Risk Analysis A few introductory thoughts


1 Risk Analysis A few introductory thoughts Dr. Gábor Jeney, PhD Senior researcher (BME) Senior/lead auditor of ISO at AIB-Vincotte CEO of Network Security Audit Ltd.

2 Outline Understanding the meaning of the subject The process of RA Examples of how people do the process of RA Notations Arrows represent information flows and/or dependence Light grey slides are off topic (background)

3 Why should we bother? What is the point of this subject? Why do a risk analysis? Where is risk analysis? What is risk anyway? Threat vs. opportunity Why do risk analysis? What can it do for us? What can we do with risks? Assess them Identify them, analyse them, evaluate them Treat them

4 Where is RA? At the heart of every investor Low risk investments are preferred Whatever low risk means... At the centre of most management systems: In modern Quality MSs, including: ISO/TS 16949 (automotive industry) QS 9000 (predecessor of ISO/TS 16949) AS-9100 (aerospace industry) ISO (Environmental MS) ISO (Information Security MS) ISO (Risk Management) To sum up: RA is at the heart of good management

5 What is risk? from the book Risk/Threat = random event that could have a negative effect/impact on the goals of the organization/investment Risk = scenario + probability + severity (of impact) Opportunity = random event that could have a positive effect/impact on the goals of the organization/investment The same three elements Threat <=> opportunity: opposite sides of the same coin Opportunity = a high probability (p > 50%) threat which might not happen (with probability 1 − p < 50%)

6 What is risk? from ISO Internal and external factors make it uncertain that organizations can achieve their goals and objectives RISK = effect of this uncertainty All activities involve RISK (!)

7 What is risk? Examples A flowerpot falling on your head while walking Suffering a car accident while driving Closing financial positions with a lower balance compared to the opening one

8 How many risks are there? Plenty! While walking A flowerpot falling on your head Suffering an accident (e.g. fracture), etc. While driving Suffering a car accident Running out of petrol Having technical problems (e.g. breakdown), etc. Financial example Closing positions with a lower balance Loss of liquidity (unable to close the position), etc.

9 Why do RA? from ISO Increase the likelihood of achieving objectives Encourage proactive management Be aware of the need to identify and treat risk throughout the organization Improve the identification of opportunities and threats Comply with relevant legal and regulatory requirements and international norms Improve mandatory and voluntary reporting Improve governance Improve stakeholder confidence and trust Establish a reliable basis for decision making and planning

10 Why do RA? from ISO (cont.) Improve controls Effectively allocate and use resources for risk treatment Improve operational effectiveness and efficiency Enhance health and safety performance and environmental protection Improve loss prevention and incident management Minimize losses Improve organizational learning Improve organizational resilience

11 Background: continuous improvement, the PDCA cycle Plan (P) Do (D) Act (A) Check (C)

12 Basics: the process based thinking Every activity can be divided into subsequent or parallel processes Processes should have Name and description Inputs (material or information) Outputs (material or information) Methodology (the way the process should be done) People (the employees who carry out the process) Machines, tools, etc. (tools needed for the process) Measure (the efficiency of the process)

13 Basics: the process based thinking: the turtle diagram Methodology People Inputs Process name and description Outputs Machines, tools Measure

14 The responsibility assignment (RACI) matrix/diagram R = Responsible Who does the work. Typically one person A = Accountable Who approves the work. Must be exactly one person C = Consulted (Collaborating) Two-way communication I = Informed One-way communication

15 What to do with risks? Concept and framework of risk assessment Risk assessment Identify the risks Analyse the risks Evaluate the risks Treat the risks Monitoring and review of risk assessment

16 Where is risk analysis? Risk management

17 Risk definitions vocabulary (from ISO 31000) Risk: effect of uncertainty on objectives Risk is often characterized by events, their consequences and their likelihood Risk assessment: overall process of risk identification, risk analysis and risk evaluation Risk identification: process of finding, recognizing and describing risks Risk analysis: process to comprehend the nature of risk and to determine the level of risk Level of risk: magnitude of risk expressed in terms of the combination of consequences and likelihood

18 Risk definitions vocabulary (from ISO 31000) (cont.) Risk criteria: terms of reference against which the significance of risk is evaluated Risk evaluation: process of comparing the results of risk analyses with risk criteria to determine whether the risk and/or its magnitude is acceptable/tolerable Risk treatment: process to modify risk Residual risk: risk remaining after risk treatment

19 PDCA in risk management P (Plan) Design of framework for managing risk A (Act) Continual improvement of the framework D (Do) Implementing risk management C (Check) Monitoring and review of the framework

20 P. Design of framework for managing risk P.1 Understanding of the organization and its context P.2 Establishing risk management policy P.3 Accountability P.4 Integration into organizational processes P.5 Resources P.6 and P.7 Establishing internal (P.6) and external (P.7) communication and reporting mechanisms

21 P.1 Understanding of the organization and its context External context Social, cultural, political, legal, regulatory, financial, technological, economic, natural, competitive environment National, regional, or local level Key drivers and trends having impact on the organization Relationships with external stakeholders

22 P.1 Understanding of the organization and its context Internal context Governance, organizational structure, roles and accountabilities Policies, objectives, strategies Capabilities (capital, time, people, processes, systems, technologies) Information systems, information flows and decision making Relationships with internal stakeholders Organizational culture Standards and models adopted by the organization Contractual relationships

23 P.2 Establishing the risk management policy (RMP) Organization's rationale for managing risk Link between organization's objectives and policies and RMP Accountabilities and responsibilities for managing risk How conflicting interests are dealt with Commitment to provide resources Risk management performance measures Commitment to review and improve RMP

24 P.3 Accountability Identify risk owners that have accountability Identify who is accountable for the development, implementation and maintenance of the risk management framework Identify other responsibilities in the organization Establish performance measures for internal and/or external reporting Ensure appropriate levels of recognition

25 P.4 Integration into organizational processes Risk management should be embedded into policy development, business and strategic planning and review Organization-wide risk management plan To ensure that risk management is embedded in all organizational practices and processes It can be integrated in the strategic plan

26 P.5 Resources People, skills, experience and competence Resources needed for each step of the risk management process Processes, methods and tools needed for risk management Documented processes and procedures Information and knowledge management systems Training programs

27 P.6 Establishing internal communication and reporting Key components (and modifications) of the framework must be communicated correctly Adequate internal reporting of effectiveness and outcomes Ensure that the required information is available Processes for consultation with internal stakeholders Consolidation of information from different sources and of different sensitivities

28 P.7 Establishing external communication and reporting Effective exchange of information with external stakeholders External reporting for (legal, regulatory and governance) compliance Feedback and reporting on communication and consultation Use communication to build confidence in the organization Communicate with stakeholders in case of crisis or contingency

29 PDCA in risk management (revealed) P (Plan) Design of framework for managing risk A (Act) Continual improvement of the framework D (Do) Implementing risk management C (Check) Monitoring and review of the framework

30 D. Implement risk management Define timing and strategy for implementing the framework Apply and implement risk management policy and process Comply with legal and regulatory requirements Ensure that decisions (incl. setting objectives) are based on the outcomes of risk management Hold information and training sessions Communicate and consult with stakeholders to ensure that risk management framework is appropriate

31 C. Monitoring and review of the framework Continuously measure risk management performance against expectations Periodically measure progress against risk management plan Periodically review the risk management framework (change of internal/external context) Report on risk, progress with risk management plan and how the risk management policy is followed Review the efficiency of the risk management framework

32 A. Continual improvement of the framework Based on monitoring and reviews, decisions are made on how risk management framework, policy and plan can be improved

33 Implementing risk management: Risk assessment

34 Remember Risk assessment = Risk identification + Risk analysis + Risk evaluation Risk assessment Identify the risks Analyse the risks Evaluate the risks

35 Risk identification Aim: to generate a comprehensive list of risks based on those events that might affect the achievement of objectives Risk: 1) events, 2) their causes, 3) their consequences Collection of risks (events, causes and consequences) Comprehensive identification is critical, because a risk that is not identified here will not be included in the next steps. All significant causes and consequences should be considered Cascade and cumulative effects are to be considered Should consider a wide range of consequences Relevant and up-to-date information (appropriate background information) People with appropriate knowledge should be involved

36 The turtle of risk identification Inputs: relevant and up-to-date information (appropriate background information) Tools: anything producing the above inputs, or any other help Output: comprehensive list (inventory) of risks People: people with appropriate knowledge Methodology: to produce a comprehensive inventory (a more concrete methodology is still to be described) Measure: e.g. the number of risks that were missed

37 Risk analysis 1 Aim: to understand risks and to make risks comparable Two outputs: Risk evaluation: should the risk be treated? Decision making: types and levels of risk related to different choices Consideration of causes and sources of risks, their consequences and likelihood Existing controls should be taken into account Interdependence between risks and their sources should be considered Confidence should be clearly stated (e.g. divergence of opinion among experts, uncertainty)

38 Risk analysis 2 Risk Analysis can be 1) qualitative, 2) semi-quantitative, 3) quantitative, or the combination of these Risk is analyzed by determining consequences and their likelihood Verbal => numerical transformation Consequences can be expressed in terms of tangible and intangible impacts Likelihood can be determined by modelling, extrapolation, or from available data In some cases more than one numerical value is required
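The vocabulary of slides 17-18 and the analysis steps of slides 37-38 fit together as one small risk register. The following is an added example, not code from the lecture: it encodes the verbal-to-numerical transformation as two 1-5 scales, computes the level of risk as the combination of likelihood and (worst) consequence, evaluates it against risk criteria, and applies a treatment to obtain the residual risk. The scales, the criteria thresholds, the "while driving" sample risks and the control names are constructed assumptions chosen for illustration; ISO 31000 prescribes none of them.

```python
"""Added example, not from the lecture slides: the ISO 31000 vocabulary
(identification, analysis, evaluation, treatment, residual risk) as a
runnable risk register.  The 1-5 verbal scales, the risk criteria and the
sample risks below are constructed assumptions chosen for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field, replace

# Verbal => numerical transformation (semi-quantitative analysis).  Assumed scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (assumed): the terms of reference the evaluation compares against.
CRITERIA = {"intolerable": 15, "tolerable_with_treatment": 8}


@dataclass
class Risk:
    """Identification output: an event, its causes and its consequences."""
    event: str
    causes: list[str]
    likelihood: str                       # verbal likelihood of the event
    consequences: dict[str, str]          # impact area -> verbal consequence (several values)
    controls: list[str] = field(default_factory=list)  # existing controls, reflected in the ratings
    confidence: str = "high"              # stated confidence in the analysis


def level_of_risk(risk: Risk) -> int:
    """Risk analysis: level of risk = likelihood combined with the worst consequence.
    Each consequence area is rated separately; the level takes the largest."""
    worst = max(CONSEQUENCE[c] for c in risk.consequences.values())
    return LIKELIHOOD[risk.likelihood] * worst


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    level = level_of_risk(risk)
    if level >= CRITERIA["intolerable"]:
        return "treat"
    if level >= CRITERIA["tolerable_with_treatment"]:
        return "treat if practicable"
    return "accept"


def treat(risk: Risk, control: str, likelihood: str | None = None,
          consequences: dict[str, str] | None = None) -> Risk:
    """Risk treatment: modify the risk by adding a control (hypothetical name).
    The returned Risk is the residual risk and is evaluated with the same criteria."""
    return replace(
        risk,
        controls=risk.controls + [control],
        likelihood=likelihood or risk.likelihood,
        consequences=consequences or risk.consequences,
    )


def expected_loss(probability: float, impact: float) -> float:
    """Quantitative variant of slide 5: risk = probability x severity, as expected loss."""
    return probability * impact


# Constructed inventory following the slides' "while driving" examples.
REGISTER = [
    Risk(event="Car accident while driving",
         causes=["driver fatigue", "bad weather"],
         likelihood="possible",
         consequences={"safety": "severe", "financial": "moderate"},
         controls=["seat belts", "winter tyres"],
         confidence="medium"),
    Risk(event="Running out of petrol",
         causes=["no fuel check before the trip"],
         likelihood="unlikely",
         consequences={"financial": "minor", "schedule": "moderate"}),
]


def assess(register: list[Risk]) -> dict[str, tuple[int, str]]:
    """Risk assessment = identification (the register) + analysis + evaluation."""
    return {r.event: (level_of_risk(r), evaluate(r)) for r in register}


if __name__ == "__main__":
    for event, (level, decision) in assess(REGISTER).items():
        print(f"{event}: level {level} -> {decision}")
    residual = treat(REGISTER[0], "fatigue-detection system", likelihood="unlikely")
    print(f"residual: level {level_of_risk(residual)} -> {evaluate(residual)}")
```

Two points of the slides are visible in the code: existing controls are part of the input (the ratings already assume seat belts are worn), and the "more than one numerical value" case is handled by rating each impact area separately and letting the evaluation take the worst one, rather than collapsing safety and money into a single number too early.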

39 The turtle of risk analysis HOMEWORK