Lecture 2
"All content lives in the form of thinking. Only those who can think through the content have it. All content dies when one tries to learn it without thinking it through. Only through thinking can learners take possession of content and make it theirs. Only to the extent that a learner asks genuine questions and seeks answers to them is a learner taking content seriously and thinking it through!"
Paul, R. & Elder, L.

If you don't yet have a plan, you have a concern:
"I don't know where we're going to get developers."
"We need to bid $X to win, but the true cost is $XX."
Speculative risk exists when there is uncertainty about an event that can produce either a profit or a loss. Both pure and speculative risks may be present in some situations.
Objective risk differs from subjective risk in that it is more precisely observable and therefore measurable: it is the probable variation of actual from expected experience.

Dynamic risk is a risk that arises from the continuous change that exists in the business or economic environment or in technology. Dynamic risk can produce a gain (or savings) as well as a loss (or expenses).
Each organisation must characterise its risks.
Each organisation must analyse its risks.
Each organisation must manage its risks.

Key questions: express risk in quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).
The challenge in IT: development, deployment, operation.

IT system risks:
- Technical: the new IT system works technically
- Organisational
- Business
Risk management
Coordinated activities to direct and control an organisation with regard to risk
ISO/IEC 27000:2009
Managing risk effectively can have a positive impact on reputation and shareholder value
Of more than 1,300 CEOs, 43 percent consider governance, risk management and compliance (GRC) a value driver and a source of competitive advantage; 56% believe that it has a positive effect on reputation and brand.
Source: PricewaterhouseCoopers' Global CEO Survey, January 2005
Governing risk
Setting the boundaries within which an organisation will operate: the high and low limits of risk, i.e. risk appetite and risk tolerance.
Risk Assessment
The process to:
- Identify: threats, vulnerabilities
- Analyse: existing controls, likelihood, impact
- Evaluate: cost of exposure vs. cost of protection
- Prioritise risks
Risk assessment process (NIST SP 800-30)
Risk context
Establish:
- objectives
- type of assessment
- boundaries: what is in, what is out
- validity and reliability of the assessment
- liability of the assessor
Risk identification

Threat
"Potential cause of an unwanted incident, which may result in harm to a system or organisation" (ISO/IEC 27000:2009)
"The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability" (NIST SP 800-30)

Vulnerability
"Weakness of an asset or control that can be exploited by a threat" (ISO/IEC 27000:2009)
"A flaw or weakness in system security procedures, design, implementation, or internal controls" (NIST SP 800-30)
Risk analysis

Existing controls: a countermeasure or safeguard to manage risk
Likelihood: probability of a risk eventuating
Impact: adverse change to the level of business objectives achieved
(ISO/IEC 27000:2009)
Risk matrix (Robert Jacobson, 1997): Consequences rated from Low to High on one axis against likelihood from Low to High on the other; the low-likelihood region is labelled "Doesn't happen" and the low-consequence region "Don't care".
Risk evaluation
Weigh the cost of exposure against the cost of protection.
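The identify / analyse / evaluate / prioritise steps above, the Jacobson matrix regions and the exposure-versus-protection comparison can be run end to end on a small risk register. The following is an added illustration and not code from the lecture or from NIST SP 800-30. Everything in it is an assumption for illustration: the 1 to 5 ordinal scales for likelihood and impact, the rule that likelihood 1 maps to "doesn't happen" and impact 1 to "don't care", and the expected-loss model (probability per year times loss per event) used to put a number on the cost of exposure, which the slides name but do not define. The register entries are constructed sample data.

```python
"""Worked risk-assessment example (added illustration, hypothetical throughout).

Assumptions:
  * likelihood and impact are ordinal scores 1..5
  * likelihood 1 -> "doesn't happen", impact 1 -> "don't care"
    (the two corners of the Jacobson matrix that need no further work)
  * cost of exposure = P(event per year) * loss per event
  * cost of protection = annual control cost + residual expected loss
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    threat: str                 # identified threat (ISO 27000 / NIST 800-30 sense)
    vulnerability: str          # weakness the threat would exploit
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    existing_controls: list = field(default_factory=list)

    def score(self) -> int:
        """Analyse: ordinal likelihood x impact, used only for ranking."""
        return self.likelihood * self.impact

    def region(self) -> str:
        """Triage into the Jacobson matrix: two regions are dropped outright."""
        if self.likelihood <= 1:
            return "doesn't happen"
        if self.impact <= 1:
            return "don't care"
        return "assess"


def prioritise(risks):
    """Prioritise: keep only risks that survive triage, highest score first;
    ties broken by likelihood so the more probable risk is handled earlier."""
    live = [r for r in risks if r.region() == "assess"]
    return sorted(live, key=lambda r: (r.score(), r.likelihood), reverse=True)


def evaluate_control(p_event_per_year, loss_per_event,
                     control_cost_per_year, residual_p_per_year):
    """Evaluate: compare cost of exposure (do nothing) with cost of protection
    (buy the control and carry the residual risk). Returns
    (exposure, protection, worthwhile)."""
    exposure = p_event_per_year * loss_per_event
    protection = control_cost_per_year + residual_p_per_year * loss_per_event
    return exposure, protection, protection < exposure


# Constructed sample register (hypothetical entries, not from the lecture).
REGISTER = [
    Risk("R1", "external attacker", "unpatched web application", 4, 4, ["WAF"]),
    Risk("R2", "flood", "server room in basement", 1, 5),
    Risk("R3", "staff error", "no validation on internal form", 3, 1),
    Risk("R4", "insider", "shared admin account", 3, 4),
    Risk("R5", "supplier failure", "single cloud provider", 2, 3),
]


def assess(register):
    """Run the whole process; return triage buckets plus the ranked list."""
    buckets = {"doesn't happen": [], "don't care": [], "assess": []}
    for r in register:
        buckets[r.region()].append(r.name)
    return buckets, [r.name for r in prioritise(register)]


if __name__ == "__main__":
    buckets, ranked = assess(REGISTER)
    print("triage:", buckets)
    print("priority order:", ranked)
    # Hypothetical figures for R1: 30% chance/year of a 200k loss; a control
    # costing 40k/year cuts the chance to 5%.
    print("R1 control:", evaluate_control(0.3, 200_000, 40_000, 0.05))
    # Hypothetical figures for R5: 10% chance/year of a 100k loss; a second
    # provider costs 20k/year and leaves 2%.
    print("R5 control:", evaluate_control(0.1, 100_000, 20_000, 0.02))
```

The ordinal product is only a ranking device; it says nothing about money, which is why the evaluation step switches to the expected-loss comparison before spending on a control. Note that the R5 control fails the test even though it reduces the risk substantially: protection that costs more than the exposure it removes is, on this model, not worth buying.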
Summary
The strategic risk management process involves:
- establishing the business context
- identifying, analysing and evaluating the risks the business faces
- designing and implementing preventive and corrective controls
- monitoring and reviewing the strategy to ensure its effectiveness and that it responds to changes