◦ Determine the adequacy and appropriateness of existing controls to manage identified priority risks.
◦ Prioritize risks for subsequent evaluation of tolerance or need for further treatment.
◦ Provide a better understanding of the risk treatments necessary to protect the value of critical assets from identified risks.
◦ Identify opportunities and means to achieve objectives.

Page 36

Types of Risk Analysis

• Quantitative analysis – relies on probabilities and statistics, using mathematical formulas and calculations to interpret numbers, data, and estimates
• Qualitative analysis – relies on the subjective judgment based on the intuitive assessment of team members, using terms, words, and images as descriptors of risk, and
• Combined approaches – used when numerical values would be inadequate to properly describe all the risks being assessed (and their likelihoods and consequences)
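The three kinds of analysis above, as an added example that is not part of the original deck or of any ASIS/RIMS standard: a constructed two-item risk register is scored first with a qualitative likelihood x consequence matrix and, where frequency and loss data exist, with a quantitative compound Poisson/lognormal model (closed-form expected annual loss plus a Monte Carlo estimate of the 50th and 95th percentiles of annual loss). The analyze function is the combined approach: it quantifies what can be quantified and keeps the matrix score for every risk so the two results stay comparable. The 5-point scales, event rates, loss figures and the Poisson/lognormal choice are all assumptions made for illustration, not criteria from the deck.

```python
"""Qualitative, quantitative and combined analysis of one constructed risk register.

Scales, rates and loss figures are constructed for illustration; the
organization's own risk criteria define the real ones.
"""
import math
import random
from dataclasses import dataclass
from typing import Optional

# Constructed 5-point qualitative scales (descriptor -> rank).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str                           # qualitative descriptor, always available
    consequence: str                          # qualitative descriptor, always available
    events_per_year: Optional[float] = None   # quantitative data, if any (Poisson rate)
    loss_median: Optional[float] = None       # median loss per event, in currency units
    loss_sigma: float = 0.0                   # lognormal spread of loss per event


def qualitative_level(risk: Risk) -> int:
    """Risk matrix: likelihood rank x consequence rank, giving a 1..25 score."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def expected_annual_loss(risk: Risk) -> float:
    """Closed form for a compound Poisson/lognormal model:
    rate x mean loss per event, where the lognormal mean is median x exp(sigma^2 / 2)."""
    return risk.events_per_year * risk.loss_median * math.exp(risk.loss_sigma ** 2 / 2)


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(risk: Risk, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo estimate of the annual loss distribution: for each trial year,
    sample how many events occur (Poisson) and the loss of each (lognormal);
    report the mean plus the 50th and 95th percentiles over all trials."""
    rng = random.Random(seed)
    mu = math.log(risk.loss_median)
    totals = []
    for _ in range(trials):
        n = _poisson(rng, risk.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, risk.loss_sigma) for _ in range(n)))
    totals.sort()
    return {
        "mean": sum(totals) / trials,
        "p50": totals[trials // 2],
        "p95": totals[int(trials * 0.95)],
    }


def analyze(register: list[Risk]) -> list[dict]:
    """Combined approach: quantify where frequency and loss data exist, fall
    back to the qualitative matrix otherwise, and keep the matrix score for
    every risk so the two kinds of result can still be compared."""
    results = []
    for r in register:
        row = {"name": r.name, "matrix_score": qualitative_level(r), "method": "qualitative"}
        if r.events_per_year is not None and r.loss_median is not None:
            row["method"] = "quantitative"
            row["eal"] = expected_annual_loss(r)
            row.update(simulate_annual_loss(r))
        results.append(row)
    return results


# Constructed register: one risk with loss history, one with expert judgment only.
REGISTER = [
    Risk("Warehouse theft", "likely", "moderate",
         events_per_year=2.0, loss_median=10_000.0, loss_sigma=0.5),
    Risk("Key supplier insolvency", "unlikely", "major"),
]

if __name__ == "__main__":
    for row in analyze(REGISTER):
        print(row)
```

The p95 figure is what a purely qualitative matrix cannot give: two risks with the same matrix score can have very different tail losses, which is the usual argument for quantifying the few risks that have data.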

Page 37

Risk Evaluation

• Determining which risks are tolerable, and which risks require control and treatment
• Criteria for risk evaluation should have been identified in the scope and policy of the management system, in consultation with top management
• All risk cannot be eliminated – what is the cost-effective "As Low As Reasonably Practicable" (ALARP) level of risk?

Page 38

Are Existing Controls Effective?

Page 39

Risk Assessment – The Funnel Analogy

• A "box" is filled up with all identified risks, and tipped into a funnel.
• Depending upon the organization's tolerance for risk, the funnel's filters will allow different sized risks to fall through the gaps, or remain at the top.
• The way risks are prioritized depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.
• Some risks are so small they fall through the bottom of the funnel and are accepted.
• Levels of risk tolerance may differ between assessments, or across organizations, because of the context.
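The funnel in code, as an added example that is not from the original deck: constructed tolerance thresholds (Criteria) act as the funnel's filters, sorting analyzed risks into accept / monitor / treat and ranking those that stay near the top; for each risk in the treat band, alarp_choice then picks the cheapest treatment option whose residual level is tolerable, which is the cost-effective ALARP decision the Risk Evaluation slide asks for, and flags a risk for escalation when no option reaches a tolerable level. Risk levels, thresholds, treatment options and costs are all assumptions for illustration.

```python
"""Risk evaluation as a funnel: tolerance thresholds sort analyzed risks into
accept / monitor / treat, rank what remains, and pick an ALARP treatment.

Thresholds, risk levels, treatment options and costs are constructed for
illustration; an organization's own risk criteria and cost figures replace them.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Treatment:
    name: str
    cost: float            # cost of the option, same currency as the loss estimates
    residual_level: int    # expected risk level after the option is applied


@dataclass
class Risk:
    name: str
    level: int                                      # output of analysis (e.g. matrix score 1..25)
    options: list[Treatment] = field(default_factory=list)


@dataclass(frozen=True)
class Criteria:
    """The funnel's filters. Risks below `accept` fall straight through; risks
    below `treat` are tolerable and only monitored; the rest require treatment."""
    accept: int
    treat: int


def evaluate(risk: Risk, criteria: Criteria) -> str:
    """Place one risk in the funnel."""
    if risk.level < criteria.accept:
        return "accept"
    if risk.level < criteria.treat:
        return "monitor"
    return "treat"


def funnel(risks: list[Risk], criteria: Criteria) -> dict[str, list[str]]:
    """Group by decision; within a group a higher level sits higher in the
    funnel and so carries higher priority, hence the descending sort."""
    groups: dict[str, list[Risk]] = {"treat": [], "monitor": [], "accept": []}
    for r in risks:
        groups[evaluate(r, criteria)].append(r)
    return {k: [r.name for r in sorted(v, key=lambda x: -x.level)] for k, v in groups.items()}


def alarp_choice(risk: Risk, criteria: Criteria) -> Optional[Treatment]:
    """As Low As Reasonably Practicable: the cheapest option that brings the
    residual level below the treatment threshold; ties on cost go to the lower
    residual level. None means no option reaches a tolerable level, so the
    decision (accept anyway, avoid the activity, find other options) escalates."""
    feasible = [o for o in risk.options if o.residual_level < criteria.treat]
    if not feasible:
        return None
    return min(feasible, key=lambda o: (o.cost, o.residual_level))


def treatment_plan(risks: list[Risk], criteria: Criteria) -> dict[str, str]:
    """For every risk in the treat band, record the ALARP choice or an escalation."""
    plan = {}
    for r in risks:
        if evaluate(r, criteria) != "treat":
            continue
        chosen = alarp_choice(r, criteria)
        plan[r.name] = chosen.name if chosen else "ESCALATE: no option reaches a tolerable level"
    return plan


# Constructed criteria and register (levels are matrix scores from analysis).
CRITERIA = Criteria(accept=5, treat=12)
RISKS = [
    Risk("Warehouse theft", 12, [
        Treatment("CCTV and guard patrols", 40_000, 6),
        Treatment("Perimeter fence", 25_000, 9),
        Treatment("Signage only", 1_000, 12),      # does not reach a tolerable level
    ]),
    Risk("Key supplier insolvency", 8),
    Risk("Minor office vandalism", 3),
    Risk("Data-center flood", 20, [Treatment("Sandbags", 5_000, 16)]),
]

if __name__ == "__main__":
    print(funnel(RISKS, CRITERIA))
    print(treatment_plan(RISKS, CRITERIA))
```

Changing the two numbers in Criteria is the whole point of the last bullet above: the same register funnels differently for a different organization or context, and the record of which thresholds were used belongs in the assessment's documentation.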

Page 40

Risk Assessment Drives Decision Making

• Risk management process needs clear governance structure
• Risk management is based on specific business objectives and is objectives focused
• Risk assessment is defined in terms of organizational objectives
• Key performance indicators linked to business objectives
• Risk management supports decision making, therefore proactive
• Risk management protects and creates value

Page 41

Risk Assessment Standard: Defining the Process

Managing a risk assessment program and conducting individual risk assessment:
• Scope
  ◦ Project objectives
  ◦ Project scope and boundaries
  ◦ Definition of variables
  ◦ Statement of work
• Planning
  ◦ Gaps analysis
  ◦ Legal and other requirements
  ◦ Objectives, targets and strategies
  ◦ Data gathering and sampling

Page 42

Risk Assessment Standard: Defining the Process

• Implementation
  ◦ Asset identification and valuation
  ◦ Threat analysis
  ◦ Criticality and impact analysis
  ◦ Vulnerability analysis
  ◦ Cost benefit analysis
  ◦ Risk control and treatments
  ◦ Roles, resources and responsibilities
  ◦ Skills and competencies
  ◦ Documents, records, and document control
• Checking and evaluation
• Review and improvement

Page 43

Thank You – Questions?

Marc Siegel
ASIS International
Commissioner, Global Standards
(858) [email protected]

Carol Fox
RIMS – Director, Strategic and Enterprise Risk Practice
(212) [email protected]

www.asisonline.org
www.RIMS.org