risk management models - core consulting

© Continuity and Resilience Copyright 2013 Risk Management and Models CII Nov. 05, 2015


© Continuity and Resilience – Copyright 2013

Risk Management and Models

CII – Nov. 05, 2015

Introductions


About Continuity and Resilience (CORE)

• ISO 22301 Certified Management Consulting Firm
• Business Continuity Management
• Crisis Management
• IT Disaster Recovery
• Green IT
• Risk Management
• Information Security Management
• We Consult / Train / Assess and Certify in these domains

A person who can foresee problems / difficulties and identify proactive solutions will live happily. - Chanakya (350 – 283 BC), Author of Artha Sasthra

What is Risk?

• Risk is the potential that something will go wrong as a result of one or a series of events.

To get profit without risk, experience without danger, and reward without work, is as impossible as it is to live without being born. - A.P. Gouthe

Risk Definitions – the change over time

Source – Definition

ISO/IEC Guide 51:1999 – Combination of the probability of occurrence of harm and the severity of that harm

ISO/IEC Guide 73:2002 – Combination of the probability of an event and its consequence

AS/NZS 4360:2004 – Chance of something happening that will have an impact on objectives

COSO (2004) ERM Integrated Framework – Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.

ISO 31000:2009 – Effect of uncertainty on objectives

ISO 22301:2012 – Effect of uncertainty on objectives

Harmonization of International Standards

• ISO/IEC 31000 - Risk management – Principles and guidelines
• ISO/IEC 31010 - Risk management – Risk assessment techniques
• ISO/IEC 27001 - Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27005 - Information technology – Security techniques – Information security risk management systems

Universe of Risks - 2

Potential Sources of Risk (diagram): Natural, Manmade, Accidental; Internal, External

Lessons from Animals-1

Don’t be a pigeon!


Why are we talking about Risk?

Today’s networks are more exposed to threats & risks.

Gartner brought up an interesting concept: "Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting."

The risk environment is constantly changing. Financially-motivated, targeted attacks are increasing – but most security processes and technologies are failing to keep up.

Exposure points

“Risk comes from not knowing what you’re doing” - Warren Buffett

Well, then I guess, we both are in deep trouble

About Risk Management

In assessing risks, technical people tend to focus on the technical issues they have encountered, but the major risks for a product may be business-related – obstacles they don’t consider as often.

What is Risk Management?

Who uses Risk Management?

How is Risk Management used?

Risk Management Models

• Good management practice

• Process steps that enable improvement in decision making

• A logical and systematic approach

• Identifying opportunities

• Avoiding or minimizing losses

What is Risk Management?

Risk Management is the name given to a logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process.

What is Risk Management?

Risk Management is a methodology that helps managers make best use of their available resources.

What is Risk Management?

Coordinated activities to direct and control an organization with regard to risk.

Risk Management - Benefits

• Likelihood of achieving objectives is increased
• Proactive management is encouraged
• Identification of opportunities and threats is increased
• Legal and regulatory compliance is achieved
• Improvement in mandatory and voluntary reporting is achieved
• Governance is improved
• Interested parties’ confidence and trust is enhanced
• Decision making and planning is improved
• Resource allocation is effective

Risk Management - Benefits

• Operational effectiveness and efficiency is improved
• Health and safety performance is enhanced
• Environmental protection is improved
• Loss prevention and incident management is improved
• Losses are minimised
• Organisational learning is improved
• Overall improvement in organisational resilience is achieved

Who uses Risk Management?

Risk Management practices are widely used in the public and the private sectors, covering a wide range of activities or operations. These include:

• Finance and Investment

• Insurance

• Health Care

• Public Institutions

• Governments

• Effective Risk Management is a recognized and valued skill.
• Educational institutions have formal study courses and award degrees in Risk Management.
• The Risk Management process is well established. (International RM process standards.)

Who uses Risk Management?

Risk Management is now an integral part of business planning.

Risk Management - Myths

• “We can only do so much; then whatever happens, happens.”
• “Don’t be concerned with Risk Management (RM); there is nothing in it that applies to non-financial businesses.”
• “It’s hard to find someone who has the expertise to address all risks across the organization. Isn’t that what the CEO and CFO should be doing?”
• “Buying insurance manages the risk, doesn’t it?”

Risk Management - Myths

• “Risk management is only for large companies”

• “We have lots of insurance”

• “We already have a safety program”

• “We haven’t had any problems so far”

(but WE ARE ALWAYS ONE DISASTER BEHIND)

• “It’s too expensive to implement a program”

• “My company doesn’t have ethical risks.”

How is Risk Management used?

The Risk Management process steps are a generic guide for any organisation, regardless of the type of business, activity or function.

There are 7 steps in the RM process.

“The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning.” --Charles Tremper

The basic process steps are:

• Establish the context
• Identify the risks
• Analyse the risks
• Evaluate the risks
• Treat the risks

‘Risk’ is dynamic and subject to constant change, so the process also includes continuing:

• Communication & consultation
• Monitoring and review

The Risk Management process: Establish the context

The strategic and organisational context in which risk management will take place. For example, the nature of your business, the risks inherent in your business and your priorities.

The Risk Management process: Identify the risks

• Defining types of risk, for instance, ‘Strategic’ risks to the goals and objectives of the organisation.
• Identifying the stakeholders (i.e., who is involved or affected).
• Past events, future developments.

The Risk Management process: Analyse the risks

• How likely is the risk event to happen? (Probability and frequency?)
• What would be the impact, cost or consequences of that event occurring? (Economic, political, social?)

The Risk Management process: Evaluate the risks

• Rank the risks according to management priorities, by risk category and rated by likelihood and possible cost or consequence.
• Determine inherent levels of risk.

The Risk Management process: Treat the risks

Develop and implement a plan with specific counter-measures to address the identified risks. Consider:

• Priorities (Strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance (i.e., low risks)

The Risk Management process: Treat the risks (continued)

Document your risk management plan and describe the reasons behind selecting the risk and for the treatment chosen. Record allocated responsibilities, monitoring or evaluation processes, and assumptions on residual risk.

The Risk Management process: Communicate & consult, Monitor and review

Risk Management policies and decisions must be regularly reviewed.

In identifying, prioritising and treating risks, organisations make assumptions and decisions based on situations that are subject to change (e.g., the business environment, trading patterns, or government policies).

The Risk Management process: Communicate & consult, Monitor and review (continued)

Risk Managers must monitor activities and processes to determine the accuracy of planning assumptions and the effectiveness of the measures taken to treat the risk. Methods can include data evaluation, audit, compliance measurement.

The Risk Management process (summary):

• Establish the context
• Identify the risks
• Analyse the risks
• Evaluate the risks
• Treat the risks

Famous Quotes

“Business as usual is business at risk” - Deloitte Old whitepaper

“The problem in my life and other people’s lives is not the absence of knowing what to do, but the absence of doing it” - Peter F Drucker

“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.” --Dr. Michael Ong

“Risk management should be an enterprise-wide exercise and engrained in the business culture of the organization.” -- Julie Dickson

“If you treat risk management as a part-time job, you might soon find yourself looking for one.” --someone in Deloitte

4 T’s of Risk Management


• Tolerate (what is within your risk appetite)

• Treat (by investing)

• Transfer (through insurance)

• Terminate (the risk / process itself)

Heat Diagram (before and after treatment)

• The number of risks falling in the Red and Amber should reduce after treatment
• These should further reduce after treatment of the residual risks
• Which must further keep reducing over a period
• While new risks may also appear
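The analyse, evaluate and treat steps above, the 4 T’s, and the before/after heat diagram can be worked through on a small risk register. The following is an added illustration written for this page, not code from the CORE slides or from any standard: it scores each risk as likelihood × impact on a 1–5 scale, ranks the register, applies one of the four T’s to each risk, and counts the Red/Amber/Green bands before and after treatment. The scales, the band thresholds, the effect assigned to each treatment, and the sample risks are all constructed assumptions for the demonstration; a real register would take them from the organisation’s own criteria.

```python
"""Risk register: analyse (likelihood x impact), evaluate (rank, band),
treat (4 T's) and compare the heat map before and after treatment.

Added illustration, not code from the CORE slides. The 1-5 scales, the
Red/Amber/Green thresholds, the effect modelled for each treatment and
the sample risks are constructed assumptions for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import List, Optional

SCALE = range(1, 6)          # assumption: 1 = rare/negligible ... 5 = almost certain/severe
RED_AT, AMBER_AT = 15, 8     # assumption: band thresholds on the 1..25 product
BANDS = ("Green", "Amber", "Red")   # ordered from least to most severe


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    treatment: str = "Tolerate"   # one of the 4 T's: Tolerate, Treat, Transfer, Terminate


def score(likelihood: int, impact: int) -> int:
    """Analyse: inherent risk level as likelihood x impact (1..25)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def band(level_value: int) -> str:
    """Heat-map colour for a risk level."""
    if level_value >= RED_AT:
        return "Red"
    if level_value >= AMBER_AT:
        return "Amber"
    return "Green"


def level(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def rank(register: List[Risk]) -> List[Risk]:
    """Evaluate: order by inherent level, highest first (stable for ties)."""
    return sorted(register, key=level, reverse=True)


def heat_map(register: List[Risk]) -> Counter:
    """Count risks per colour band (the heat diagram, as numbers)."""
    return Counter(band(level(r)) for r in register)


def can_tolerate(risk: Risk, appetite: str = "Green") -> bool:
    """Tolerate is only an option for risks within the stated appetite band."""
    return BANDS.index(band(level(risk))) <= BANDS.index(appetite)


def apply_treatment(risk: Risk, appetite: str = "Green") -> Optional[Risk]:
    """Treat: return the residual risk, or None when the risk is terminated.

    Modelled effects (assumptions): Treat lowers likelihood by 2 (controls),
    Transfer lowers impact by 2 (insurance absorbs consequence, not
    probability), Tolerate leaves the risk unchanged but is rejected outside
    appetite, Terminate removes the activity and with it the risk.
    """
    t = risk.treatment
    if t == "Tolerate":
        if not can_tolerate(risk, appetite):
            raise ValueError(f"{risk.name}: cannot tolerate a {band(level(risk))} risk")
        return risk
    if t == "Treat":
        return replace(risk, likelihood=max(1, risk.likelihood - 2))
    if t == "Transfer":
        return replace(risk, impact=max(1, risk.impact - 2))
    if t == "Terminate":
        return None
    raise ValueError(f"{risk.name}: unknown treatment {t!r}")


def treat_register(register: List[Risk], appetite: str = "Green") -> List[Risk]:
    """Apply each risk's chosen treatment and drop terminated risks."""
    residual = [apply_treatment(r, appetite) for r in register]
    return [r for r in residual if r is not None]


# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Risk("Ransomware on file servers", 4, 5, "Treat"),
    Risk("Data-centre flood", 2, 5, "Transfer"),
    Risk("Legacy app on unsupported OS", 5, 4, "Terminate"),
    Risk("Phishing of finance staff", 4, 3, "Treat"),
    Risk("Minor website defacement", 2, 2, "Tolerate"),
    Risk("Key supplier insolvency", 3, 4, "Transfer"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{level(r):>2} {band(level(r)):<5} {r.name} -> {r.treatment}")
    before, after = heat_map(REGISTER), heat_map(treat_register(REGISTER))
    for colour in BANDS:
        print(f"{colour:<5} before={before[colour]} after={after[colour]}")
```

Running the script prints the ranked register and then the band counts: the constructed register starts with two Red and three Amber risks and ends with none Red and one Amber, which is the movement the heat diagram is meant to show. The `Tolerate` branch deliberately refuses a risk outside appetite, so a register that quietly accepts a Red risk fails loudly instead of passing review; the residual Amber risk (ransomware) is exactly the kind that the slide says should go through a further round of treatment.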

Lessons from Animals-2

Don’t be a horse!


Risk Management Maturity Model

• No established Maturity Model for Risk Management exists today;
• But one can easily be developed and adopted

“If you can't describe what you are doing as a process, you don't know what you're doing” - W. Edward Deming

RM Maturity Model - Deloitte sample

RM Maturity Model

• Levels and Parameters defined by someone else
• Level 1: Ad hoc. Undocumented; in a state of dynamic change; depends on individual heroics.
• Level 2: Preliminary. Risk defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.
• Level 3: Defined. A common risk assessment/response framework is in place. Organization-wide view of risk is provided to executive leadership. Action plans implemented in response to high priority risks.

RM Maturity Model

• Levels and Parameters defined by someone else
• Level 4: Integrated. Risk management activities coordinated across business areas. Common risk management tools and processes used where appropriate, with enterprise-wide risk monitoring, measurement and reporting. Alternative responses analyzed with scenario planning. Process metrics in place.
• Level 5: Optimized. Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management of risks above established thresholds.

Other RM Standards

• ISO 14971 – Medical devices – Application of risk management to medical devices
• ISO/IEC 16085 – Systems and Software Engineering – Life cycle processes – Risk management
• ISO 17666 – Space systems – Risk management
• ISO/IEC 27005 – Information technology – Security techniques – Information security risk management

Other RM Standards

• AS/NZS 4360 – Risk Management**
• COSO Enterprise Risk Management – Integrated Framework
• NIST 800-30 – Risk Management Guide for Information Technology Systems

** Base standard for ISO 31000; it was the first international standard on Risk Management

BT Risk Process & Activity Lifecycle (PDCA Model)

Plan – Do – Check – Act (Deming Cycle)

1. Define: 1.1 Stakeholders; 1.2 Risk Management Executive; 1.3 Scope
2. Risk Analysis: 2.1 Risk Identification; 2.2 Identify Appetite; 2.3 Calculate Risk; 2.4 Decide Response
3. Select Control Criteria & Implement Controls: 3.1 Choose Controls; 3.2 Implement Controls
4. Audit & Testing of Controls: 4.1 Internal Testing/Auditing; 4.2 External Testing/Auditing; 4.3 Accreditation
5. Improvement Plan: 5.1 Agree; 5.2 Monitor
6. Incident Management: 6.1 Monitor; 6.2 Respond; 6.3 Record; 6.4 Categorise

Other Strategic Risks

• Recently, the following have been gaining a lot of importance:
• Sustainability Risks
• Cloud Computing Risks

Risk Management Rules

1. Don’t underestimate your risks

2. Risks don’t go away (they exist as they are)

3. Certifications don’t make you ready

4. You can’t just rely on technology

5. Be careful of professional burnout

6. Look after your (precious) data

7. Risk Management? Incident Management?

8. Manage risks from top down

9. Don’t reveal your internal documents

10. Lies, damn lies and statistics…..

A Balanced Approach - Risks need to be understood

Diagram elements: Potential Threats to Assets; Potential Vulnerability; Reality Check; Risk Appetite; Balanced Solution; Solution for Acceptable Risk; Mitigation. Axes: Information Security, Cost, Usability and Risk, each running from Low to High.

Risk Management is the management of Trade-off. There must be a balance!


Thank You