
Risk Management

Lecture 2


"All content lives in the form of thinking. Only those who can think through the content have it. All content dies when one tries to learn it without thinking it through. Only through thinking can learners take possession of content and make it theirs. Only to the extent that a learner asks genuine questions and seeks answers to them is a learner taking content seriously and thinking it through!"
Paul, R. & Elder, L.

Risks vs. concerns vs. problems


A risk is an event or uncertainty which causes a failure to execute the plan as expected.
This requires that a plan be in place.

If you don't yet have a plan, you have a concern.
"I don't know where we're going to get developers."
"We need to bid $X to win, but the true cost is $XX."

If a risk comes true, then you have a problem.
"I didn't get Dan, and he was key to the effort."

Pure vs speculative risk


Pure risk exists when there is uncertainty as to whether loss will occur.
No possibility of gain is presented, only the potential for loss.

Speculative risk exists when there is uncertainty about an event that can produce either a profit or a loss.
Both pure and speculative risks may be present in some situations.

Subjective vs Objective Risk


Subjective risk refers to the mental state of an individual who experiences doubt or worry as to the outcome of a given event.
It is essentially the psychological uncertainty that arises from an individual's mental attitude or state of mind.

Objective risk differs from subjective risk in the sense that it is more precisely observable and therefore measurable.
It is the probable variation of actual from expected experience.

Static vs dynamic risk


Static risk: a risk that arises from the normal course of business activities and does not involve changes in the environment or technology.
Static risk can only result in a loss.

Dynamic risk: a risk that arises from the continuous change that exists in the business or economic environment or in technology.
Dynamic risk can produce a gain (or savings) as well as a loss (or expenses).

Types of risk summary


Pure risk: loss only
Speculative risk: loss and gain possible
Dynamic risk: changes in environment or technology (loss or gain)
Static risk: no change in environment or technology (loss only)
Subjective risk: psychological uncertainty
Objective risk: observable and measurable (probable variation from expected experience)
Particular risk: exposure to loss from specific individual events
Fundamental risk: exposure to loss involving a large group of people from "generic" phenomena (earthquake, inflation, etc.)
Financial risk: probable loss inherent in financing methods
Non-financial risk: probable loss based on other than financial lending methods
Probability of loss: finance term, meaning the failure to achieve the expected result
Law of large numbers: a theorem stating that as the number of trials of a random process increases, the difference (as a percentage) between the expected and actual result decreases

Risk Management Ownership


Each organisation owns its risks.
Each organisation has its own information security risks.

Each organisation must characterise its risks.
Each organisation must analyse its risks.
Each organisation must manage its risks.

Key questions:
What risks will the organization not accept? (e.g. environmental or quality compromises)
What risks will the organization take on new initiatives? (e.g. new product lines)
What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
Source: COSO

The Importance of knowing


When something goes wrong, IT must be able to answer:
What is the problem and where did it originate?
Who is impacted in our business?
What action must we take to resolve the problem?
How can we prevent this in the future?
Without answers to these questions IT will be less trusted, less cost-effective, and unable to quantify or manage risk.

The Challenge in IT
Development
Deployment
Operation

IT system risks
Technical: the new IT system works technically
Organisational: workers will use it correctly
Business: the benefits achieved are cost-justified

Risk management
Coordinated activities to direct and control an organisation with regard to risk
ISO/IEC 27000:2009

Should be a systematic and formal process. Generally includes:
Risk governance
Risk assessment
Risk treatment
Risk acceptance
Risk communication

Strategic IT security and risk management


Effective IT security strategy needs a holistic, security-conscious environment in the entire organisation and commitment to:
Ensuring stakeholders' confidence and trust
Maintaining the confidentiality of personal and financial information
Safeguarding sensitive business information from unauthorised disclosure

Risk management components

[Diagram: risk management broken down into its components]
Risk management
Risk assessment: risk identification, risk analysis, risk prioritisation
Risk treatment: risk reduction, emergency planning, implementation

Effect of risk management

Managing risk effectively can have a positive impact on reputation and shareholder value

Of more than 1,300 CEOs, 43 percent consider governance, risk management and compliance (GRC) a value driver and a source of competitive advantage; 56% believe that it has a positive effect on reputation and brand.
~ PricewaterhouseCoopers' Global CEO Survey, January, 2005


7 aspects of inadequate IT risk management


Piecemeal approach
Communication failure
Surprises and reactivity
Career damage
Evolving, moving subjects
Creeping goals
Consistent competitive underperformance

Governing risk
Setting the boundaries within which an organisation will operate.
High and low limits of risk: risk appetite and risk tolerance.

Key risk governance activities


DETERMINE RISK APPETITE
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
DETERMINE RISK TOLERANCE
The acceptable level of variation relative to achievement of a specific objective.
The level of risk an organisation is prepared to be exposed to before it decides that action is necessary.
Source: COSO

Ensuring use of IT security and risk management strategy


Integrated approach to prevention, detection and management of attacks
Holistic approach to security planning
Necessary resources for a comprehensive security plan involving technology, strategy, people & culture, structure & systems, and processes

Ensuring use of IT security and risk management strategy


Management commitment is paramount in the protection of IT resources.
People, not technology, are often the weakness in IT security.
An otherwise secure IT system will fail if those who use it do not follow the security strategy and plans.

Risk Assessment
The process to:
Identify: threats, vulnerabilities
Analyse: existing controls, likelihood, impact
Evaluate: cost of exposure, cost of protection
Prioritise risks

Risk Assessment
[Figure: risk assessment process, from NIST SP 800-30]

Risk context
Establish:
objectives
type of assessment
boundaries: what is in, what is out
assessment validity and reliability
liability of assessor

Risk identification
Threat
Potential cause of an unwanted incident, which may result in harm to a system or organisation
ISO/IEC 27000:2009

The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
NIST SP 800-30

Vulnerability
Weakness of an asset or control that can be exploited by a threat
ISO/IEC 27000:2009

A flaw or weakness in system security procedures, design, implementation, or internal controls
NIST SP 800-30

Risk analysis
Existing controls
A countermeasure or safeguard to manage risk

Likelihood
Probability of a risk eventuating

Impact
Adverse change to the level of business objectives achieved
ISO/IEC 27000:2009


Fundamental Risk Model

Jacobson's Window (Robert Jacobson, 1997)
[Figure: a 2x2 grid plotting Occurrences (Low, High) against Consequences (Low, High)]

Two Inconsequential Risk Classes
[Figure: the same grid with two cells labelled]
"Don't care": low occurrences, low consequences
"Doesn't happen": high occurrences, high consequences

Two Significant Risk Classes
High occurrences, low consequences: power transient, minor software bug, keystroke error, ...
Low occurrences, high consequences: major fire, long power outage, flooding, cash fraud, ...
Example: Impact analysis

Web site normally runs 7 days/week, 24 hours/day, generating $2000/hr in revenue from customer orders.
Annual value (revenue): $17,520,000
Immediate financial impact of losing asset: unavailable for 6 hours
Calculated exposure: .000685% per year (6 hours out of 8,760)
Directly attributable losses: $12,000

Example: Impact analysis (cont'd)

Indirect business impact of losing asset:
e.g. $10,000 on advertising to counteract negative publicity
+ loss of 0.1 of 1% of annual sales, or $17,520
Therefore, total indirect loss: $27,520

Risk evaluation
Cost of exposure vs. cost of protection

Risk assessment definitions


Exposure Factor (EF): percentage of asset loss caused by the identified threat
Single Loss Expectancy (SLE): asset value x exposure factor
Annualised Rate of Occurrence (ARO): estimated frequency with which a threat will occur within a year
Annualised Loss Expectancy (ALE): SLE x ARO
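The impact-analysis example and the SLE/ARO/ALE definitions above, worked through in code. This is an added example, not part of the lecture: the web-site figures ($2000/hr, 6 hours down, $10,000 advertising, 0.1% of annual sales) are the slide's; the control cost and the ARO values used to compare cost of exposure with cost of protection are constructed assumptions. Note that 6 hours out of 8,760 is 0.000685 as a fraction (0.0685%), which is how the code carries the exposure.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # the 7 days/week, 24 hours/day profile on the slide


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor; the exposure factor is a fraction 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is the estimated number of occurrences per year."""
    return sle * aro


@dataclass
class OutageImpact:
    annual_revenue: float      # asset value: a year's revenue from the site
    exposure_fraction: float   # share of the year lost (the slide's "exposure")
    direct_loss: float         # revenue lost while the site is down
    indirect_loss: float       # publicity spend plus lost future sales

    @property
    def total_loss(self) -> float:
        return self.direct_loss + self.indirect_loss


def web_outage_impact(revenue_per_hour: float, hours_down: float,
                      advertising_cost: float, lost_sales_share: float) -> OutageImpact:
    """Impact analysis for the lecture's web-site outage, generalised to any inputs."""
    annual_revenue = revenue_per_hour * HOURS_PER_YEAR
    return OutageImpact(
        annual_revenue=annual_revenue,
        exposure_fraction=hours_down / HOURS_PER_YEAR,
        direct_loss=revenue_per_hour * hours_down,
        indirect_loss=advertising_cost + lost_sales_share * annual_revenue,
    )


def control_net_benefit(sle: float, aro_without: float, aro_with: float,
                        annual_control_cost: float) -> float:
    """Risk evaluation: ALE reduction bought by a control (cost of exposure avoided)
    minus the control's annual cost (cost of protection). Positive means it pays off."""
    saved = annualised_loss_expectancy(sle, aro_without) - annualised_loss_expectancy(sle, aro_with)
    return saved - annual_control_cost


if __name__ == "__main__":
    impact = web_outage_impact(2000, 6, 10_000, 0.001)  # the slide's figures
    print(f"direct ${impact.direct_loss:,.0f}, indirect ${impact.indirect_loss:,.0f}")
```

Calling `control_net_benefit(impact.total_loss, 2.0, 0.5, 40_000)` with the constructed assumption of two such outages a year today and one every two years after a $40,000/year control gives a positive net benefit, so the protection costs less than the exposure it removes.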

Business continuity management (BCM)


BCM is part of risk management and it:
Identifies those risks that have the potential to interrupt the normal course of business operations
Implements preventive controls to prevent occurrence of such risks
Develops corrective controls for coping should the preventive controls fail and the risk eventuate

Summary
The strategic risk management process involves:
Establishing the business context
Identifying, analysing and evaluating the risks the business faces
Designing and implementing preventive and corrective controls
Monitoring and reviewing the strategy to ensure its effectiveness and that it responds to changes