Risk Analysis: A few introductory thoughts. Dr. Gábor Jeney, PhD, Senior researcher (BME), Senior/lead auditor of ISO 27001 at AIB-Vincotte, CEO of Network Security Audit Ltd.

Risk Analysis: A few introductory thoughts. Source: mcl.hu/~jeneyg/foliak_JG_2012.pdf

Jul 28, 2018

Page 1

Risk Analysis: A few introductory thoughts

Dr. Gábor Jeney, PhD
Senior researcher (BME)
Senior/lead auditor of ISO 27001 at AIB-Vincotte
CEO of Network Security Audit Ltd.

Page 2

Outline

● Understanding the meaning of the subject
● The process of RA
● Examples – how people do the process of RA

Notations
● Arrows represent information flows and/or dependence
● Light grey slides are off topic (background)

Page 3

Why should we bother?

● What is the point of this subject?

● Why do a risk analysis?

● Where is risk analysis?

● What is risk anyway?

● Threat vs. opportunity

● Why do risk analysis? What can it do for us?

● What can we do with risks?

● Assess them
– Identify them, analyse them, evaluate them

● Treat them

Page 4

Where is RA?

● At the heart of each investor
● Low risk investments are preferred
– Whatever „low risk” means...

● In the centre of most management systems:

● In modern Quality MS's, including:
– ISO/TS 16949 (automotive industry)
– QS 9000 (predecessor of ISO/TS 16949)

– AS-9100 (aerospace industry)

● ISO 14001 (Environmental MS)

● ISO 27001 (Information Security MS)

● ISO 31000 (Risk Management)

● To sum up: RA is at the heart of a good manager

Page 5

What is risk? – from the book

● Risk/Threat = random event that could have a negative effect/impact on the goals of the organization/investment
● Risk = scenario + probability + severity (of impact)
● Opportunity = random event that could have a positive effect/impact on the goals of the organization/investment
● The same three elements
● Threat <=> opportunity: opposite sides of the coin
● Opportunity = we have a high probability (p > 50%) threat which might not happen (with probability 1 – p < 50%)

Page 6

What is risk? – from ISO 31000

● Internal and external factors make it uncertain that organizations can achieve their goals and objectives
● RISK = effect of this uncertainty
● All activities involve RISK (!)

Page 7

What is risk? Examples

● A plant pot falling on your head while walking
● Suffering a car accident while driving
● Closing financial positions with a lower balance compared to the opening one

Page 8

How many risks are there? Plenty!

● While walking
– A plant pot falling on your head
– Suffering an accident (e.g. fracture), etc.
● While driving
– Suffering a car accident
– Running out of petrol
– Having technical problems (e.g. breakdown), etc.
● Financial example
– Closing positions with a lower balance
– Loss of liquidity (unable to close the position), etc.

Page 9

Why do RA? – from ISO 31000

● Increase the likelihood of achieving objectives

● Encourage proactive management

● Be aware of the need to identify and treat risk throughout the organization

● Improve the identification of opportunities and threats

● Comply with relevant legal and regulatory requirements and international norms

● Improve mandatory and voluntary reporting

● Improve governance

● Improve stakeholder confidence and trust

● Establish a reliable basis for decision making and planning

Page 10

Why do RA? – from ISO 31000 (cont.)

● Improve controls

● Effectively allocate and use resources for risk treatment

● Improve operational effectiveness and efficiency

● Enhance health and safety performance and environmental protection

● Improve loss prevention and incident management

● Minimize losses

● Improve organizational learning

● Improve organizational resilience

Page 11

Background: continuous improvement, the PDCA cycle

[Figure: the PDCA cycle – Plan (P) → Do (D) → Check (C) → Act (A), then back to Plan]

Page 12

Basics: the process based thinking

● Every activity can be divided into sequential or parallel processes
● Processes should have
– Name, and description
– Inputs (material, or information)
– Outputs (material, or information)
– Methodology (the way the process should be done)
– People („employees” of the process)
– Machine, tools, etc. (tools needed for the process)
– Measure (the efficiency of the process)

Page 13

Basics: the process based thinking: the turtle diagram

[Figure: the turtle diagram – "Process name and description" in the centre, Inputs on the left and Outputs on the right, surrounded by Methodology, Machines/tools, People and Measure]

Page 14

The responsibility assignment (RACI) matrix/diagram

● R = Responsible
– Who does the work. Typically one person
● A = Accountable
– Who approves the work. Must be one person
● C = Consulted (Collaborating)
– Two-way communication
● I = Informed
– One-way communication

Page 15

Risk assessment

What to do with risks?

[Figure: the four steps Identify the risks → Analyse the risks → Evaluate the risks → Treat the risks, framed by "Concept and framework of risk assessment" on one side and "Monitoring and review of risk assessment" on the other]

Page 16

Risk management

Where is risk analysis?

Page 17

Risk definitions – vocabulary (from ISO 31000)

● Risk: effect of uncertainty on objectives

● Risk is often characterized by events and consequences and likelihood

● Risk assessment: overall process of risk identification, RA and risk evaluation

● Risk identification: process of finding, recognizing and describing risks

● Risk analysis: process to comprehend the nature of risk and to determine the level of risk

● Level of risk: magnitude of risk expressed in terms of combination of consequences and likelihood

Page 18

Risk definitions – vocabulary (from ISO 31000) (cont.)

● Risk criteria: terms of reference against which the significance of risk is evaluated

● Risk evaluation: process of comparing the results of risk analyses with risk criteria to determine whether the risk and/or its magnitude is acceptable/tolerable

● Risk treatment: process to modify risk
● Residual risk: risk remaining after risk treatment

Page 19

PDCA in risk management

P (Plan): Design of framework for managing risk
D (Do): Implementing risk management
C (Check): Monitoring and review of the framework
A (Act): Continual improvement of the framework

Page 20

P. Design of framework for managing risk

● P.1 Understanding of the organization and its context
● P.2 Establishing risk management policy
● P.3 Accountability
● P.4 Integration into organizational processes
● P.5 Resources
● P.6–7 Establishing (P.6) internal and (P.7) external communication and reporting mechanisms

Page 21

P.1 Understanding of the organization and its context

● External context
● Social, cultural, political, legal, regulatory, financial, technological, economic, natural, competitive environment
– National, regional, or local level

● Key drivers and trends having impact on the organization

● Relationships with external stakeholders

Page 22

P.1 Understanding of the organization and its context

● Internal context
● Governance, organizational structure, roles and accountabilities
● Policies, objectives, strategies
● Capabilities (capital, time, people, processes, systems, technologies)
● Information systems, information flows and decision making
● Relationship with internal stakeholders
● Organizational culture
● Standards and models adopted by the organization
● Contractual relationships

Page 23

P.2 Establishing the risk management policy (RMP)

● Organization's rationale for managing risk
● Link between organization's objectives and policies and RMP
● Accountabilities and responsibilities for managing risk
● How conflicting interests are dealt with
● Commitment to provide resources
● Risk management performance measures
● Commitment to review and improve RMP

Page 24

P.3 Accountability

● Identify risk owners that have accountability
● Identify who is accountable for the development, implementation and maintenance of the risk management framework
● Identify other responsibilities in the organization
● Establish performance measures for internal and/or external reporting
● Ensure appropriate levels of recognition

Page 25

P.4 Integration into organizational processes

● Risk management should be embedded into policy development, business and strategic planning and review
● Organization-wide risk management plan
● To ensure that risk management is embedded in all organizational practices and processes
● It can be integrated in the strategic plan

Page 26

P.5 Resources

● People, skills, experience and competence
● Resources needed for each step of the risk management process
● Processes, methods and tools needed for risk management
● Documented processes and procedures
● Information and knowledge management systems
● Training programs

Page 27

P.6 Establishing internal communication and reporting

● Key components (and modifications) of the framework must be communicated correctly
● Adequate internal reporting of effectiveness and outcomes
● Availability of information is provided
● Processes for consultation with internal stakeholders
● Consolidation of information from different sources and different sensitivities

Page 28

P.7 Establishing external communication and reporting

● Effective exchange of information with external stakeholders

● External reporting for (legal, regulatory and governance) compliance

● Feedback and reporting on communication and consultation

● Use communication to build confidence in the organization

● Communicate with stakeholders in case of crisis or contingency

Page 29

PDCA in risk management (revealed)

P (Plan): Design of framework for managing risk
D (Do): Implementing risk management
C (Check): Monitoring and review of the framework
A (Act): Continual improvement of the framework

Page 30

D. Implement risk management

● Define timing and strategy for implementing the framework

● Apply and implement risk management policy and process

● Comply with legal and regulatory requirements

● Ensure that decisions (incl. setting objectives) are based on the outcomes of risk management

● Hold information and training sessions

● Communicate and consult with stakeholders to ensure that the risk management framework is appropriate

Page 31

C. Monitoring and review of the framework

● Continuously measure risk management performance against expectations

● Periodically measure progress against risk management plan

● Periodically review the risk management framework (change of internal/external context)

● Report on risk, progress with risk management plan and how the risk management policy is followed

● Review the efficiency of the risk management framework

Page 32

A. Continual improvement of the framework

● Based on monitoring and reviews, decisions are made on how the risk management framework, policy and plan can be improved

Page 33

Implementing risk management: Risk assessment

Page 34

Remember

● Risk assessment = Risk identification + Risk analysis + Risk evaluation

[Figure: Risk assessment – Identify the risks → Analyse the risks → Evaluate the risks]

Page 35

Risk identification

● Aim: to generate a comprehensive list of risks based on those events that might affect the achievement of objectives

● Risk: 1) events, 2) their causes, 3) their consequences

● Collection of risks (events, causes and consequences)

● Comprehensive identification is critical, because a risk that is not identified here will not be included in next steps. All significant causes and consequences should be considered

● Cascade and cumulative effects are to be considered

● Should consider a wide range of consequences

● Relevant and up-to-date information (appropriate background information)

● People with appropriate knowledge should be involved

Page 36

The turtle of risk identification

● Inputs: relevant and up-to-date information (appropriate background information)

● Tools: anything producing the above inputs, or any other help

● Output: comprehensive list (inventory) of risks
● People: people with appropriate knowledge
● Methodology: to provide a comprehensive inventory (a more concrete methodology is to be described)

● Measure: e.g. the number of risks forgotten

Page 37

Risk analysis 1

● Aim: to understand risks, to make risks comparable
● Two outputs:
– Risk evaluation: should the risk be treated?
– Decision making: types and levels of risk related to different choices

● Consideration of causes and sources of risks, their consequences and likelihood

● Existing controls should be taken into account

● Interdependence between risks and their sources should be considered

● Confidence should be clearly stated (e.g. divergence of opinion among experts, uncertainty)

Page 38

Risk analysis 2

● Risk analysis can be 1) qualitative, 2) semi-quantitative, 3) quantitative, or a combination of these
● Risk is analyzed by determining consequences and their likelihood
● Verbal => numerical transformation
● Consequences can be expressed in terms of tangible and intangible impacts
● Likelihood can be determined by modelling, extrapolation, or from available data
● In some cases more than one numerical value is required
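A worked semi-quantitative analysis in the slides' own vocabulary, added here as an example and not part of the original deck: verbal ratings are transformed to numbers, consequence is taken over tangible and intangible impacts, the level of risk is the combination of consequence and likelihood, the level is compared against risk criteria (risk evaluation), and the residual risk after existing controls is computed. The 1..5 scales, the acceptable/tolerable thresholds, the control effects and the sample risk are constructed assumptions, not values from the slides.

```python
# Added example (not from the slides): semi-quantitative risk analysis and
# evaluation in ISO 31000 terms. Scales, thresholds, control effects and the
# sample risk are constructed assumptions, not values from the slides.
from dataclasses import dataclass, field
from typing import List, Tuple

# Verbal => numerical transformation (assumed 1..5 ordinal scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Risk criteria (assumed): the thresholds the risk evaluation step compares against.
ACCEPTABLE_MAX = 4   # level <= 4: accept as is
TOLERABLE_MAX = 12   # level <= 12: tolerate and monitor; above: must be treated

@dataclass
class Risk:
    event: str            # the scenario
    likelihood: str       # verbal likelihood rating
    tangible: str         # consequence for tangible things (money, assets, health)
    intangible: str       # consequence for intangible things (reputation, trust)
    # Existing controls: (name, likelihood steps removed, consequence steps removed)
    controls: List[Tuple[str, int, int]] = field(default_factory=list)

def consequence_score(risk: Risk) -> int:
    """More than one numerical value is needed; the worse impact drives the level."""
    return max(CONSEQUENCE[risk.tangible], CONSEQUENCE[risk.intangible])

def level_of_risk(risk: Risk) -> int:
    """Level of risk = combination of consequences and likelihood (product here)."""
    return LIKELIHOOD[risk.likelihood] * consequence_score(risk)

def residual_level(risk: Risk) -> int:
    """Residual risk: the level remaining once existing controls are taken into account."""
    lik, con = LIKELIHOOD[risk.likelihood], consequence_score(risk)
    for _name, d_lik, d_con in risk.controls:
        lik = max(1, lik - d_lik)   # a control can lower likelihood ...
        con = max(1, con - d_con)   # ... and/or consequence, never below the scale floor
    return lik * con

def evaluate(level: int) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    if level <= ACCEPTABLE_MAX:
        return "acceptable"
    if level <= TOLERABLE_MAX:
        return "tolerable"
    return "treat"

if __name__ == "__main__":
    # Constructed sample: the slides' financial example with one assumed control.
    r = Risk("closing positions with a lower balance", "likely", "major", "minor",
             controls=[("stop-loss orders", 1, 2)])
    print("inherent:", level_of_risk(r), evaluate(level_of_risk(r)))   # 16 treat
    print("residual:", residual_level(r), evaluate(residual_level(r)))  # 6 tolerable
```

Because the scales are ordinal, the product is only a ranking device for making risks comparable, which is exactly the "make risks comparable" aim on the previous slide; it is not a probability-weighted loss.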

Page 39

The turtle of risk analysis

● HOMEWORK