IT 34 - Risk Management

38 Terms

1

RISK

effect of uncertainty on objectives

2

PROBABILITY

of a threat

3

EFFECT

deviation from the expected - positive and/or negative

  • Often expressed in terms of consequences of an event and its likelihood

4

VULNERABILITY

of the asset to the threat

5

IMPACT

if it occurred

6

RISK APPETITE

refers to the amount of risk an organization is prepared to accept, tolerate, or be exposed to at any point in time

7

RESIDUAL RISK

level of risk remaining after all cost-effective actions have been taken to lessen the impact, probability, and consequences of a specific risk or group of risks, subject to an organization’s risk appetite.

8

RISK LOG/REGISTER

a summary of identified risks and their ranking, and how they are to be treated

9

Human-Induced

  1. Terrorist event

  2. Industrial accidents 

  3. Transport accidents

10

Technological

Cyber security breaches affecting critical infrastructure

11

Natural

Hydro-meteorological

  1. Tropical cyclones 

  2. Storm surges 

  3. Heavy rainfall and flooding

Geophysical

  1. Earthquakes 

  2. Landslides

  3. Volcanic Activity 

  4. Tsunami 

12

Biological

Epidemics

13

TYPES OF HAZARDS

  1. Natural

  2. Human-Induced

  3. Technological

  4. Biological

14

Facility

Primary workplace is rendered unavailable (denial of access)

15

People

  1. Employee safety and wellbeing are affected

  2. Workforce is disrupted affecting operations

16

Public

Loss of public trust and confidence

17

Process

Critical operational activities within the organization are disrupted

18

Supply Chain

Inability of a critical supplier or third-party service provider to deliver services required by vital processes

19

ICT

Loss of access to critical ICT systems and applications which support vital operations

20

IMPACT AREAS

  1. Facility

  2. People

  3. Public

  4. Process

  5. Supply Chain

  6. ICT

21

RISK ANALYSIS

establishes the basis for risk evaluation by identifying the nature and level of risk for an event

  • quantitative or qualitative

  • provides the basis for risk evaluation and decisions for the risk treatment.

  • helps determine the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood

22

Risk Analysis: Quantitative

  1. Rare

  2. Unlikely

  3. Possible

  4. Likely

  5. Almost Certain

23

Extreme

  1. Significant injuries or fatalities to employees or third parties, such as guests or other service providers/contractors 

  2. Significant prosecution and fines, litigation including class actions, incarceration of leadership 

  3. International long-term negative media coverage

24

Major

  1. Limited in-patient care required for employees or third parties, such as guests or other service providers/contractors 

  2. Report to regulator requiring major project for corrective action 

  3. Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

  4. National long-term negative media coverage

25

Moderate

  1. Out-patient medical treatment required for employees or third parties, such as guests or other service providers/contractors 

  2. Report of breach to regulator with immediate correction to be implemented 

  3. Widespread staff morale problems and high turnover

  4. National short-term negative media coverage

26

Minor

  1. No or minor injuries to employees or third parties, such as guests or other service providers/contractors 

  2. Reportable incident to regulator, no follow up 

  3. General staff morale problems and increase in turnover 

  4. Local reputational damage

27

Incidental

  1. No injuries to employees or third parties, such as guests or other service providers/contractors

  2. Not reportable to regulator 

  3. Isolated staff dissatisfaction 

  4. Local media attention quickly remedied

28

Evaluate and Classify Risks

  1. Risks under and beyond the company’s control

  2. Risks with prior warnings and no prior warnings

29

Evaluate Impact of Risks and Vulnerabilities

  1. Availability of personnel 

  2. Availability of ICT

  3. Status of infrastructure 

  4. Supply chain

30

Purpose of risk evaluation

to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.

31

Identify and Evaluate Effectiveness of Controls and Safeguards in Place 

  1. Inherent protection afforded to key assets. 

  2. Continuity capabilities for groups within and external to the organization on which it is dependent to conduct its operations

  3. Actions taken to reduce the probability of occurrence of incidents that could cause potential interruption 

  4. Reactive and preventive controls

  5. Security-related communications

32

Recommended Changes to Controls for Reducing Impact

  1. Physical protection

  2. Logical protection

  3. Location of assets

  4. Changes to personnel procedures

  5. Increased preventive maintenance

  6. Redundancy of utilities

  7. Interface with external agencies

33

Risk Treatment

the selection and implementation of measures to modify risk.

34

Risk Avoidance/Risk Elimination

eliminating the source of pure risk; the most effective form of risk treatment

  • Sample Intervention: Implementation and observation of “no build zones”

35

Risk Control

reducing and managing the risk to within acceptable levels

  • Sample Intervention: prevention, preparedness, mitigation, response and continuity strategies

36

Risk Transfer

passing the risk to a third party; also called risk sharing. 

  • Sample Intervention: Insurance

37

Risk Acceptance/Risk Assumption

the organization has determined that the risk is not sufficient to warrant additional controls (residual risk) or it is impossible to eliminate the risk.

38

Risk Financing

a form of self-insurance in which the organization sets aside and manages funds to cover a future potential loss