RISK MANAGEMENT .pdf

Full Transcript

Principles of Risk Management
Terminologies
Risk-Based Thinking Risk
Proactive - Effect on uncertainty
- Focuses on anticipating objectives
potential risks
Risk management
Holistic - Coordinated activities to
- Considers the entire direct and control an
organization & organization with regard
Interconnected system to risk

Opportunity-focused Stakeholder (interested parties)
- Looks into potential - Person / organization that
benefits in a risk/certain can affect, be affected by,
situation or perceive themselves by
a decision or activity
Decision Driven
- Helps to make a thorough Risk Source
decision - Element which alone or in
combination has the
KINDS OF ORGANIZATIONS potential to give rise to
risk (origin / cause)
1. External (Controlled)
2. Internal Factors (Limited Event
Control) - Occurrence or change of a
particular set of
Managing Risk circumstances
It is interactive (Repeatedly) and
assists organizations in setting Likelihood
strategy, objectives, and decision - Chance of something
making happening
Part of a governance &
leadership Control
Part of all activities associated - Measure that maintains &
within an organization and modifies risk
interaction with stakeholders
Principle, Framework, Process
 Principles
E. Dynamic
The purpose of Risk Management - Risk management
is the creation and protection of anticipates, detects,
value. acknowledges, and
responds to those changes
Improves performance, and events in an
encourages innovation, and appropriate and timely
supports the achievement of manner
objectives.
F. Best available information
A. Integrated - The inputs on risk
- Risk management is an management are history
integral part of all and past mistakes
organizational activities
G. Human & Control factors
B. Structured & Comprehensive - Human behavior and
- This contributes to culture significantly
consistent and influence all aspects of
comparable results risk management

C. Customized H. Continual Improvement
- The risk management - Risk management is
framework and process continually improved
are customized and through learning and
proportionate to the experience
organization’s external &
internal content related to
its objectives

D. Inclusive
- Appropriate & Timely
involvement of
stakeholders enables their
knowledge, views, and
perceptions to be
considered.
 Framework of Risk Management External context

The purpose is to assist the organization
in integrating risk management into
significant activities and functions.

Leadership and Commitment
Top management and oversight
bodies, where applicable, should
ensure that risk management is Internal context
integrated into all organizational
activities

Top Management
Accountable for managing risk

Oversight bodies
Accountable for overseeing risk
management

Articulating risk management
FRAMEWORK
commitment
- Top management &
1. Integrating risk management
oversight bodies should
- Relies on an understanding of
demonstrate and
organizational structures and
articulate their continual
context
commitment to risk
- Structures differ depending on
management through
purpose, goals, and complexity
policy, statement, forms

2. Design
Assigning organizational roles,
authorities, responsibilities, and
Understanding the organization
accountabilities
and its context
- Top management &
- The organization should
oversight bodies should
examine and understand
ensure that the
its external and internal
authorities,
context
responsibilities, and
 accountabilities are assigned to 4. Evaluation
organizations Periodically measure risk
management framework
Allocating resources performance against its purpose,
1. People, skills, experience, and implementation, plans,
competence indicators, and behavior
2. Organization’s processes,
methods, and tools to be used for 5. Improvement
managing risk
3. Documented processes and Adapting
procedures - Organization should
4. Information and knowledge continually monitor and
management systems adapter the risk
5. Professional development and management framework
training needs to address external &
internal changes
Establishing communication and
consultation Continually improving
- Organization should established - Organization should
an approved approach to continually improve the
communication and consultation suitability, adequacy, and
in order to support the effectiveness of the
framework and facilitate framework and the way
effective application of risk the process is integrated
management

3. Implementation

The organization should implement the
risk management framework by:
Developing an appropriate plan
How types of decisions are made
Across the organization & by who
Modifying the applicable decision
making processes
Ensure that organization
arrangements for managing risks
are understood and practiced
 Popular Risk Management OCTAVE (Operationally Critical
Frameworks Threat Analysis and Response)
- Collaborative approach
NST Risk Management that involves a team of
Framework (RMF) stakeholders from
- By the National Institute departments
of Standards and
Technology
- Used in the United States
government & private
sector

COSO Enterprise Risk
Management (ERM)
- Provides a structured
approach to managing
enterprise-wide risks

ISO 31000
- International standard
that offers framework for
risk management
- Applicable to
organizations of all sizes
and sectors

FAIR (Factor Analysis of
Information Risk)
- Quantitative risk
assessment methodology
that calculates the
financial impact of
information security risks
 Risk Management Process Defining risk criteria
- Specify the amount and type of
The risk management process should be risk that it may or may not take,
an integral part of management and relative to objectives
decision making and integrated into the - Define criteria to evaluate the
structure, operations and processes of significance of the risk and to
the organization. support decision making

Process 3. Risk Assessment
- It is the overall process of risk
1. Communication and identification, analysis, and
Consultation evaluation
- The purpose is to assist relevant - Should be conducted
stakeholders in understanding systematically, iteratively, and
risk, the basis on which decisions collaboratively, drawing on the
are made and the reasons why knowledge and news of
particular actions are needed. stakeholders

2. Scope, context, and criteria Risk Identification
- The purpose is to customize the - Purpose is to find, recognize,
risk management process, describe risks that might help or
enabling effective risk prevent an organization
assessment and appropriate risk achieving its objectives
treatment
Risk Analysis
Defining the scope - The purpose is to comprehend
- The organization should define the nature of risk and its
the scope of its risk management characteristics
activities. - Involves a detailed consideration
of uncertainties, sources etc.
External and internal context
- The external and internal context Risk Evaluation
is the environment in which the - The purpose is to support
organization seeks to define and decisions
achieve its objectives. - Comparing the results of the risk
analysis with the established risk
criteria to determine where
additional action is required
 and reported through
appropriate mechanisms
4. Risk Treatment
- Purpose is to select and Factors to consider for reporting, but
implement options for addressing are not limited to:
risk
1. Differing stakeholders, and their
Selection of risk treatment specific information needs and
options requirements
- Involves balancing potential 2. Cost, frequency, timeliness of
beliefs derived in relation to the reporting
achievement of the objectives 3. Method of reporting
against cost, effort, or 4. Relevance of information to
disadvantages of implementation organizational objectives and
decision making
Risk treatment options are not
necessarily mutually exclusive or
appropriate in all circumstances.

Preparing and implementing
risk treatment plans
- Purpose is to specify how the
chosen treatment options will be
implemented, so that
arrangements are understood by
those involved
- Clearly identify the order in which
risk treatment should be
implemented

5. Monitoring and Review
- The purpose is to assure and
improve the quality and
effectiveness of process design,
implementation and outcomes

6. Recording and Reporting
- The risk man processes and its
outcomes should be documented