
RISK MANAGEMENT

Mas.jamal@gmail.com
www.icdp.biz

Risk Management

• RISK
• RISK MANAGEMENT
• RISK ASSESSMENT

Risk {what}

• Definition:
  Risk is the negative impact of the exercise of a vulnerability, in the context of the probability and the impact of its occurrence.

Risk {why}

[Figure labels: Opportunity, Risk, Challenge; accelerator (gas) and brake]

Risk vs. Uncertainty

Risk
• When making decisions under conditions of risk, you know the probability of the risk event you are examining.

Uncertainty
• When making decisions under conditions of uncertainty, you do not.

[Figure: spectrum with the labels Perfect Information, Risk, Ignorance, Total Uncertainty]

Classifying Risk

• Pure (or insurable) risk
• Business risk
• Project risk
• Operational risk
• Technical risk
• Political risk

Source: external and internal

Business risk

Components of business risk shown in the diagram:
• Market risk
• Financial risk
• Regulatory risk
• Project risk
• Operational risk

Sources of Operational risk

• Lack of well established procedures
• Poorly trained workforce
• Incompetence
• Inattention
• Poorly maintained or obsolete equipment and software

Identifying risk

• Checklists
• Brainstorming sessions
• Issues logs
• Behavioral models
• Diagramming techniques (fishbone & Process environment / PE)
• Flowcharting project & process models
• Regular meetings
GLOBAL RISK

GLOBAL RISK 2014

Three Risks in Focus


• Instabilities in an increasingly multipolar world
• Generation Lost
• Digital disintegration
31 types of risk in 5 categories; the 10 most important
1A. GLOBAL RISKS 2014
(numbers in parentheses mark the ten most important risks)

Economic
• (1) Fiscal crises in key economies
• (9) Failure of a major financial mechanism or institution
• Liquidity crises
• (2) Structurally high unemployment/underemployment
• Oil-price shock to the global economy
• Failure/shortfall of critical infrastructure
• Decline of importance of the US dollar as a major currency

Environmental
• (6) Greater incidence of extreme weather events (e.g. floods, storms, fires)
• Greater incidence of natural catastrophes (e.g. earthquakes, tsunamis, volcanic eruptions)
• Greater incidence of man-made environmental catastrophes (e.g. oil spills, nuclear accidents)
• Major biodiversity loss and ecosystem collapse (land and ocean)
• (3) Water crises
• (5) Failure of climate change mitigation and adaptation

Geopolitical
• (7) Global governance failure
• Political collapse of a nation of geopolitical importance
• Increasing corruption
• Major escalation in organized crime and illicit trade
• Large scale terrorist attacks
• Deployment of weapons of mass destruction
• Violent inter-state conflict with regional consequences
• Escalation of economic and resource nationalization

Social
• (8) Food crises
• Pandemic outbreak
• Unmanageable burden of chronic disease
• (4) Severe income disparity
• Antibiotic-resistant bacteria
• Mismanaged urbanization (e.g. planning failures, inadequate infrastructure and supply chains)
• (10) Profound political and social instability

Technological
• Breakdown of critical information infrastructure and networks
• Escalation in large-scale cyber attacks
• Massive incident of data fraud/theft
Risk Magnitude
1A. GLOBAL RISKS 2014
[Figure; legend: Economic, Environmental, Geopolitical, Social, Technological]

Interconnection Map
1A. GLOBAL RISKS 2014
[Figure; legend: Economic, Environmental, Geopolitical, Social, Technological]
1B. GLOBAL ECONOMIC CONDITIONS
Shifting Wealth and The New World Economy

SW I:
encompassed the initial opening of China and India to world markets, which really became felt from the 1990s, a "one-off" event that integrated 2 billion people, or 40% of the global labour force, into the global market economy, with openness and manufacturing base created international trade, production and investment networks, especially with Asia, while its commodity-intensive growth created a "China-commodities complex", especially with Africa, Latin America and some OECD commodity exporters.

SW II:
refers to a long term process of sustained and higher growth in heavily populated emerging economies if they keep accumulating skills, capital and modern technology, build a middle-income class, switch (in the case of China in particular) from investment-led growth toward more consumption and export increasingly sophisticated goods and services.

Lecture 2

RISK MANAGEMENT FRAMEWORK



RISK ASSESSMENT PROCESS



STEP 1 : IDENTIFY THREAT SOURCES


| Natural Threats | Technical Threats | Human Threats |
|---|---|---|
| Fire | Power failure | Riots, civil unrest |
| Earthquake | Server malfunction | Bomb attack |
| Flood | DNS failure | Computer crime |
| Typhoon | Software damage | Abuse of authority |
| Tsunami | Telecommunications failure | Human error |
| Volcanic eruption | Software defects | Illegal / malicious code |
| Epidemic / bird flu | Gas leak | Network eavesdropping |
| Landslide | Radiation contamination | DoS attack |

STEP 2 : IDENTIFY THREAT EVENTS

| Threat Source | Threat Event |
|---|---|
| Hacker | Unauthorized e-Commerce website access |
| Flood | Power failure |
| Flood | Telecommunications failure |

STEP 3 : IDENTIFY CONSEQUENCES

| Threat Source | Threat Event | Critical Asset | Consequence |
|---|---|---|---|
| Hacker | Unauthorized e-Commerce website access | Clients' personal information | Unauthorized access to personal information |
| Flood | Power Outage | Computer Center | Computer systems shutdown |
| Flood | Unsafe driving conditions | Staff | Shortage of staff |

STEP 4 : ASSESS SINGLE LOSS (or IMPACT) EXPECTANCIES

OUTPUT :
- THREAT CONSEQUENCES,
- SINGLE LOSS EXPECTANCY (SLE) values or SINGLE IMPACT EXPECTANCY (SIE) values

STEP 5 : ASSESS LIKELIHOODS

OUTPUT :
- LIST OF ANNUALIZED RATE OF THREAT OCCURRENCE (ART)

STEP 6 : DERIVE RISK VALUES


ALE = Single Loss Expectancy (SLE) * Annualized Rate of Threat Occurrence (ART)
where
Single Loss Expectancy (SLE) = Asset Loss Potential Value (ALPV) * Exposure Factor (EF)

Result of Step 6 (ALE and its components SLE and ART):

| Threat Source | Threat Event | Consequence | Risk Value: ALE | SLE | ART |
|---|---|---|---|---|---|
| Flood | Power Outage | Computer System Shutdown | $625,000 ($2.5M x ¼) | $2.5M | ¼ |

AIE = Single Impact Exposure (SIE) * Annualized Rate of Threat Occurrence (ART)

Result of Step 6 (AIE and its components SIE and ART):

| Threat Source | Threat Event | Consequence | Risk Value: AIE | SIE | ART |
|---|---|---|---|---|---|
| Flood | Power Outage | Computer System Shutdown | Low (or a numeric value of 20 = 80 x ¼) | High (or a numeric value of 80) | ¼ |

Phase ii : risk control options assessment


Risk Control Options can be divided into four different categories:
1. Risk Acceptance – accept the risk and do nothing
   May be adopted as a control if, for instance, all other options are extremely costly, or a threat has a negligible risk associated with it.
2. Risk Avoidance – avoid the risk altogether
   In many cases it may be either or cost prohibitive.
3. Risk Reduction – reduce the risk to an acceptable level
   The first step in reducing risk is to determine an acceptable risk level for a given threat; the second step is to explore control options that lower the current risk level to the acceptable level.
4. Risk Transfer – transfer the risk to another entity or organization (e.g. to an insurance company or service provider)
   Is used to transfer the risk to another organization that can compensate for the loss or impact caused by a disruptive event.

| # | Risk Control Option | Risk Control Category |
|---|---|---|
| 1 | Relocate the main facility/Data Center to a safe distance away from the airport | Risk Avoidance |
| 2 | Relocate the main facility to a location a few miles away from the airport | Risk Reduction |
| 3 | Distribute the main facility over three different locations spread around the airport | Risk Reduction |
| 4 | Purchase a plane crash insurance policy | Risk Transfer |

PHASE iii : RISK CONTROLS COST AND EFFECTIVENESS ASSESSMENT

Step 1. Cost of Control Options

| # | Risk Control Option | Risk Control Category | Option Cost |
|---|---|---|---|
| 1 | Relocate the main facility/Data Center to a safe distance away from the airport | Risk Avoidance | $200M |
| 2 | Relocate the main facility to a location a few miles away from the airport | Risk Reduction | $200M |
| 3 | Distribute the main facility over three different locations spread around the airport | Risk Reduction | $50M |
| 4 | Purchase a plane crash insurance policy | Risk Transfer | $100M over 20 year period (or $5M per year) |

Step 2. Effectiveness of Control Options

| Threat Source | Threat Event | Consequence | Risk Value: ALE | ART |
|---|---|---|---|---|
| Aircrafts | Plane crash | Damage to the main facility and loss of life | $20M (or $600M x 1/30) | 1/30 (once in 30 years) |

Risk values and Risk Control Options

| # | Risk Control Option | Risk Control Category | Option Cost | Option's Risk Value: ALE | Risk Reduction |
|---|---|---|---|---|---|
| 1 | Relocate the main facility/Data Center to a safe distance away from the airport | Risk Avoidance | $200M | $0.12M (or $600M x 1/5000) with a likelihood of once every 5000 years | $19.88M (or $20M - $0.12M) |
| 2 | Relocate the main facility to a location a few miles away from the airport | Risk Reduction | $200M | $10M (or $600M x 1/60) with a likelihood of once every 60 years | $10M (or $20M - $10M) |
| 3 | Distribute the main facility over three different locations spread around the airport | Risk Reduction | $50M | $6.7M (or $600M x 1/3 x 1/30) | $13.3M (or $20M - $6.7M) |
| 4 | Purchase a plane crash insurance policy | Risk Transfer | $100M over 20 year period (or $5M per year) | 0 | $20M (or $20M - 0) |

Step 3 : Cost-Effectiveness Comparison of Risk Control Options

| # | Risk Control Option | Risk Control Category | Option Cost | Risk Reduction | Cost per unit of Risk Reduction (CURR) |
|---|---|---|---|---|---|
| 1 | Relocate the main facility/Data Center to a safe distance away from the airport | Risk Avoidance | $200M | $19.88M | $10.06 |
| 2 | Relocate the main facility to a location a few miles away from the airport | Risk Reduction | $200M | $10M | $20.00 |
| 3 | Distribute the main facility over three different locations spread around the airport | Risk Reduction | $50M | $13.3M | $3.75 |
| 4 | Purchase a plane crash insurance policy | Risk Transfer | $100M over 20 year period (or $5M per year) | $20M | $5 (assuming the cost of $100M over 20 year period) |

Cost per Unit of Risk Reduction (CURR) = Cost of Control Option / Risk Reduction
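The Step 6 and Phase iii arithmetic for the plane-crash scenario, as an added Python example that is not part of the original slides. It assumes an exposure factor of 1 for the undivided facility, models the slides' extra 1/3 factor for option 3 as the exposure factor, and adds one constructed "accept the risk" row to show an option with no risk reduction.

```python
from fractions import Fraction as F

def ale(alpv, ef, art):
    """ALE = SLE * ART, with SLE = ALPV * EF (Step 6)."""
    return alpv * ef * art

def curr(cost, baseline_ale, option_ale):
    """Cost per unit of risk reduction; None if the option reduces nothing."""
    reduction = baseline_ale - option_ale
    return cost / reduction if reduction > 0 else None

def rank_options(baseline_ale, options):
    """Return (name, risk_reduction, curr) rows, lowest CURR first.
    Options without any risk reduction have no CURR and sort last."""
    rows = [(name, baseline_ale - o_ale, curr(cost, baseline_ale, o_ale))
            for name, cost, o_ale in options]
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or 0))

# All amounts in $M, taken from the plane-crash tables above.
ALPV = F(600)
# Assumption: EF = 1 here (the slides multiply $600M by the ART directly).
BASELINE_ALE = ale(ALPV, F(1), F(1, 30))

OPTIONS = [  # (name, option cost, ALE once the option is in place)
    ("1 relocate to a safe distance", F(200), ale(ALPV, F(1), F(1, 5000))),
    ("2 relocate a few miles away",   F(200), ale(ALPV, F(1), F(1, 60))),
    # Assumption: the slides' extra 1/3 factor is modelled as the exposure factor.
    ("3 distribute over three sites", F(50),  ale(ALPV, F(1, 3), F(1, 30))),
    ("4 plane crash insurance",       F(100), F(0)),
    # Constructed row (not on the slides): risk acceptance costs nothing and
    # leaves the ALE unchanged, so it has no CURR.
    ("0 accept the risk",             F(0),   BASELINE_ALE),
]

if __name__ == "__main__":
    print(f"baseline ALE = ${float(BASELINE_ALE):.2f}M")
    for name, reduction, c in rank_options(BASELINE_ALE, OPTIONS):
        shown = "n/a" if c is None else f"{float(c):.2f}"
        print(f"{name:32s} reduction ${float(reduction):6.2f}M  CURR {shown}")
```

CURR as defined above divides a total option cost by a one-year risk value, so options should only be compared on a common cost basis; the table's note on option 4 ($100M over a 20 year period) is exactly that kind of assumption.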

PHASE IV : RISK REPORTING

The risk assessment report must include the following:

1. Threats and risks identified in Phase I;
2. Critical assets exposed to the threats;
3. For each threat event, a list of risk control options and their categories; and
4. For each risk control option:
   • Cost of implementing each risk control option
   • Risk reduction effectiveness
   • Cost per unit of risk reduction (CURR values)
   • The best risk control options based on their CURR values.

The contents of the report must be reviewed to determine the following:

1. Relevance and significance of the threats and risks, identified in the report, to the organization;
2. Validity of the assumptions used in the report;
3. Accuracy of the costs estimated for implementing control options; and
4. Best control options recommended in the report.

PHASE V : RISK CONTROL DECISION PROCESS

MANAGEMENT REVIEWS THE REPORT AND CHOOSES THE BEST RISK CONTROL OPTION

THIS PHASE CAN BE DIVIDED INTO FOUR MAIN STEPS :

1. Establish a range of Acceptable Risk (AR) values to help with the decision process.
   (The range of AR values indicates the level of risk management is willing to tolerate for any given threat.)
2. Select threats with a tolerable level of risk by comparing their current risk values with the range of the AR values.
3. Focus on threats with current risk values outside the range of AR values.
4. Determine the single most appropriate risk control option for each threat.

PHASE VI : RISK CONTROL IMPLEMENTATION

THIS PHASE AIMS TO IMPLEMENT THE RISK CONTROL DECISIONS OF MANAGEMENT.

THIS PHASE CAN BE DIVIDED INTO THREE MAIN STEPS FOR EACH RISK OPTION

1. Conduct a feasibility study for implementing the risk control option (it should determine whether or not the control option is operationally, technically and economically viable).
2. The feasibility report and a request for project funding are presented to management.
3. Implement the risk control project only if management approves the risk control project and its funding requirements.

PHASE VII : RISK MONITORING AND CONTROL

THIS PHASE REPRESENTS AN ON-GOING MONITORING AND CONTROL OF THE CHANGES IN THE EXISTING THREATS AND ADDITION OF NEW THREATS TO THE ORGANIZATION.

THE RISK MONITORING AND CONTROL PHASE CONDUCTS PERIODIC RISK ASSESSMENTS AND RISK AUDITS TO EVALUATE CHANGES IN THE THREATS AND RISKS TO THE ORGANIZATION, AND IMPLEMENTS APPROPRIATE RISK CONTROL OPTIONS.

Risk Management vs BCM
