3. About Continuity and Resilience (CORE)
• ISO 22301 Certified Management Consulting Firm
• Business Continuity Management
• Crisis Management
• IT Disaster Recovery
• Green IT
• Risk Management
• Information Security Management
• We Consult / Train / Assess and Certify in these domains
4. "A person who can foresee problems / difficulties and identify proactive solutions will live happily."
- Chanakya (350 – 283 BC), Author of the Arthashastra
5. What is Risk?
• Risk is the potential that something will go wrong as a result of one or a series of events.
"To get profit without risk, experience without danger, and reward without work, is as impossible as it is to live without being born."
- A.P. Gouthey
6. Risk Definitions – the change over time
Source                         Definition
ISO/IEC Guide 51:1999          Combination of the probability of occurrence of harm and the severity of that harm
ISO/IEC Guide 73:2002          Combination of the probability of an event and its consequence
AS/NZS 4360:2004               Chance of something happening that will have an impact on objectives
COSO (2004) ERM Integrated     Events with a negative impact represent risks, which can prevent value creation or
Framework                      erode existing value. Events with positive impact may offset negative impacts or
                               represent opportunities.
ISO 31000:2009                 Effect of uncertainty on objectives
ISO 22301:2012                 Effect of uncertainty on objectives
7. Harmonization of International Standards
• ISO 31000 - Risk management – Principles and guidelines
• ISO/IEC 31010 - Risk management – Risk assessment techniques
• ISO/IEC 27001 - Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27005 - Information technology – Security techniques – Information security risk management
13. Today's networks are more exposed to threats & risks
Gartner brought up an interesting concept: "Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting."
The risk environment is constantly changing. Financially-motivated, targeted attacks are increasing – but most security processes and technologies are failing to keep up.
(Diagram: exposure points)
14. "Risk comes from not knowing what you're doing"
- Warren Buffett
Well, then I guess we both are in deep trouble.
15. About … Risk Management
In assessing risks, technical people tend to focus on technical issues which have occurred to them, but the major risks for a product may be business-related – obstacles they don't consider as often.
16. What is Risk Management?
Who uses Risk Management?
How is Risk Management used?
Risk Management Models
17. What is Risk Management?
• Good management practice
• Process steps that enable improvement in decision making
• A logical and systematic approach
• Identifying opportunities
• Avoiding or minimizing losses
18. What is Risk Management?
Risk Management is the name given to a logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process.
19. What is Risk Management?
Risk Management is a methodology that helps managers make best use of their available resources.
20. What is Risk Management?
"Coordinated activities to direct and control an organization with regard to risk" (the ISO Guide 73 / ISO 31000 definition).
21. Risk Management - Benefits
• Likelihood of achieving objectives is increased
• Proactive management is encouraged
• Identification of opportunities and threats is increased
• Legal and regulatory compliance is achieved
• Improvement in mandatory and voluntary reporting is achieved
• Governance is improved
• Interested parties' confidence and trust is enhanced
• Decision making and planning is improved
• Resource allocation is effective
22. Risk Management - Benefits
• Operational effectiveness and efficiency is improved
• Health and safety performance is enhanced
• Environmental protection is improved
• Loss prevention and incident management is improved
• Losses are minimised
• Organisational learning is improved
• Overall improvement in organisational resilience is achieved
23. Who uses Risk Management?
Risk Management practices are widely used in the public and private sectors, covering a wide range of activities or operations. These include:
• Finance and Investment
• Insurance
• Health Care
• Public Institutions
• Governments
24. Who uses Risk Management?
• Effective Risk Management is a recognized and valued skill.
• Educational institutions have formal study courses and award degrees in Risk Management.
• The Risk Management process is well established. (International RM process standards.)
26. Risk Management - Myths
• "We can only do so much; then whatever happens, happens."
• "Don't be concerned with Risk Management (RM); there is nothing in it that applies to non-financial businesses."
• "It's hard to find someone who has the expertise to address all risks across the organization. Isn't that what the CEO and CFO should be doing?"
• "Buying insurance manages the risk, doesn't it?"
27. Risk Management - Myths
• "Risk management is only for large companies"
• "We have lots of insurance"
• "We already have a safety program"
• "We haven't had any problems so far" (but WE ARE ALWAYS ONE DISASTER BEHIND)
• "It's too expensive to implement a program"
• "My company doesn't have ethical risks."
29. How is Risk Management used?
The Risk Management process steps are a generic guide for any organisation, regardless of the type of business, activity or function.
There are 7 steps in the RM process.
30. "The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning."
-- Charles Tremper
31. The basic process steps are:
• Establish the context
• Identify the risks
• Analyse the risks
• Evaluate the risks
• Treat the risks
32. 'Risk' is dynamic and subject to constant change, so the process also includes two continuing activities:
• Communication & consultation
• Monitoring and review
33. The Risk Management process: Establish the context
The strategic and organisational context in which risk management will take place. For example, the nature of your business, the risks inherent in your business and your priorities.
(Continuing: communicate & consult; monitor and review)
34. The Risk Management process: Identify the risks
• Defining types of risk, for instance 'Strategic' risks to the goals and objectives of the organisation.
• Identifying the stakeholders (i.e., who is involved or affected).
• Past events, future developments.
35. The Risk Management process: Analyse the risks
• How likely is the risk event to happen? (Probability and frequency?)
• What would be the impact, cost or consequences of that event occurring? (Economic, political, social?)
36. The Risk Management process: Evaluate the risks
Rank the risks according to management priorities, by risk category and rated by likelihood and possible cost or consequence.
Determine inherent levels of risk.
37. The Risk Management process: Treat the risks
Develop and implement a plan with specific counter-measures to address the identified risks.
Consider:
• Priorities (strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance (i.e., low risks)
38. The Risk Management process: Treat the risks
Document your risk management plan and describe the reasons behind selecting the risk and for the treatment chosen.
Record allocated responsibilities, monitoring or evaluation processes, and assumptions on residual risk.
39. The Risk Management process: Monitor and review
Risk Management policies and decisions must be regularly reviewed.
In identifying, prioritising and treating risks, organisations make assumptions and decisions based on situations that are subject to change (e.g., the business environment, trading patterns, or government policies).
40. The Risk Management process: Monitor and review
Risk Managers must monitor activities and processes to determine the accuracy of planning assumptions and the effectiveness of the measures taken to treat the risk.
Methods can include data evaluation, audit, and compliance measurement.
41. The Risk Management process:
Establish the context
Identify the risks
Analyse the risks
Evaluate the risks
Treat the risks
42. Famous Quotes
"Business as usual is business at risk"
- an older Deloitte whitepaper
"The problem in my life and other people's lives is not the absence of knowing what to do, but the absence of doing it"
- Peter F. Drucker
43. "Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis."
-- Dr. Michael Ong
44. "Risk management should be an enterprise-wide exercise and engrained in the business culture of the organization."
-- Julie Dickson
45. "If you treat risk management as a part-time job, you might soon find yourself looking for one."
-- someone in Deloitte
46. 4 T's of Risk Management
• Tolerate (accept what is within your risk appetite)
• Treat (reduce it by investing in controls)
• Transfer (share it, e.g. through insurance or contracts)
• Terminate (stop the risky activity or process itself)
47. Heat Diagram (before and after treatment)
• The number of risks falling in the Red and Amber bands should reduce after treatment
• These should further reduce after treatment of the residual risks
• Which must further keep reducing over a period
• While new risks may also appear
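The analyse and evaluate steps (slides 35-36), the 4 T's and the before/after heat diagram are usually kept together in a risk register. The script below is an added example, not part of the original deck: it scores each risk as likelihood x impact on two 5-point ordinal scales, buckets the score into Red/Amber/Green, ranks the register, applies the chosen 'T' to derive the residual risk, and compares the Red+Amber counts before and after treatment. The scales, the Red/Amber thresholds, the risk appetite of 8, the assumed effect of each treatment on likelihood or impact, and the five sample risks are all constructed assumptions for illustration.

```python
"""Risk register: likelihood x impact scoring, heat-map buckets, 4 T's.

Added example (not from the original slides). Scales, thresholds,
treatment effects and the sample register below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, replace

# 5-point ordinal scales (assumption; 3- and 5-point scales are both common)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # assumption: a score above this must not simply be tolerated
TREATMENTS = ("Tolerate", "Treat", "Transfer", "Terminate")  # the 4 T's


def rating(score: int) -> str:
    """Bucket a score (1..25) into the heat-map colour (assumed cut-offs)."""
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Amber"
    return "Green"


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    treatment: str = "Tolerate"

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.rid}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # inherent risk score


def residual(risk: Risk):
    """Apply the chosen 'T'. Effects are assumptions: controls lower likelihood,
    transfer lowers impact, termination removes the risk (returns None)."""
    if risk.treatment == "Tolerate":
        return risk
    if risk.treatment == "Treat":
        return replace(risk, likelihood=max(1, risk.likelihood - 2))
    if risk.treatment == "Transfer":
        return replace(risk, impact=max(1, risk.impact - 2))
    return None  # Terminate


def rank(risks):
    """Evaluate step: highest score first, impact breaks ties."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def heat_counts(risks) -> Counter:
    return Counter(rating(r.score) for r in risks)


def appetite_breaches(risks):
    """Inherent risks above appetite that are merely tolerated: a policy gap."""
    return [r.rid for r in risks if r.score > RISK_APPETITE and r.treatment == "Tolerate"]


def assess(register):
    """Heat diagram before and after treatment, plus the appetite check."""
    before = heat_counts(register)
    after = heat_counts(r for r in map(residual, register) if r is not None)
    return {
        "inherent": dict(before),
        "residual": dict(after),
        "hot_before": before["Red"] + before["Amber"],
        "hot_after": after["Red"] + after["Amber"],
        "breaches": appetite_breaches(register),
    }


# Constructed sample register (not real data).
REGISTER = [
    Risk("R1", "Ransomware on file servers", LIKELIHOOD["likely"], IMPACT["severe"], "Treat"),
    Risk("R2", "Primary data centre flood", LIKELIHOOD["unlikely"], IMPACT["severe"], "Transfer"),
    Risk("R3", "Legacy FTP service exposed", LIKELIHOOD["possible"], IMPACT["moderate"], "Terminate"),
    Risk("R4", "Key supplier insolvency", LIKELIHOOD["possible"], IMPACT["major"], "Tolerate"),
    Risk("R5", "Laptop theft (disk encrypted)", LIKELIHOOD["possible"], IMPACT["minor"], "Tolerate"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.rid} {r.score:>2} {rating(r.score):<5} {r.treatment:<9} {r.description}")
    print(assess(REGISTER))
```

Running it shows the heat map moving from one Red and three Amber to two Amber and two Green, and flags R4 as a risk above appetite that is only tolerated: that is the kind of finding the "Treat the risks" step should document with a reason.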
49. Risk Management Maturity Model
• There is no established Maturity Model for Risk Management as yet;
• But one can easily be developed and adopted.
"If you can't describe what you are doing as a process, you don't know what you're doing"
- W. Edwards Deming
51. RM Maturity Model
• Levels and parameters defined by someone else
• Level 1: Ad hoc. Undocumented; in a state of dynamic change; depends on individual heroics.
• Level 2: Preliminary. Risk defined in different ways and managed in silos. Process discipline is unlikely to be rigorous.
• Level 3: Defined. A common risk assessment/response framework is in place. An organization-wide view of risk is provided to executive leadership. Action plans are implemented in response to high-priority risks.
52. RM Maturity Model
• Levels and parameters defined by someone else
• Level 4: Integrated. Risk management activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise-wide risk monitoring, measurement and reporting. Alternative responses are analyzed with scenario planning. Process metrics are in place.
• Level 5: Optimized. Risk discussion is embedded in strategic planning, capital allocation, other processes and daily decision-making. An early warning system notifies the board and management of risks above established thresholds.
53. Other RM Standards
• ISO 14971 - Medical devices – Application of risk management to medical devices
• ISO/IEC 16085 - Systems and software engineering – Life cycle processes – Risk management
• ISO 17666 - Space systems – Risk management
• ISO/IEC 27005 - Information technology – Security techniques – Information security risk management
54. Other RM Standards
• AS/NZS 4360 - Risk Management**
• COSO Enterprise Risk Management – Integrated Framework
• NIST SP 800-30 - Risk Management Guide for Information Technology Systems
** Base standard for ISO 31000; widely regarded as the first formal standard devoted to Risk Management
56. Other Strategic Risks
• Recently, the following have been gaining a lot of importance:
• Sustainability Risks
• Cloud Computing Risks
57. Risk Management Rules
1. Don't underestimate your risks
2. Risks don't go away (they exist whether or not you manage them)
3. Certifications don't make you ready
4. You can't just rely on technology
5. Be careful of professional burnout
6. Look after your (precious) data
7. Risk Management? Incident Management?
8. Manage risks from the top down
9. Don't reveal your internal documents
10. Lies, damned lies and statistics…
58. A Balanced Approach - Risks need to be understood
(Diagram) Potential threats to assets and potential vulnerabilities, reality-checked against the organisation's risk appetite, lead to a balanced solution: a solution for acceptable risk, plus mitigation for the rest. The diagram rates Information Security, Cost, Risk and Usability on Low-to-High scales to show that improving one moves the others.
Risk Management is the management of trade-offs.