Lesson 20-Risk Management

1
Lesson 20-Risk Management
2
Objectives

• Upon completion of this lesson, the learner will
  be able to
• Explain the purpose of risk management and
  describe an approach to effectively manage risk.
• Describe differences between qualitative and
  quantitative risk assessment.
• Explain, by example, how both approaches,
  qualitative and quantitative risk assessment, are
  necessary to effectively manage risk.
• Define important terms associated with risk
  management.
• Describe various tools related to risk management.

3
Risk Management An Overview

• Risk management can be described as a
  decision-making process which avoids costly
  oversights and unexpected problems.
• It as an ongoing process and is an essential
  element of management. It encompasses all the
  actions to
• Reduce complexity.
• Increase objectivity.
• Identify important decision factors.
• Businesses need to take risks to retain their
  competitive edge.
• Risk management is both a skill and a task.
• Depending on the size of the project and the
  amount of risk involved, risk management can be
  simple or complex.

4
Macro-Level Example of Risk Management
International Banking

• The Basel Committee on Banking Supervision is
  composed of government central-bank governors
  from around the world.
• This body created a basic, global risk management
  framework for market and credit risk.
• The Basel Committee implemented capital charge to
  banks at flat 8 percent internationally to manage
  bank risks.
• However, if banks can show they have very strong
  risk mitigation procedures and controls in place,
  that capital charge can be reduced to as low as
  0.37 (0.37 percent).
• If a bank has poor procedures and controls, then
  capital charge can be as high as 45 (45
  percent).

5
Understanding Risk Management

• Key terms
• Risk - the possibility of suffering a loss.
• Risk management - the decision-making process of
  identifying threats and vulnerabilities and their
  potential impacts.
• Risk assessment (or risk analysis) - the process
  of analyzing an environment to identify the
  threats, vulnerabilities, and mitigating actions
  to determine the impact of an event on a project,
  program, or business.
• Asset - a resource or information required by an
  organization to conduct its business.
• Threat - any circumstance or event that may cause
  harm to an asset.
• Vulnerability - the characteristic of an asset
  that can be exploited by a threat to cause harm.
• Impact - the loss when a threat exploits a
  vulnerability.
• Control (countermeasure or safeguard) - a measure
  to detect, prevent, or mitigate the risk
  associated with a threat.

6
Understanding Risk Management

• Key terms (continued)
• Qualitative risk assessment - the process of
  subjectively determining the impact of an event
  that affects a project, program, or business.
• Quantitative risk assessment - the process of
  objectively determining the impact of an event
  that affects a project, program, or business.
• Mitigate - action taken to reduce the likelihood
  of a threat occurring.
• Single loss expectancy (SLE) - the monetary loss
  or impact of each occurrence of a threat.
• Exposure factor - a measure of the magnitude of
  loss of an asset. It is used in the calculation
  of single loss expectancy.
• Annualized rate of occurrence (ARO) - the
  frequency with which an event is expected to
  occur on an annualized basis.
• Annualized loss expectancy (ALE) - the estimate
  of how much an event is expected to cost per year.

7
Risk Management

• Carnegie Mellon Universitys Software Engineering
  Institute defines continuous risk management as
  processes, methods, and tools for managing risks
  in a project. It provides a disciplined
  environment for proactive decision-making to
• Assess what could go wrong (risks).
• Determine which risks are important.
• Implement strategies to deal with those risks.
• Risk is often divided into two areas
• Business risk
• Technology risk

8
Examples of Business Risks

• Treasury management
• Revenue management
• Contract management
• Fraud
• Environmental risk management
• Regulatory risk management
• Business continuity management
• Technology
• Security and privacy.
• Information technology operations.

• Business systems control and effectiveness.
• Business continuity management.
• Information systems testing.
• Reliability and performance management.
• Information technology asset management.
• Project risk management.
• Change management.

The most common business risks
9
General Risk Management Model

• There are several risk management models for
  managing risk through its various phases.
• The chosen models should align with the business
  objectives and strategies.
• The two risk management models are general risk
  management model and the Software Engineering
  Institute model.
• General risk management model includes the
  following steps
• Asset identification.
• Threat assessment.
• Impact definition and quantification.
• Control design and evaluation.
• Residual risk management.

10
Asset Identification

• In this step, the assets, systems, and processes
  that need protection need to be identified and
  classified, as they are vulnerable to threats.
• Assets include
• Inventory and buildings.
• Cash.
• Information and data.
• Hardware and software.
• Services, documents, and personnel.
• Brand recognition and organization reputation.
• Goodwill.

11
Threat Assessment

• In this step, the possible threats and
  vulnerabilities associated with each asset and
  the likelihood of their occurrence is identified.
• Common classes of threat include
• Natural disasters.
• Man-made disasters.
• Terrorism.
• Errors.
• Malicious damage or attacks.
• Fraud.
• Theft.
• Equipment or software failure.

12
Threat Assessment

• Vulnerabilities are characteristics of resources
  that can be exploited by a threat to cause harm.
• Unprotected facilities.
• Unprotected computer systems.
• Unprotected data.
• Insufficient procedures and controls.
• Insufficient or unqualified personnel.

13
Impact Definition and Quantification

• When a threat is realized, it turns risk into
  impact which is the loss created when a threat
  exploits a vulnerability.
• Impacts can be either tangible or intangible.
• Tangible impacts include
• Direct loss of money.
• Endangerment of staff or customers.
• Loss of business opportunity.
• Reduction in operational efficiency or
  performance.
• Interruption of a business activity.
• Intangible impacts include
• Breach of legislation or regulatory requirements.
• Loss of reputation or goodwill (brand damage).
• Breach of confidence.

14
Control Design and Evaluation

• Controls are designed to control risk by reducing
  vulnerabilities to an acceptable level.
• Controls can be actions, devices, or procedures.
• They can be
• Preventive controls - prevent the vulnerability
  from being exploited by a threat, thus causing an
  impact.
• Detective controls - detect a vulnerability that
  has been exploited by a threat so that action can
  be taken.

15
Residual Risk Management

• Any risks that remain after implementing controls
  are termed residual risks.
• Residual risks can be further evaluated to
  identify where additional controls are required
  to further reduce risk.
• Business process reengineering or organizational
  changes can create new risks or weaken existing
  control activities.

16
Software Engineering Institute Model

• The Software Engineering Institute model lists
  the following steps for risk management
• Identify - look for risks before they become
  problems.
• Analyze convert the data into information that
  can be used to make decisions.
• Plan - review and evaluate the risks and decide
  the actions to mitigate them.
• Track - monitor the risks and the mitigation
  plans.
• Control - make corrections for deviations from
  the risk mitigation plans.

17
Qualitatively Assessing Risk

• To qualitatively assess risk, the impact of the
  threat needs to be compared with the probability
  of occurrence.
• For example, if a threat has a high impact and a
  high probability of occurring, the risk exposure
  is high.
• Conversely, if the impact is low with a low
  probability, the risk exposure is low.

Risk Complexity vs Project Size
18
Qualitatively Assessing Risk
Three levels of analysis
19
Qualitatively Assessing Risk
Example of a combination assessment
20
Quantitatively Assessing Risk

• Quantitative risk assessment applies historical
  information and trends to predict future
  performance. It is dependent on historical data,
  which can be difficult to gather.
• Quantitative risk assessment may also rely on
  models.
• These models provide decision-making information
  in the form of quantitative metrics, which
  attempt to measure risk levels across a common
  scale.
• Key assumptions underlie any model, and different
  models will produce different results even when
  the input data is the same.
• Despite research in improving and refining the
  various risk analysis models, expertise and
  experience are considered essential for risk
  assessment.
• Models can never replace judgment and experience,
  but they can enhance the decision-making process.

21
Adding Objectivity to a Qualitative Assessment

• Adding Weights and Definitions to the Potential
  Impact

22
A Common Objective Approach

• More complex models allow analyses based on
  statistical and mathematical models.
• A common method is the calculation of the
  annualized loss expectancy (ALE).
• This calculation begins by calculating
  single-loss expectancy (SLE) with the following
  formula
• SLE asset value exposure factor

23
Qualitative versus Quantitative Risk Assessment

• It is impossible to conduct risk management that
  is purely quantitative.
• Usually risk management includes both qualitative
  and quantitative elements, requiring both
  analysis and judgment or experience.
• It is possible to accomplish purely qualitative
  risk management.
• The decision of whether to use qualitative versus
  quantitative risk management depends on
• The criticality of the project.
• The resources available.
• The management style.
• The decision will be influenced by the degree to
  which the fundamental risk management metrics can
  be quantitatively defined.

24
Tools to Enhance Risk Management

• The tools that can be used during the various
  phases of risk assessment are
• Affinity grouping - A method of identifying
  related items and then identifying the principle
  that ties them together into a group.
• Baseline identification and analysis - The
  process of establishing a baseline set of risks.
  It produces a snapshot of all the identified
  risks at a given point in time.
• Cause and effect analysis - Identifying
  relationships between a risk and the factors that
  can cause it.
• Cost/benefit analysis - A method for comparing
  cost estimates with the benefits of a mitigation
  strategy.
• Gantt charts - A management tool for diagramming
  schedules, events, and activity duration.
• Interrelationship digraphs - A method for
  identifying cause-and-effect relationships by
  defining the problem, identifying its key
  elements, and describing their relationships.
• PERT (program evaluation and review technique)
  charts - A diagram depicting interdependencies
  between project activities, showing the sequence
  and duration of each activity.
• Risk management plan - A comprehensive plan
  documenting how risks will be managed on a given
  project.