Risk Management 2


RISK Management
Introduction
•  Risk Management
•  Benefits of Risk Management
•  PDCA Cycle
•  Risk Framework Design

-  Process of Risk Management
•  Risk Criteria
•  Risk Identification
•  Risk Analysis
•  Risk Treatment


What is Risk
Threat: a potential cause of an incident that may result in harm to a system or organisation
Vulnerability: a weakness of an asset (resource) that can be exploited by one or more threats
Risk: potential for loss, damage, or destruction of an asset as a result of a threat exploiting a
vulnerability

RISK                     THREATS              VULNERABILITY
Financial Risk           Insider Threat       Software Bugs
Reputation Risk          Criminals            Broken Processes
Legal/Regulatory Risk    Government Threat    Ineffective controls
Operational Risk         Terrorists           Hardware Flaws
Compliance Risk          Competitors          Business Change
Asset Risk               Hacker               Legacy Systems
Client Risk              Nature               Inadequate BCP
Market Risk              Human Error

Risk = Threat X Vulnerability
Risk Management
"Process of identifying, controlling and minimising or eliminating security risks that
may affect information systems, for an acceptable cost." That is, the assessment of risk and
the implementation of procedures and practices designed to control the level of risk.
Risk assessment
- Risk identification: decision driver analysis, assumption analysis, decomposition
- Risk analysis: cost models, network analysis, decision analysis, quality factor analysis
- Risk prioritisation: risk leverage, component risk reduction
Risk control
- Risk management planning: risk avoidance, transfer, reduction, element planning, plan integration
- Risk resolution: simulations, benchmarks, analysis, staffing
- Risk monitoring: top risk tracking, Key Risk Indicators
Assessing risk and stakes
What is the business value of others having our information?
What is the business impact of information leaks?
What is the business impact of unavailability of information to legitimate users?
What are the other consequences of information leaks like reputational damage,
regulatory fines, etc.?
How likely is the risk to materialize?
How should we handle the risk (avoid, mitigate, transfer, accept)?
How should we treat accepted risk (ignore, budget, insure)?
Who owns the risk (governance, process, financial)?

Approach to information
What do we have?
What do we need to have?
What do we no longer need to have?
What value does it have to us?
How do we store and archive it?
Who owns and inherits it?
What can be purged?

Approach to information processing


Where and how do we process data?
Where and how do we store data?
How do we manage data?
How do we transmit data?
Types of Risks

People
- Internal Frauds
- Competency
- Work environment
- Motivation
- Turnover / Rotation
- Reputation Risk
- Conflict of interest
- No maker / checker
- Excessive privileges
- Lack of audit / oversight

Process
- No process
- Transaction Risk
- Operational Control Risk
- Poorly defined roles / responsibilities
- MIS Risk

Systems
- Outage
- System failure
- Data loss
- Access denied
- DOS Attacks
- Sub-optimal systems
- Non-availability of system support

External Events
- Vendors
- External Frauds
- Natural calamities
- Accidents
- Economic Factors
- Acts of war / terrorism
Obstacles  of  Risk  Management
•  Top Management Support
•  Internal Communication/buy-in
•  Fragmented risk systems/processes
•  Risk Measurement
•  Dispersed/global operations
•  Changing regulatory /legal requirements
•  3rd-party risks
•  Risk prioritization over time

Benefit  of  Risk  management
•  increase the likelihood of achieving objectives;
•  encourage proactive management;
•  be aware of the need to identify and treat risk throughout the organization;
•  improve the identification of opportunities and threats;
•  comply with relevant legal and regulatory requirements and international
norms;
•  improve mandatory and voluntary reporting;
•  improve governance;
•  improve stakeholder confidence and trust;
•  establish a reliable basis for decision making and planning;
•  improve controls;
•  effectively allocate and use resources for risk treatment;
•  improve operational effectiveness and efficiency;
•  enhance health and safety performance, as well as environmental
protection;
•  improve loss prevention and incident management;
•  minimize losses;
•  improve organizational learning; and
•  improve organizational resilience.

PDCA Cycle
(Plan, Do, Check, Act: the improvement loop the risk framework is run through.)
Risk Framework
"Set of components that provide the foundations and organizational
arrangements for designing, implementing, monitoring, reviewing
and continually improving risk management throughout the
organization.
NOTE 1 The foundations include the policy, objectives, mandate
and commitment to manage risk.
NOTE 2 The organizational arrangements include plans,
relationships, accountabilities, resources, processes and activities.
NOTE 3 The risk management framework is embedded within the
organization's overall strategic and operational policies and
practices."

(ISO 31000)
Components of the ERM Framework
1. Mandate and commitment to the framework (step 1)
   a. Agreement in principle to proceed
   b. Gap analysis
   c. Context for framework
   d. Design of framework
   e. Implementation plan
2. Risk management policy
   a. Policies for the framework, its processes and procedures
   b. Policies for risk management decisions:
      i.   Risk Appetite
      ii.  Risk Criteria
      iii. Internal Risk Reporting
3. Integration into the Organization
4. Risk Management Process
5. Communications and Reporting
6. Accountability
   a. Risk ownership and risk register
   b. Managers' performance evaluation
7. Monitoring, Review and Continuous improvement
   a. Responsibility for maintaining and improving the framework
   b. Risk Maturity and continuous improvement of the framework
Framework Continuous Improvement Cycle (diagram)

Commit and Mandate
• Policy Statement
• Standards
• Guidelines
• RM Plan and RM Process
• Assurance Plan

Framework Implementation: Communicate & Train
• Stakeholder analysis
• Training needs analysis
• Communication strategy
• Training strategy
• Roles and Reporting

Process for Managing Risk (centre of the diagram)
Establish context -> Risk assessment (Identify risks, Analyse risks, Evaluate risks) -> Treat risks,
with "Communicate and consult" and "Monitor and review" running alongside every step.

Review & Improve
• Control assurance
• RM Plan progress
• RM Maturity Evaluation
• RM KPIs
• Benchmarking
• Governance reporting

Structure & Accountability
• Board RM Committee
• Executive RM Group
• RM Working Group
• Facilitator for Risk Management
• RM Champions
• Risk and Control Owners

Management Information System
- Risk Registers
- Treatment Plans
- Assurance Plan
- Reporting templates

Process of Risk Management
Step 1. Communicate and consult

- Communication and consultation aims to identify who should be
involved in the assessment of risk (including identification, analysis
and evaluation), and it should engage those who will be involved in
the treatment, monitoring and review of risk.

- As such, communication and consultation will be reflected in
each step of the process described here.

- As an initial step, there are two main aspects that should be
identified in order to establish the requirements for the
remainder of the process. These are communication and consultation
aimed at:
A- Eliciting risk information
B- Managing stakeholder perceptions for the management of risk.
Step 2. Establish the context
Establishing the context is a five-step process that defines the
setting within which risk will be identified:
1- Establish the internal context
2- Establish the external context
3- Establish the risk management context
4- Develop risk criteria
5- Define the structure for risk analysis
1- Establish the internal context

- As previously discussed, risk is the chance of something
happening that will impact on objectives. As such, the objectives
and goals of a business, project or activity must first be identified
to ensure that all significant risks are understood.
- This ensures that risk decisions always support the broader goals
and objectives of the business. This approach encourages
long-term and strategic thinking.

•  In establishing the internal context, the business owner may
also ask the following questions:
- Is there an internal culture that needs to be considered? For
example, are staff resistant to change? Is there a professional
culture that might create unnecessary risks for the business?
- What staff groups are present?
- What capabilities does the business have in terms of people,
systems, processes, equipment and other resources?
2. Establish the external context

•  This step defines the overall environment in which a business
operates and includes an understanding of the clients' or
customers' perceptions of the business. An analysis of these
factors will identify the strengths, weaknesses, opportunities and
threats to the business in the external environment.

•  A business owner may ask the following questions when
determining the external context:
• What regulations and legislation must the business comply with?
• Are there any other requirements the business needs to comply with?
• What is the market within which the business operates? Who are
the competitors?
• Are there any social, cultural or political issues that need to
be considered?
•  Tips for establishing internal and external contexts
- Determine the significance of the activity in achieving the
organization's goals and objectives
- Define the operating environment
- Identify internal and external stakeholders and determine
their involvement in the risk management process.
3. Establish the risk management context

- Before beginning a risk identification exercise, it is important
to define the limits, objectives and scope of the activity or
issue under examination.
- For example, in conducting a risk analysis for a new project,
such as the introduction of a new piece of equipment or a new
product line, it is important to clearly identify the parameters
for this activity to ensure that all significant risks are identified.

•  Tips for establishing the risk management context
• Define the objectives of the activity, task or function
• Identify any legislation, regulations, policies, standards and
operating procedures that need to be complied with
• Decide on the depth of analysis required and allocate
resources accordingly
• Decide what the output of the process will be, e.g. a risk
assessment, job safety analysis or a board presentation. The
output will determine the most appropriate structure and
type of documentation.
4. Develop risk criteria

Risk criteria allow a business to clearly define unacceptable
levels of risk. Conversely, risk criteria may include the
acceptable level of risk for a specific activity or event. In this
step the risk criteria may be broadly defined and then further
refined later in the risk management process.

•  Tips for developing risk criteria
• Decide or define the acceptable level of risk for each activity
• Determine what is unacceptable
• Clearly identify who is responsible for accepting risk, and at
what level.
5. Define the structure for risk analysis

Isolate the categories of risk that you want to manage. This will
provide greater depth and accuracy in identifying significant risks.
The chosen structure for risk analysis will depend upon the type of
activity or issue, its complexity and the context of the risks.
Step 3. Identify the risks

Risk cannot be managed unless it is first identified. Once the
context of the business has been defined, the next step is to use
that information to identify as many risks as possible.

•  The aim of risk identification is to identify possible risks that
may affect, either negatively or positively, the objectives of
the business and the activity under analysis. Answering the
following questions identifies the risk:
•  There are two main ways to identify risk:
1- Identifying retrospective risks

Retrospective risks are those that have previously occurred,
such as incidents or accidents. Retrospective risk identification
is often the most common way to identify risk, and the easiest.
It is easier to believe something if it has happened before. It is
also easier to quantify its impact and to see the damage it has
caused.

•  There are many sources of information about retrospective
risk. These include:
• Hazard or incident logs or registers
• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as journals or websites.
2- Identifying prospective risks

Prospective risks are often harder to identify. These are things
that have not yet happened, but might happen some time in the
future.

Identification should include all risks, whether or not they are
currently being managed. The rationale here is to record all
significant risks and to monitor or review the effectiveness of
their controls.

•  Methods for identifying prospective risks include:
• Brainstorming with staff or external stakeholders
• Researching the economic, political, legislative and operating
environment
• Conducting interviews with relevant people and/or organizations
• Undertaking surveys of staff or clients to identify anticipated
issues or problems
• Flow charting a process
• Reviewing system design or applying system analysis techniques.
Tips for effective risk identification

- Select a risk identification methodology appropriate to the
type of risk and the nature of the activity
- Involve the right people in risk identification activities
- Take a life cycle approach to risk identification and
determine how risks change and evolve throughout this cycle.
Step 4. Analyze the risks
During the risk identification step, a business owner may have
identified many risks, and it is often not possible to address all
of those identified. The risk analysis step will assist in
determining which risks have a greater consequence or impact
than others.

•  What is risk analysis?

Risk analysis involves combining the possible consequences, or
impact, of an event with the likelihood of that event occurring.
The result is a 'level of risk'. That is:

Risk = consequence x likelihood
•  Elements of risk analysis
The elements of risk analysis are as follows:

1. Identify existing strategies and controls that act to minimize
negative risk and enhance opportunities.
2. Determine the consequences of an event (these may be negative
impacts or positive opportunities).
3. Determine the likelihood of a negative consequence or an
opportunity.
4. Estimate the level of risk by combining consequence and
likelihood.
5. Consider and identify any uncertainties in the estimates.
•  Types of analysis
Three categories or types of analysis can be used to determine the
level of risk:
• Qualitative
• Semi-quantitative
• Quantitative.

- The most common type of risk analysis is the qualitative method.
The type of analysis chosen will be based upon the area of risk
being analyzed.
•  Tips for effective risk analysis

• Risk analysis is usually done in the context of existing controls:
take the time to identify them
• The risk analysis methodology selected should, where possible,
be commensurate with the significance and complexity of the risk
being analyzed, i.e. the higher the potential consequence, the
more rigorous the methodology
• Risk analysis tools are designed to help rank or prioritise risks.
To do this they must be designed for the specific context and the
risk dimension under analysis.
Step 5. Evaluate the risks
Risk evaluation involves comparing the level of risk found during
the analysis process with the previously established risk criteria,
and deciding whether these risks require treatment.
The result of a risk evaluation is a prioritized list of risks that
require further action.
This step is about deciding whether risks are acceptable or need
treatment.
•  Risk acceptance
A risk may be accepted for the following reasons:

• The cost of treatment far exceeds the benefit, so that
acceptance is the only option (applies particularly to lower
ranked risks)
• The level of the risk is so low that specific treatment is not
appropriate with the available resources
• The opportunities presented outweigh the threats to such a
degree that the risk is justified
• The risk is such that there is no treatment available, for
example the risk that the business may suffer storm damage.
Step 6. Treat the risks

Risk treatment is about considering options for treating risks that
were not considered acceptable or tolerable at Step 5.

Risk treatment involves identifying options for treating or
controlling risk, in order to either reduce or eliminate negative
consequences, or to reduce the likelihood of an adverse
occurrence. Risk treatment should also aim to enhance positive
outcomes.
•  Options for risk treatment:

The following options may assist in the minimization of negative
risk or an increase in the impact of positive risk:
1- Avoid the risk
2- Change the likelihood of the occurrence
3- Change the consequences
4- Share the risk
5- Retain the risk
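The analysis formula from Step 4 (Risk = consequence x likelihood), the comparison against risk criteria in Step 5 and the retain-or-treat decision of Step 6, worked through as a small semi-quantitative risk register. This is an added example, not code from the original slides or from any standard: the 1..5 scales, the criteria bands, the accepting authorities, the appetite threshold and the four register entries are all constructed for illustration.

```python
"""Semi-quantitative risk analysis and evaluation for a small risk register.

Added example. Scales, criteria bands, appetite threshold and register entries
are constructed for illustration and are not taken from any standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal 1..5 scales (descriptors are assumptions for this example; an
# organisation defines its own as part of its risk criteria, Step 2.4).
LIKELIHOOD: Dict[int, str] = {1: "rare", 2: "unlikely", 3: "possible",
                              4: "likely", 5: "almost certain"}
CONSEQUENCE: Dict[int, str] = {1: "insignificant", 2: "minor", 3: "moderate",
                               4: "major", 5: "severe"}

# Risk criteria: inclusive score bands (1..25) with a rating name and the
# level of management that may accept a risk at that rating.
CRITERIA: List[Tuple[int, int, str, str]] = [
    (1, 4, "low", "risk owner"),
    (5, 9, "medium", "line manager"),
    (10, 15, "high", "executive RM group"),
    (16, 25, "extreme", "board RM committee"),
]
ACCEPTABLE_MAX = 4  # appetite: residual scores at or below this are retained


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int                  # inherent (before controls), 1..5
    consequence: int                 # inherent, 1..5
    owner: str
    controls: List[str] = field(default_factory=list)
    # Modelled effect of the existing controls: points removed from each scale.
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def level_of_risk(likelihood: int, consequence: int) -> int:
    """Risk = consequence x likelihood on the 1..5 scales (result 1..25)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be on the 1..5 scales")
    return likelihood * consequence


def band(score: int) -> Tuple[str, str]:
    """Return (rating, accepting authority) for a level of risk."""
    for lo, hi, name, who in CRITERIA:
        if lo <= score <= hi:
            return name, who
    raise ValueError(f"score {score} is outside the criteria bands")


def residual_scores(risk: Risk) -> Tuple[int, int]:
    """Likelihood and consequence after existing controls (Step 4, element 1)."""
    def clamp(v: int) -> int:
        return max(1, min(5, v))
    return (clamp(risk.likelihood - risk.likelihood_reduction),
            clamp(risk.consequence - risk.consequence_reduction))


def evaluate(register: List[Risk], acceptable_max: int = ACCEPTABLE_MAX) -> List[dict]:
    """Step 5: score each risk, compare with the criteria, prioritise.

    'retain' = residual level within appetite; 'treat' = a Step 6 option
    (avoid, change likelihood, change consequence, share) is needed before
    the accepting authority can sign the risk off.
    """
    rows = []
    for r in register:
        inherent = level_of_risk(r.likelihood, r.consequence)
        lk, cq = residual_scores(r)
        resid = level_of_risk(lk, cq)
        name, who = band(resid)
        rows.append({"ref": r.ref, "inherent": inherent, "residual": resid,
                     "rating": name, "accepted_by": who, "owner": r.owner,
                     "decision": "retain" if resid <= acceptable_max else "treat"})
    # Highest residual first; ties broken by inherent score so the more weakly
    # controlled risk is listed ahead of a strongly controlled one.
    rows.sort(key=lambda x: (x["residual"], x["inherent"]), reverse=True)
    return rows


def treatment_closes_gap(likelihood_after: int, consequence_after: int,
                         acceptable_max: int = ACCEPTABLE_MAX) -> bool:
    """Step 6 check: would the proposed treatment bring the risk within appetite?"""
    return level_of_risk(likelihood_after, consequence_after) <= acceptable_max


# Constructed sample register, drawn from the threat/vulnerability examples in
# the deck (legacy systems, excessive privileges, maker/checker, storm damage).
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched legacy internet-facing server is exploited",
         likelihood=4, consequence=4, owner="IT Ops",
         controls=["perimeter firewall"], likelihood_reduction=1),
    Risk("R2", "Insider with excessive privileges alters payment records",
         likelihood=3, consequence=5, owner="Finance",
         controls=["maker/checker on payments", "quarterly access review"],
         likelihood_reduction=2),
    Risk("R3", "Stolen laptop exposes customer data",
         likelihood=3, consequence=3, owner="Security",
         controls=["full-disk encryption"], consequence_reduction=2),
    Risk("R4", "Storm damage to the office (no treatment available)",
         likelihood=2, consequence=2, owner="Facilities"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['ref']}: inherent {row['inherent']:>2}, residual "
              f"{row['residual']:>2} ({row['rating']}) -> {row['decision']}, "
              f"accepted by {row['accepted_by']}")
```

Two caveats a practitioner should keep in mind when using a matrix like this. Multiplying ordinal scores is a convention of semi-quantitative analysis, not a measurement: a 5x1 and a 1x5 risk land on the same score but are very different risks, so the band and the accepting authority carry the meaning, not the number. And the control reductions modelled here only count if the control is actually verified to work (the "control assurance" box in the framework diagram); an unverified control should contribute nothing to the residual score.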
•  Tips for implementing risk treatments

• The key to managing risk is implementing effective treatment
options
• When implementing the risk treatment plan, ensure that adequate
resources are available, and define a timeframe, responsibilities
and a method for monitoring progress against the plan
• Physically check that the treatment implemented reduces the
residual risk level
• In order of priority, undertake remedial measures to reduce the risk.
Step 7. Monitor and review
Monitor and review is an essential and integral step in the risk
management process.
A business owner must monitor risks and review the effectiveness of
the treatment plan, strategies and management system that have
been set up to manage risk.

Risks need to be monitored periodically to ensure that changing
circumstances do not alter the risk priorities. Very few risks
will remain static; therefore the risk management process needs
to be regularly repeated, so that new risks are captured in the
process and effectively managed.
A risk management plan at a business level should be reviewed at
least annually. An effective way to ensure that this occurs is to
combine risk planning or risk review with annual business planning.
Summary of risk management steps
1. Communicate and consult
2. Establish the context
3. Identify the risks
4. Analyze the risks
5. Evaluate the risks
6. Treat the risks
7. Monitor and review

Thank You