Risk Assessment

Transcript of Risk Assessment

Page 1: Risk Assessment

Risk Management

Lecture 2

All content “lives” in the form of thinking. Only those who can “think” through the content have it. All content “dies” when one tries to learn it without thinking it through. Only through thinking can learners “take possession” of content and make it theirs. Only to the extent that a learner asks genuine questions and seeks answers to them is a learner taking content seriously and thinking it through!

© Paul, R. & Elder, L.

Risks vs. concerns vs. problems

A risk is an event/uncertainty which causes a failure to execute the plan as expected. This requires that a plan be in place.

If you don’t yet have a plan, you have a concern: “I don’t know where we’re going to get developers”; “We need to bid $X to win, but the true cost is $XX”.

If a risk comes true, then you have a problem: “I didn’t get Dan, and he was key to the effort”.

Page 2: Risk Assessment

Pure vs speculative risk

Pure risk exists when there is uncertainty as to whether loss will occur. No possibility of gain is presented, only the potential for loss.

Speculative risk exists when there is uncertainty about an event that can produce either a profit or a loss.

Both pure and speculative risks may be present in some situations.

Subjective vs objective risk

Subjective risk refers to the mental state of an individual who experiences doubt or worry as to the outcome of a given event. It is essentially the psychological uncertainty that arises from an individual’s mental attitude or state of mind.

Objective risk differs from subjective risk in the sense that it is more precisely observable and therefore measurable. It is the probable variation of actual from expected experience.

Static vs dynamic risk

Static risk: a risk that arises from the normal course of business activities and does not involve changes in the environment or technology. Static risk can only result in a loss.

Dynamic risk: a risk that arises from the continuous change that exists in the business or economic environment or in technology. Dynamic risk can produce a gain (or savings) as well as a loss (or expenses).

Page 3: Risk Assessment

Types of risk – summary

Pure risk – loss only
Speculative risk – loss and gain possible
Dynamic risk – changes in environment or technology (loss or gain)
Static risk – no change in environment or technology (loss only)
Subjective risk – psychological uncertainty
Objective risk – observable and measurable (probable variation from expected experience)
Particular risk – exposure to loss from specific individual events
Fundamental risk – exposure to loss involving a large group of people from "generic" phenomena (earthquake, inflation, etc.)
Financial risk – probable loss inherent in financing methods
Non-financial risk – probable loss based on other than financial lending methods
Probability of loss – finance term, meaning the failure to achieve the expected result
Law of large numbers – a theorem stating that as the number of trials of a random process increases, the difference (as a percentage) between the expected and actual result decreases

Risk Management Ownership

Each organisation owns its risks. Each organisation has its own information security risks. Each organisation must characterise its risks, analyse its risks and manage its risks.

Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Key questions:

• What risks will the organization not accept? (e.g. environmental or quality compromises)

• What risks will the organization take on new initiatives? (e.g. new product lines)

• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

Source: COSO

Page 4: Risk Assessment

The Importance of knowing

When something goes wrong, IT must be able to answer:

“What is the problem and where did it originate?”

“Who is impacted in our business?”

“What action must we take to resolve the problem?”

“How can we prevent this in the future?”

Without answers to these questions, IT will be less trusted, less cost-effective, and unable to quantify or manage risk.

The Challenge in IT

Development, deployment and operation.

IT system risks

Technical – new IT system works technically
Organisational – workers will use it correctly
Business – benefits achieved are cost-justified

Page 5: Risk Assessment

Risk management

Coordinated activities to direct and control an organisation with regard to risk.

ISO/IEC 27000:2009

Should be a systematic and formal process. Generally includes:

Risk governance
Risk assessment
Risk treatment
Risk acceptance
Risk communication

Strategic IT security and risk management

Effective IT security strategy needs a holistic security-conscious environment in the entire organisation and commitment to:

Ensuring stakeholders’ confidence and trust
Maintaining the confidentiality of personal and financial information
Safeguarding sensitive business information from unauthorised disclosure

Risk management components

Risk assessment: risk identification, risk analysis, risk prioritisation
Risk treatment: risk reduction, emergency planning, implementation

Page 6: Risk Assessment

Effect of risk management

Managing risk effectively can have a positive impact on reputation and shareholder value…

~ PricewaterhouseCoopers' Global CEO Survey, January, 2005

Of more than 1,300 CEOs, 43 percent consider governance, risk management and compliance (GRC) a value driver and a source of competitive advantage; 56% believe that it has a positive effect on reputation and brand.

7 aspects of inadequate IT risk management

Piecemeal approach
Communication failure
Surprises and reactivity
Career damage
Evolving, moving subjects
Creeping goals
Consistent competitive underperformance

Governing risk

Setting the boundaries within which an organisation will operate: the high and low limits of risk, i.e. risk appetite and risk tolerance.

Page 7: Risk Assessment

Key risk governance activities…

DETERMINE RISK APPETITE
Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.

DETERMINE RISK TOLERANCE
The acceptable level of variation relative to achievement of a specific objective. The level of risk an organisation is prepared to be exposed to before it decides that action is necessary.

Source: COSO

Ensuring use of IT security and risk management strategy

Integrated approach to prevention, detection and management of attacks
Holistic approach to security planning
Necessary resources for a comprehensive security plan involving technology, strategy, people & culture, structure & systems and processes

Ensuring use of IT security and risk management strategy

Management commitment is paramount in the protection of IT resources. People, not technology, are often the weakness in IT security. An otherwise secure IT system will fail if those who use it do not follow the security strategy and plans.

Page 8: Risk Assessment

Risk Assessment

The process to:

Identify – threats, vulnerabilities
Analyse – existing controls, likelihood, impact
Evaluate – cost of exposure, cost of protection
Prioritise risks

NIST SP 800-30

Risk context

Establish:

objectives
type of assessment
boundaries – what is in, what is out
assessment validity and reliability
liability of assessor

Page 9: Risk Assessment

Risk identification

Threat

Potential cause of an unwanted incident, which may result in harm to a system or organisation.

ISO/IEC 27000:2009

The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

NIST SP 800-30

Vulnerability

Weakness of an asset or control that can be exploited by a threat.

ISO/IEC 27000:2009

A flaw or weakness in system security procedures, design, implementation, or internal controls.

NIST SP 800-30

Risk analysis

Existing controls – a countermeasure or safeguard to manage risk
Likelihood – probability of a risk eventuating
Impact – adverse change to the level of business objectives achieved

ISO/IEC 27000:2009

Fundamental Risk Model

“Jacobson’s Window” (Robert Jacobson, 1997)

[Figure: a 2×2 grid with Occurrences (Low to High) on the vertical axis and Consequences (Low to High) on the horizontal axis.]

Page 10: Risk Assessment

Two Inconsequential Risk Classes

[Figure: Jacobson’s window, Occurrences vs. Consequences. High occurrence with high consequences: “Doesn’t happen”. Low occurrence with low consequences: “Don’t Care”.]

Two Significant Risk Classes

[Figure: Jacobson’s window, Occurrences vs. Consequences. High occurrence, low consequences: power transient, minor software bug, keystroke error, …. Low occurrence, high consequences: major fire, long power outage, flooding, cash fraud, ….]

Example: Impact analysis

Web site normally runs 7 days/week, 24 hours/day, generating $2000/hr in revenue from customer orders. Annual value (revenue): $17,520,000.

Immediate financial impact of losing asset: unavailable for 6 hours.
Calculated exposure: .000685% per year.
Directly attributable losses: $12,000.

Page 11: Risk Assessment

Example: Impact analysis (cont’d)

Indirect business impact of losing asset: e.g. $10,000 on advertising to counteract negative publicity + loss of 0.1 of 1% of annual sales, or $17,520. Therefore, total indirect loss: $27,520.

Risk evaluation

Cost of exposure vs. cost of protection.

Risk assessment definitions

Exposure Factor: percentage of asset loss caused by identified threat

Single Loss Expectancy (SLE): Asset value x exposure factor

Annualised rate of occurrence (ARO): estimated frequency a threat will occur within a year

Annualised loss expectancy (ALE): SLE x ARO
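The impact-analysis figures from the web-site example and the SLE/ARO/ALE definitions above, carried through in Python as an added example that is not part of the lecture slides. The scenario defaults are the slide's figures; the annualised rate of occurrence (ARO) is not given on the slides, so it is passed in as an assumed value.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # the slide's site runs 7 days/week, 24 hours/day


@dataclass
class OutageScenario:
    """Inputs for the web-site outage example; defaults are the slide's figures."""
    revenue_per_hour: float = 2000.0       # $2000/hr from customer orders
    outage_hours: float = 6.0              # asset unavailable for 6 hours
    recovery_advertising: float = 10000.0  # $10000 to counteract negative publicity
    lost_sales_fraction: float = 0.001     # 0.1 of 1% of annual sales

def annual_value(s: OutageScenario) -> float:
    """Annual value (revenue) of the asset."""
    return s.revenue_per_hour * HOURS_PER_YEAR

def direct_loss(s: OutageScenario) -> float:
    """Directly attributable loss: revenue not earned while the site is down."""
    return s.revenue_per_hour * s.outage_hours

def exposure_factor(s: OutageScenario) -> float:
    """EF as the fraction of annual asset value lost by one outage (slide: .000685)."""
    return direct_loss(s) / annual_value(s)

def indirect_loss(s: OutageScenario) -> float:
    """Indirect impact: recovery advertising plus the lost share of annual sales."""
    return s.recovery_advertising + s.lost_sales_fraction * annual_value(s)

def single_loss_expectancy(s: OutageScenario) -> float:
    """SLE = asset value x exposure factor; by construction this equals the direct loss."""
    return annual_value(s) * exposure_factor(s)

def annualised_loss_expectancy(s: OutageScenario, aro: float,
                               include_indirect: bool = True) -> float:
    """ALE = SLE x ARO. The ARO (outages per year) is an assumed input, not on the
    slides; the indirect loss is added per event so the ALE reflects total impact."""
    per_event = single_loss_expectancy(s)
    if include_indirect:
        per_event += indirect_loss(s)
    return per_event * aro

if __name__ == "__main__":
    site = OutageScenario()
    print(f"annual value     ${annual_value(site):>12,.0f}")
    print(f"direct loss      ${direct_loss(site):>12,.0f}")
    print(f"exposure factor   {exposure_factor(site):.6f}")
    print(f"indirect loss    ${indirect_loss(site):>12,.0f}")
    print(f"ALE (2 outages)  ${annualised_loss_expectancy(site, aro=2):>12,.0f}")
```

Changing the scenario fields (a longer outage, a different hourly revenue) shows how the exposure factor and ALE move; the cost of protection can then be compared against the ALE it would remove.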

Page 12: Risk Assessment
Page 13: Risk Assessment


Business continuity management (BCM)

BCM is part of risk management and it:

Identifies those risks that have the potential to interrupt the normal course of business operations
Implements preventive controls to prevent occurrence of such risks
Develops corrective controls for coping should the preventive controls fail and the risk eventuates

Summary

The strategic risk management process involves:

Establishing the business context
Identifying, analysing and evaluating the risks the business faces
Designing and implementing preventive and corrective controls
Monitoring and reviewing the strategy to ensure its effectiveness and that it responds to changes