Risk Methodologies
Why are there so many?
1st June 2011
Presenter



Jeremy Kaye, VP GRC Strategy
+44 20 7903 5139
jeremy.kaye@easy2comply.com




     Confidential
Housekeeping



• The slides for this event will be distributed
  afterwards
• The webinar recording will be archived on the
  easy2comply website
• Q&A at the end




Webinar Focus



•   Purpose of Assessing Risks
•   Different Methodologies
•   Strengths and Weaknesses
•   How to Choose?




Risk: A Definition

• Possibility of loss or
  injury
• Someone or something
  that creates a hazard
• Chance of loss to the subject matter of an insurance
  contract
• Chance that an investment will lose value
• Potential that a chosen action will lead to an
  undesirable outcome

Risk versus Uncertainty

• Uncertainty is where there are different outcomes
• Risk is your potential exposure to those outcomes
• We can be uncertain about the winner of a contest,
  but unless we have some personal stake in it, we
  have no risk
• Risk Assessment is therefore subjective

(Image caption: November 2008: Viewed and Bauer came right down to the line in the Melbourne Cup)
Types of Risks

Examples of Financial Risks:
•   Market Risk
•   Credit Risk
•   Liquidity Risk

Examples of Non-Financial Risks:
•   Strategic Risk
•   Operational Risk
•   Business Risk
•   IT Risk

Note: We’re not referring to financial assessment
methodologies but to types of risk whose nature is financial.
Purpose of Risk Assessment



• To gain a sense of the “size” of the risks
• To prioritise based on our analysis
• To determine a course of action (controls) as
  needed




Webinar Focus



•   Purpose of Assessing Risks
•   Different Assessment Methodologies
•   Strengths and Weaknesses
•   How to Choose?




Examples of Methodologies and Techniques



• Methodology examples: CRAMM, ISO 31000,
  ISO 27005
• Techniques:
  – Scorecards
  – Questionnaires
  – Risk Squares
  – Financial Valuation
  – Scenario


Scorecards



• Purpose is to attain an overall score for the
  risk
  – Questions broken into sections
  – Each question has a score
  – Each section has an overall score

Illustration from the slide: three sections scoring 1, 3 and 2
give an Overall Score of 6.
Questionnaires



• Purpose is to attain a set of descriptive
  information about the risk
• Questions and Answers
• Don’t necessarily generate a score; yield
  information




Risk Squares

• Impact and Likelihood
  1. What is the impact of this risk to
     the ________?
  2. How likely is this risk to occur?
• Risk score generated by
  multiplying two values
• Variables:
  – The scale
  – The values
  – Odd vs. Even


Risk Squares

(Image-only slide: an example risk square matrix.)
Risk Cubes

(Figure: a cube whose three axes are Impact, Likelihood and “Velocity”.)
Financial Valuation

• How do we get to a $ value instead of “just” a
  number?
• Need to understand purpose of valuation
  – Prioritisation
  – “Real” valuation
• What’s the difference?
• Parameters we could use:
  – Direct history
  – Insurance data
  – Management insight
Don’t Kid Yourself

• History is history; the future is something else
• Financial valuations are generally no less
  reliable than other measures
• How do we aggregate them?
• Do the numbers make sense?




Scenario Analysis

• Top-down approach to identify major risk
  scenarios
• Will use heavy combination of subjective and
  objective data
• Incorporates many people into the process
• Single scenario:
  – Real history
  – Insurance coverage
  – Overall control environment
  – Ownership
  – Potential loss expression
  – “Other” impacts
Top-Down vs. Bottom-Up

• Different purposes
• Scenarios at top level are generally strategic
• Risks at lower level are generally for business
  management
• Need to find a way to link them




Linking the Data Together

• Generate the risk scenarios
• Use them as part of the risk classification
• Allow business to identify their own risks
• Map low-level risks to the higher-level scenarios

(Figure: scenarios S1–S5 on top, low-level risks R1–R15 beneath them.)
Linking the Data Together

• Ensures that business has freedom to think
  out of the box
• Gives executive management a view on how
  risk scenarios are expressed throughout
  the business

(Figure: the same S1–S5 / R1–R15 mapping as the previous slide.)
Risk Surveys


• Collaborative approach
• Sit round a table, or via teleconference, and
  everyone has an opinion
• Lots of input




Webinar Focus



•   Purpose of Assessing Risks
•   Different Assessment Methodologies
•   Strengths and Weaknesses
•   How to Choose?




Common Factors

• All approaches have a fundamental common
  theme

  Identify → Assess → Respond

• Methodology choice is very personal
How do we Identify Risks?

• Do we let them tell us what their risks are?
• Do we tell people what their risks are?
• How do we stop “the lost pencil” effect?

Two approaches: Blank Sheet | Templates
The Blank Sheet Approach

• Business identifies their own
  risks
• Based on their own
  knowledge and
  understanding
• Accountability and
  responsibility for the
  process
• Submit the data back to
  central team
The Template Approach

• Risk department builds the
  template
• Pre-defined risks
• Business asked to assess
  the risks
• Submit the data back to
  the risk team
• Allows for standardization


Strengths and Weaknesses

• Template Approach
  – We never create the opportunity for creativity
  – We never reinforce ownership (“not my risks”)

• Blank Sheet Approach
  – Too much creativity / lacks balance
  – Difficult to compare and aggregate
  – Too much work (“I don’t have time for this”)
Which is the “Worst” Risk?

(Figure: bar chart of Risk Impact for risks R1 to R9.)
Webinar Focus



•   Purpose of Assessing Risks
•   Different Assessment Methodologies
•   Strengths and Weaknesses
•   How to Choose?




Remember the Purpose

• To gain a sense of the “size” of the risks
• To prioritise based on our analysis

• Most important thing is to have a
  standardised approach and the ability to
  compare
• Don’t spend months choosing a methodology
  – get something that is sensible and
  practical
• Don’t be nervous about amending it over time
How do we Respond to Risks?



• Risk Assessment gives us our opportunity to
  respond accordingly
  – Accept / Tolerate
  – Mitigate / Add Controls
  – Insure
  – Review




Example from easy2comply

(Screenshot: a risk record and its linked controls in easy2comply; image not reproduced.)
Risk Score vs. Residual Risk




• The risk score together with the control
  effectiveness generates the Residual Risk
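As an added illustration (not code from the webinar or from easy2comply), here is a small Python model of the risk square from the Risk Squares slide, the risk-to-scenario mapping from Linking the Data Together, and the residual risk described on this slide. Assumed, because the slides do not state them: a 1..N ordinal scale, score = impact × likelihood, residual risk = score × (1 − control effectiveness), and a scenario's risk taken as the highest residual risk mapped to it; the R/S values are constructed sample data.

```python
from collections import defaultdict


def risk_score(impact: int, likelihood: int, scale: int = 5) -> int:
    """Risk-square score: impact multiplied by likelihood on a 1..scale ordinal scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= scale:
            raise ValueError(f"{name}={value} is outside the 1..{scale} scale")
    return impact * likelihood


def has_midpoint(scale: int) -> bool:
    """Odd scales offer a neutral middle value; even scales force a lean either way."""
    return scale % 2 == 1


def residual_risk(score: int, control_effectiveness: float) -> float:
    """Assumed formula: the inherent score reduced by the fraction the controls cover."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return round(score * (1.0 - control_effectiveness), 2)


def scenario_view(risks: dict, mapping: dict) -> dict:
    """Roll low-level residual risks up to the scenarios they map to.

    Assumption: a scenario inherits the highest residual risk mapped to it,
    so executives see the worst expression of each scenario in the business.
    """
    view = defaultdict(float)
    for risk_id, (impact, likelihood, ctrl) in risks.items():
        res = residual_risk(risk_score(impact, likelihood), ctrl)
        scenario_id = mapping[risk_id]
        view[scenario_id] = max(view[scenario_id], res)
    return dict(view)


def rank_risks(risks: dict) -> list:
    """Answer 'which is the worst risk?' by residual risk, highest first."""
    scored = {rid: residual_risk(risk_score(i, l), c) for rid, (i, l, c) in risks.items()}
    return sorted(scored, key=lambda rid: scored[rid], reverse=True)


# Constructed sample data: risk id -> (impact, likelihood, control effectiveness)
RISKS = {
    "R1": (5, 4, 0.5),   # severe, half mitigated        -> residual 10.0
    "R2": (3, 3, 0.0),   # medium, no controls           -> residual 9.0
    "R3": (2, 5, 0.8),   # very likely, well controlled  -> residual 2.0
    "R4": (4, 1, 0.25),  # rare, lightly controlled      -> residual 3.0
}
MAPPING = {"R1": "S1", "R2": "S1", "R3": "S2", "R4": "S3"}

if __name__ == "__main__":
    print(scenario_view(RISKS, MAPPING))  # {'S1': 10.0, 'S2': 2.0, 'S3': 3.0}
    print(rank_risks(RISKS))              # ['R1', 'R2', 'R4', 'R3']
```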
Questions and Answers



   Jeremy Kaye, VP GRC Strategy
   +44 20 7903 5139
   jeremy.kaye@easy2comply.com




