© Continuity and Resilience – Copyright 2013
Risk Management and Models
CII – Nov. 05, 2015
Introductions
About Continuity and Resilience (CORE)
• ISO 22301 Certified Management Consulting Firm
• Business Continuity Management
• Crisis Management
• IT Disaster Recovery
• Green IT
• Risk Management
• Information Security Management
• We Consult / Train / Assess and Certify in these domains
“A person who can foresee problems / difficulties and identify proactive solutions will live happily.”
- Chanakya (350 – 283 BC), Author of Artha Sasthra

What is Risk?
• Risk is the potential that something will go wrong as a result of one or a series of events.

“To get profit without risk, experience without danger, and reward without work, is as impossible as it is to live without being born.”
- A.P. Gouthe
Risk Definitions – the change over time

Source – Definition
• ISO/IEC Guide 51:1999 – Combination of the probability of occurrence of harm and the severity of that harm
• ISO/IEC Guide 73:2002 – Combination of the probability of an event and its consequence
• AS/NZS 4360:2004 – Chance of something happening that will have an impact on objectives
• COSO (2004) ERM Integrated Framework – Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.
• ISO 31000:2009 – Effect of uncertainty on objectives
• ISO 22301:2012 – Effect of uncertainty on objectives
Harmonization of International Standards
• ISO/IEC 31000 - Risk management – Principles and guidelines
• ISO/IEC 31010 - Risk management – Risk assessment techniques
• ISO/IEC 27001 - Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27005 - Information technology – Security techniques – Information security risk management systems
Universe of Risks - 1
(Diagram; source: www.ey.com)

Universe of Risks - 2
Potential Sources of Risk (diagram): Natural, Manmade, Accidental; Internal, External

Lessons from Animals-1
Don’t be a pigeon!
Why are we talking about Risk?
Today’s networks are more exposed to threats & risks.
Gartner brought up an interesting concept: "Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting."
The risk environment is constantly changing.
Financially-motivated, targeted attacks are increasing – but most security processes and technologies are failing to keep up.
Exposure points (diagram)
“Risk comes from not knowing what you’re doing”
- Warren Buffett
Well, then I guess we both are in deep trouble.
About … Risk Management
In assessing risks, technical people tend to focus on technical issues which have occurred to them, but the major risks for a product may be business-related – obstacles they don’t consider as often.
What is Risk Management?
Who uses Risk Management?
How is Risk Management used?
Risk Management Models
What is Risk Management?
• Good management practice
• Process steps that enable improvement in decision making
• A logical and systematic approach
• Identifying opportunities
• Avoiding or minimizing losses

Risk Management is the name given to a logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process.

Risk Management is a methodology that helps managers make best use of their available resources.

Coordinated activities to direct and control an organization with regard to risk.
Risk Management - Benefits
• Likelihood of achieving objectives is increased
• Proactive management is encouraged
• Identification of opportunities and threats is increased
• Legal and regulatory compliance is achieved
• Improvement in mandatory and voluntary reporting is achieved
• Governance is improved
• Interested parties’ confidence and trust is enhanced
• Decision making and planning is improved
• Resource allocation is effective
• Operational effectiveness and efficiency is improved
• Health and safety performance is enhanced
• Environmental protection is improved
• Loss prevention and incident management is improved
• Losses are minimised
• Organisational learning is improved
• Overall improvement in organisational resilience is achieved
Who uses Risk Management?
Risk Management practices are widely used in the public and private sectors, covering a wide range of activities or operations. These include:
• Finance and Investment
• Insurance
• Health Care
• Public Institutions
• Governments

• Effective Risk Management is a recognized and valued skill.
• Educational institutions have formal study courses and award degrees in Risk Management.
• The Risk Management process is well established. (International RM process standards.)

Risk Management is now an integral part of business planning.
Risk Management - Myths
• “We can only do so much; then whatever happens, happens.”
• “Don’t be concerned with Risk Management (RM); there is nothing in it that applies to non-financial businesses.”
• “It’s hard to find someone who has the expertise to address all risks across the organization. Isn’t that what the CEO and CFO should be doing?”
• “Buying insurance manages the risk, doesn’t it?”
• “Risk management is only for large companies”
• “We have lots of insurance”
• “We already have a safety program”
• “We haven’t had any problems so far” (but WE ARE ALWAYS ONE DISASTER BEHIND)
• “It’s too expensive to implement a program”
• “My company doesn’t have ethical risks.”
How is Risk Management used?
The Risk Management process steps are a generic guide for any organisation, regardless of the type of business, activity or function.
There are 7 steps in the RM process.

“The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning.”
-- Charles Tremper
The basic process steps are:
Establish the context
Identify the risks
Analyse the risks
Evaluate the risks
Treat the risks
‘Risk’ is dynamic and subject to constant change, so the process also includes two continuing activities:
Communication & consultation
Monitoring and review
The Risk Management process:

Establish the context
The strategic and organisational context in which risk management will take place. For example, the nature of your business, the risks inherent in your business and your priorities.

Identify the risks
• Defining types of risk, for instance, ‘Strategic’ risks to the goals and objectives of the organisation.
• Identifying the stakeholders (i.e., who is involved or affected).
• Past events, future developments.

Analyse the risks
How likely is the risk event to happen? (Probability and frequency?)
What would be the impact, cost or consequences of that event occurring? (Economic, political, social?)

Evaluate the risks
Rank the risks according to management priorities, by risk category and rated by likelihood and possible cost or consequence.
Determine inherent levels of risk.

Treat the risks
Develop and implement a plan with specific counter-measures to address the identified risks. Consider:
• Priorities (strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance (i.e., low risks)
Document your risk management plan and describe the reasons behind selecting the risk and for the treatment chosen. Record allocated responsibilities, monitoring or evaluation processes, and assumptions on residual risk.

Communicate & consult; Monitor and review (running alongside every step)
Risk Management policies and decisions must be regularly reviewed. In identifying, prioritising and treating risks, organisations make assumptions and decisions based on situations that are subject to change (e.g., the business environment, trading patterns, or government policies).
Risk Managers must monitor activities and processes to determine the accuracy of planning assumptions and the effectiveness of the measures taken to treat the risk. Methods can include data evaluation, audit, compliance measurement.

The Risk Management process (summary): Establish the context; Identify the risks; Analyse the risks; Evaluate the risks; Treat the risks.
Famous Quotes
“Business as usual is business at risk”
- Deloitte Old whitepaper
“The problem in my life and other people’s lives is not the absence of knowing what to do, but the absence of doing it”
- Peter F Drucker
“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.”
-- Dr. Michael Ong
“Risk management should be an enterprise-wide exercise and engrained in the business culture of the organization.”
-- Julie Dickson
“If you treat risk management as a part-time job, you might soon find yourself looking for one.”
-- someone in Deloitte
4 T’s of Risk Management
• Tolerate (what is within your risk appetite)
• Treat (by investing)
• Transfer (through insurance)
• Terminate (the risk / process itself)
Heat Diagram (before and after treatment)
• The number of risks falling in the Red and Amber bands should reduce after treatment
• These should further reduce after treatment of the residual risks
• They must keep reducing over a period of time
• While new risks may also appear
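As an added example (not part of the deck or Core Consulting's material), the following Python models the analyse, evaluate and treat steps and the 4 T's as a small risk register, and reproduces the heat-diagram comparison: each risk is rated for likelihood and impact, the score is banded Red / Amber / Green, one of the 4 T's is applied, and band counts are compared before and after treatment. The 1..5 scales, band thresholds, risk appetite value and sample risks are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed scoring scheme (the deck describes the heat diagram only
# qualitatively): likelihood and impact are each rated 1..5, the risk
# score is their product, and the score is banded Red / Amber / Green.
SCALE_MAX = 5
RED_FROM = 15       # score >= 15       -> Red
AMBER_FROM = 8      # 8 <= score < 15   -> Amber, below -> Green
RISK_APPETITE = 7   # highest score the organisation agrees to Tolerate
FOUR_TS = ("Tolerate", "Treat", "Transfer", "Terminate")


def band(score: int) -> str:
    """Map a likelihood x impact score to a heat-map colour band."""
    if score >= RED_FROM:
        return "Red"
    if score >= AMBER_FROM:
        return "Amber"
    return "Green"


@dataclass(frozen=True)
class Risk:
    """One row of a risk register (constructed example schema)."""
    name: str
    likelihood: int                   # 1..5: how likely is the event?
    impact: int                       # 1..5: what would the consequence be?
    treatment: str = "Tolerate"       # one of the 4 T's
    # Treatment parameters: (likelihood reduction, impact reduction).
    # Treat may reduce either axis; Transfer (insurance) shifts only the
    # consequence, so its likelihood reduction must be 0.
    effect: Tuple[int, int] = (0, 0)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {value} outside 1..{SCALE_MAX}")
        if self.treatment not in FOUR_TS:
            raise ValueError(f"{self.name}: unknown treatment {self.treatment!r}")
        if self.treatment == "Transfer" and self.effect[0] != 0:
            raise ValueError(f"{self.name}: insurance cannot lower likelihood")

    def inherent(self) -> int:
        """Analyse step: score before any treatment."""
        return self.likelihood * self.impact

    def residual(self) -> Optional[int]:
        """Score after treatment; None once the risk has been Terminated."""
        if self.treatment == "Terminate":
            return None
        if self.treatment == "Tolerate":
            return self.inherent()
        lik_cut, imp_cut = self.effect
        # Ratings never drop below 1: a control reduces a risk, it does not
        # make the event impossible or consequence-free.
        return max(1, self.likelihood - lik_cut) * max(1, self.impact - imp_cut)


def prioritised(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Evaluate step: rank risks by inherent score, highest first."""
    rows = [(r.name, r.inherent(), band(r.inherent())) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def heat_map(risks: List[Risk], residual: bool) -> Dict[str, int]:
    """Count risks per band, before (inherent) or after (residual) treatment."""
    counts = Counter({"Red": 0, "Amber": 0, "Green": 0})
    for r in risks:
        score = r.residual() if residual else r.inherent()
        if score is not None:             # Terminated risks leave the diagram
            counts[band(score)] += 1
    return dict(counts)


def tolerated_above_appetite(risks: List[Risk],
                             appetite: int = RISK_APPETITE) -> List[str]:
    """Tolerate is only legitimate within risk appetite; return the violators
    so the monitor-and-review step sends them back for a real decision."""
    return [r.name for r in risks
            if r.treatment == "Tolerate" and r.inherent() > appetite]


# Constructed sample register; the risks and ratings are illustrative only.
REGISTER = [
    Risk("Ransomware on file servers", 4, 5, "Treat", (2, 1)),   # 20 -> 8
    Risk("Data centre flood", 2, 5, "Transfer", (0, 3)),         # 10 -> 4
    Risk("Key supplier insolvency", 3, 4, "Treat", (1, 2)),      # 12 -> 4
    Risk("Legacy payroll application", 3, 3, "Terminate"),       #  9 -> gone
    Risk("Minor website defacement", 2, 2),                      #  4, within appetite
    Risk("Untested backups", 3, 4),                              # 12, tolerated: flag
]

if __name__ == "__main__":
    for name, score, colour in prioritised(REGISTER):
        print(f"{score:>3} {colour:<6} {name}")
    print("before treatment:", heat_map(REGISTER, residual=False))
    print("after treatment: ", heat_map(REGISTER, residual=True))
    print("tolerated above appetite:", tolerated_above_appetite(REGISTER))
```

The before/after counts show the Red and Amber population shrinking as the slide describes, while the appetite check catches a risk that was simply accepted without a treatment decision.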
Lessons from Animals-2
Don’t be a horse!

Risk Management Maturity Model
• There is no established Maturity Model for Risk Management at present;
• But one can easily be developed and adopted
“If you can't describe what you are doing as a process, you don't know what you're doing”
- W. Edwards Deming

RM Maturity Model – Deloitte sample (diagram)
RM Maturity Model
• Levels and Parameters defined by someone else
• Level 1: Ad hoc. Undocumented; in a state of dynamic change; depends on individual heroics.
• Level 2: Preliminary. Risk defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.
• Level 3: Defined. A common risk assessment/response framework is in place. Organization-wide view of risk is provided to executive leadership. Action plans implemented in response to high priority risks.
• Level 4: Integrated. Risk management activities coordinated across business areas. Common risk management tools and processes used where appropriate, with enterprise-wide risk monitoring, measurement and reporting. Alternative responses analyzed with scenario planning. Process metrics in place.
• Level 5: Optimized. Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management of risks above established thresholds.
Other RM Standards
• ISO 14971 – Medical devices – Application of risk management to medical devices
• ISO/IEC 16085 – Systems and Software Engineering – Life cycle processes – Risk management
• ISO 17666 – Space systems – Risk management
• ISO/IEC 27005 – Information technology – Security techniques – Information security risk management
• AS/NZS 4360 – Risk Management**
• COSO Enterprise Risk Management – Integrated Framework
• NIST 800-30 – Risk Management Guide for Information Technology Systems
** Base standard for ISO 31000; the first international standard on Risk Management
BT Risk Process & Activity Lifecycle (PDCA Model)
(Diagram arranged around the Deming Cycle: Plan, Do, Check, Act)
1. Define
   1.1 Stakeholders
   1.2 Risk Management Executive
   1.3 Scope
2. Risk Analysis
   2.1 Risk Identification
   2.2 Identify Appetite
   2.3 Calculate Risk
   2.4 Decide Response
3. Select Control Criteria & Implement Controls
   3.1 Choose Controls
   3.2 Implement Controls
4. Audit & Testing of Controls
   4.1 Internal Testing/Auditing
   4.2 External Testing/Auditing
   4.3 Accreditation
5. Improvement Plan
   5.1 Agree
   5.2 Monitor
6. Incident Management
   6.1 Monitor
   6.2 Respond
   6.3 Record
   6.4 Categorise
Other Strategic Risks
• Recently, the following have been gaining a lot of importance:
• Sustainability Risks
• Cloud Computing Risks
Risk Management Rules
1. Don’t underestimate your risks
2. Risks don’t go away (they exist as they are)
3. Certifications don’t make you ready
4. You can’t just rely on technology
5. Be careful of professional burnout
6. Look after your (precious) data
7. Risk Management? Incident Management?
8. Manage risks from top down
9. Don’t reveal your internal documents
10. Lies, damn lies and statistics…
A Balanced Approach - Risks need to be understood
(Diagram; labels: Potential Threats to Assets, Potential Vulnerability, Reality Check, Balanced Solution, Risk Appetite, Solution for Acceptable Risk, Mitigation; three Low–High scales for Information Security, Cost, and Risk / Usability)
Risk Management is the management of trade-off.
There must be a balance!
Risk management models - Core Consulting
Thank You
CONTINUITY & RESILIENCE
Email: info@continuityandresilience.com
Website: www.continuityandresilience.com
http://www.coreconsulting.ae/