Risk Analysis: a few introductory thoughts
Dr. Gábor Jeney, PhD, Senior researcher (BME)
Senior/lead auditor of ISO 27001 at AIB-Vincotte; CEO of Network Security Audit Ltd.
Outline
● Understanding the meaning of the subject
● The process of RA
● Examples – how people do the process of RA
Notations
● Arrows represent information flows and/or dependence
● Light grey slides are off topic (background)
Why should we bother?
● What is the point of this subject?
● Why do a risk analysis?
● Where is risk analysis?
● What is risk anyway?
● Threat vs. opportunity
● Why do risk analysis? What can it do for us?
● What can we do with risks?
● Assess them
– Identify them, analyse them, evaluate them
● Treat them
Where is RA?
● At the heart of every investor
● Low risk investments are preferred
– Whatever „low risk” means...
● In the centre of most management systems:
● In modern Quality MS's, including:
– ISO/TS 16949 (automotive industry)
– QS 9000 (predecessor of ISO/TS 16949)
– AS-9100 (aerospace industry)
● ISO 14001 (Environmental MS)
● ISO 27001 (Information Security MS)
● ISO 31000 (Risk Management)
● To sum up: RA is at the heart of a good manager
What is risk? – from the book
● Risk/Threat = random event that could have a negative effect/impact on the goals of the organization/investment
● Risk = scenario + probability + severity (of impact)
● Opportunity = random event that could have a positive effect/impact on the goals of the organization/investment
● The same three elements
● Threat <=> opportunity: opposite sides of the same coin
● Opportunity = a high-probability (p > 50%) threat which might not happen (with probability 1 – p < 50%)
What is risk? – from ISO 31000
● Internal and external factors make it uncertain that organizations can achieve their goals and objectives
● RISK = effect of this uncertainty
● All activities involve RISK (!)
What is risk? Examples
● A flower pot falling on your head while walking
● Suffering a car accident while driving
● Closing financial positions with a lower balance than the opening one
How many risks are there? Plenty!
● While walking
● A flower pot falling on your head
● Suffering an accident (e.g. a fracture), etc.
● While driving
● Suffering a car accident
● Running out of petrol
● Having technical problems (e.g. a breakdown), etc.
● Financial example
● Closing positions with a lower balance
● Loss of liquidity (unable to close the position), etc.
Why do RA? – from ISO 31000
● Increase the likelihood of achieving objectives
● Encourage proactive management
● Be aware of the need to identify and treat risk throughout the organization
● Improve the identification of opportunities and threats
● Comply with relevant legal and regulatory requirements and international norms
● Improve mandatory and voluntary reporting
● Improve governance
● Improve stakeholder confidence and trust
● Establish a reliable basis for decision making and planning
Why do RA? – from ISO 31000 (cont.)
● Improve controls
● Effectively allocate and use resources for risk treatment
● Improve operational effectiveness and efficiency
● Enhance health and safety performance and environmental protection
● Improve loss prevention and incident management
● Minimize losses
● Improve organizational learning
● Improve organizational resilience
Basics: the process based thinking
● Every activity can be divided into sequential or parallel processes
● Each process should have:
– A name and description
– Inputs (material or information)
– Outputs (material or information)
– Methodology (the way the process should be done)
– People („employees” of the process)
– Machines, tools, etc. (tools needed for the process)
– Measure (the efficiency of the process)
Basics: the process based thinking: the turtle diagram
Turtle diagram: the process name and description in the centre, with Inputs flowing in and Outputs flowing out; around the process: Methodology, Machines/tools, People, Measure
The responsibility assignment (RACI) matrix/diagram
● R = Responsible
– Who does the work. Typically one person
● A = Accountable
– Who approves the work. Must be exactly one person
● C = Consulted (Collaborating)
– Two-way communication
● I = Informed
– One-way communication
Risk assessment
What to do with risks?
Identify the risks
Analyse the risks
Evaluate the risks
Treat the risks
Surrounding the four steps: Concept and framework of risk assessment; Monitoring and review of risk assessment
Risk definitions – vocabulary (from ISO 31000)
● Risk: effect of uncertainty on objectives
● Risk is often characterized by events and consequences and likelihood
● Risk assessment: overall process of risk identification, risk analysis and risk evaluation
● Risk identification: process of finding, recognizing and describing risks
● Risk analysis: process to comprehend the nature of risk and to determine the level of risk
● Level of risk: magnitude of risk expressed in terms of combination of consequences and likelihood
Risk definitions – vocabulary (from ISO 31000) (cont.)
● Risk criteria: terms of reference against which the significance of risk is evaluated
● Risk evaluation: process of comparing the results of risk analyses with risk criteria to determine whether the risk and/or its magnitude is acceptable/tolerable
● Risk treatment: process to modify risk
● Residual risk: risk remaining after risk treatment
PDCA in risk management
● P (Plan): Design of the framework for managing risk
● D (Do): Implementing risk management
● C (Check): Monitoring and review of the framework
● A (Act): Continual improvement of the framework
P. Design of framework for managing risk
● P.1 Understanding of the organization and its context
● P.2 Establishing risk management policy
● P.3 Accountability
● P.4 Integration into organizational processes
● P.5 Resources
● P.6–7 Establishing (P.6) internal and (P.7) external communication and reporting mechanisms
P.1 Understanding of the organization and its context
● External context
– Social, cultural, political, legal, regulatory, financial, technological, economic, natural, competitive environment
– At national, regional, or local level
● Key drivers and trends having impact on the organization
● Relationships with external stakeholders
P.1 Understanding of the organization and its context
● Internal context
● Governance, organizational structure, roles and accountabilities
● Policies, objectives, strategies
● Capabilities (capital, time, people, processes, systems, technologies)
● Information systems, information flows and decision making
● Relationships with internal stakeholders
● Organizational culture
● Standards and models adopted by the organization
● Contractual relationships
P.2 Establishing the risk management policy (RMP)
● Organization's rationale for managing risk
● Link between the organization's objectives and policies and the RMP
● Accountabilities and responsibilities for managing risk
● How conflicting interests are dealt with
● Commitment to provide resources
● Risk management performance measures
● Commitment to review and improve the RMP
P.3 Accountability
● Identify risk owners that have accountability
● Identify who is accountable for development, implementation and maintenance of the risk management framework
● Identify other responsibilities in the organization
● Establish performance measures for internal and/or external reporting
● Ensure appropriate levels of recognition
P.4 Integration into organizational processes
● Risk management should be embedded into policy development, business and strategic planning and review
● Organization-wide risk management plan
– To ensure that risk management is embedded in all organizational practices and processes
– It can be integrated into the strategic plan
P.5 Resources
● People, skills, experience and competence
● Resources needed for each step of the risk management process
● Processes, methods and tools needed for risk management
● Documented processes and procedures
● Information and knowledge management systems
● Training programs
P.6 Establishing internal communication and reporting
● Key components (and modifications) of the framework must be communicated correctly
● Adequate internal reporting of effectiveness and outcomes
● Availability of information is provided
● Processes for consultation with internal stakeholders
● Consolidation of information from different sources and of different sensitivities
P.7 Establishing external communication and reporting
● Effective exchange of information with external stakeholders
● External reporting for (legal, regulatory and governance) compliance
● Feedback and reporting on communication and consultation
● Use communication to build confidence in the organization
● Communicate with stakeholders in case of crisis or contingency
PDCA in risk management (revealed)
● P (Plan): Design of the framework for managing risk
● D (Do): Implementing risk management
● C (Check): Monitoring and review of the framework
● A (Act): Continual improvement of the framework
D. Implement risk management
● Define timing and strategy for implementing the framework
● Apply and implement risk management policy and process
● Comply with legal and regulatory requirements
● Ensure that decisions (incl. setting objectives) are based on the outcomes of risk management
● Hold information and training sessions
● Communicate and consult with stakeholders to ensure that risk management framework is appropriate
C. Monitoring and review of the framework
● Continuously measure risk management performance against expectations
● Periodically measure progress against risk management plan
● Periodically review the risk management framework (change of internal/external context)
● Report on risk, progress with risk management plan and how the risk management policy is followed
● Review the efficiency of the risk management framework
A. Continual improvement of the framework
● Based on monitoring and reviews, decisions are made on how the risk management framework, policy and plan can be improved
Remember
● Risk assessment = Risk identification + Risk analysis + Risk evaluation
Risk assessment
Identify the risks
Analyse the risks
Evaluate the risks
Risk identification
● Aim: to generate a comprehensive list of risks based on those events that might affect the achievement of objectives
● Risk: 1) events, 2) their causes, 3) their consequences
● Collection of risks (events, causes and consequences)
● Comprehensive identification is critical, because a risk that is not identified here will not be included in next steps. All significant causes and consequences should be considered
● Cascade and cumulative effects are to be considered
● Should consider a wide range of consequences
● Relevant and up-to-date information (appropriate background information)
● People with appropriate knowledge should be involved
The turtle of risk identification
● Inputs: relevant and up-to-date information (appropriate background information)
● Tools: anything producing the above inputs, or any other help
● Output: comprehensive list (inventory) of risks
● People: people with appropriate knowledge
● Methodology: to provide a comprehensive inventory (the concrete methodology is still to be described)
● Measure: e.g. the number of risks forgotten
Risk analysis 1
● Aim: to understand risks, to make risks comparable
● Two outputs:
● Risk evaluation: should the risk be treated?
● Decision making: types and levels of risk related to different choices
● Consideration of causes and sources of risks, their consequences and likelihood
● Existing controls should be taken into account
● Interdependence between risks and their sources should be considered
● Confidence should be clearly stated (e.g. divergence of opinion among experts, uncertainty)
Risk analysis 2
● Risk analysis can be 1) qualitative, 2) semi-quantitative, 3) quantitative, or a combination of these
● Risk is analysed by determining consequences and their likelihood
● Verbal => numerical transformation
● Consequences can be expressed in terms of tangible and intangible impacts
● Likelihood can be determined by modelling, extrapolation, or from available data
● In some cases more than one numerical value is required
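Worked example of the verbal => numerical transformation, the level of risk as a combination of consequence and likelihood, risk evaluation against risk criteria, and residual risk after treatment, as defined in the ISO 31000 vocabulary slides above. This is an added example, not code from the lecture or from ISO 31000: the two 1..5 ordinal scales, the "control steps" model for existing controls, the acceptance threshold of 9, and the four risks in the register are all constructed assumptions for illustration. It also keeps more than one numerical value per risk (one rating per expert), so divergence of opinion is carried through to the evaluation instead of being averaged away.

```python
"""Semi-quantitative risk analysis, evaluation and treatment over a small risk register.

Added example; scales, the controls model, the criteria threshold and the register
are assumptions, not figures from the slides or from ISO 31000.
"""
from dataclasses import dataclass, replace

# Verbal -> numerical transformation on two assumed 1..5 ordinal scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (assumed): a level of risk above this value is not acceptable.
ACCEPTABLE_LEVEL = 9


@dataclass(frozen=True)
class Risk:
    scenario: str           # event, its cause and its consequence, as identified
    likelihood: tuple       # one verbal rating per expert, so divergence stays visible
    consequence: str        # verbal rating of the impact
    control_steps: int = 0  # likelihood steps already removed by existing controls (assumed model)


def rating(scale, word):
    """Map a verbal rating to its number; reject words outside the scale."""
    if word not in scale:
        raise ValueError(f"unknown rating {word!r}; expected one of {sorted(scale)}")
    return scale[word]


def level_of_risk(risk):
    """Level of risk = likelihood x consequence, after existing controls.

    Returns the (optimistic, pessimistic) pair across the experts' ratings rather
    than one number, so the confidence of the estimate is stated, not hidden."""
    cons = rating(CONSEQUENCE, risk.consequence)
    levels = [max(1, rating(LIKELIHOOD, w) - risk.control_steps) * cons
              for w in risk.likelihood]
    return min(levels), max(levels)


def evaluate(risk, acceptable=ACCEPTABLE_LEVEL):
    """Risk evaluation: compare the analysed level with the risk criteria."""
    low, high = level_of_risk(risk)
    if low > acceptable:
        return "treat"        # even the optimistic estimate is unacceptable
    if high > acceptable:
        return "uncertain"    # experts straddle the criterion: narrow the spread first
    return "accept"


def treat(risk, extra_control_steps=0, new_consequence=None):
    """Risk treatment: modify the risk; the returned risk is the residual risk."""
    return replace(risk,
                   control_steps=risk.control_steps + extra_control_steps,
                   consequence=new_consequence or risk.consequence)


# Constructed sample register (not real data).
REGISTER = [
    Risk("Ransomware encrypts the file server via a phishing attachment",
         ("likely", "almost certain"), "major", control_steps=1),  # mail filtering in place
    Risk("Stolen laptop exposes unencrypted customer data",
         ("possible", "possible"), "major"),
    Risk("Cloud region outage halts order processing",
         ("unlikely", "possible"), "major"),
    Risk("Coffee spill ruins a spare keyboard",
         ("likely",), "negligible"),
]


def assess(register, acceptable=ACCEPTABLE_LEVEL):
    """Analysis + evaluation over a register: scenario -> (low, high, verdict)."""
    return {r.scenario: (*level_of_risk(r), evaluate(r, acceptable)) for r in register}


if __name__ == "__main__":
    for scenario, (low, high, verdict) in assess(REGISTER).items():
        print(f"{low:>2}-{high:<2} {verdict:10} {scenario}")
    # Residual risk after treating the first two risks.
    hardened = treat(REGISTER[0], extra_control_steps=2)     # e.g. offline backups + MFA
    encrypted = treat(REGISTER[1], new_consequence="minor")  # e.g. full-disk encryption
    print(level_of_risk(hardened), evaluate(hardened))
    print(level_of_risk(encrypted), evaluate(encrypted))
```

The third risk comes out as "uncertain": one expert's rating puts it inside the criteria and the other's outside, which is exactly the divergence the analysis step is supposed to expose before a treatment decision is made.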