In this webinar, we will discuss about risk assessment methodology, the link between assets, risks, vulnerability and how to start-off. This presentation is tailored to enhance practitioner’s insights on how to combine assets, threats and vulnerability, in order to identify the risks that supply chain services and activities are exposed to. Main points covered: • Risk Assessment Methodology • How to match Assets, Risks & Vulnerability • Start-Off Presenter: The webinar was presented by Mr. Samuel MAZOYA (ITIL EXPERT, CRM, ABCP-BCMS, ISO 28000, 22301). A graduate of Industrial Design/Technology with over 15 years in the world of IT. He is an erudite instructor with excellent delivery testimonials. His areas of expertise are ITIL® (IT Infrastructure Library-Foundation, Intermediate, and Expert Levels), ISO 28000 (Supply Chain), ISO 22301 (BCMS) and CRM (Customer Relationship Management). Link of the recorded session published on YouTube: https://youtu.be/CHJ5PUaLfss

2. Samuel Mazoya
Managing Partner at BIWDANT CONSULT
LIMITED
Samuel MAZOYA: (ITIL EXPERT, CRM, ABCP-BCMS, ISO 28000,
22301). A graduate of Industrial Design/Technology with over 15
years in the world of IT. He is an erudite instructor with very good
and unmatched delivery testimonials. His areas of expertise are
ITIL® (IT Infrastructure Library-Foundation, Intermediate, and
Expert Levels), ISO 28000 (Supply Chain), ISO 22301 (BCMS) and
CRM (Customer Relationship Management).
Contact Information
Add your number please
samuel@biwdant.com
www.biwdant.com
https://ng.linkedin.com/in/samuel-mazoya

3. Overview
Risk management methodology in the past allows you to
identify risks using any methodology you like; however,
today’s Risk management requires identification of
assets, threats and vulnerabilities.
This presentation is tailored to enhance practitioners
insights on how to combine assets, threats and
vulnerability in order to identify risks to which supply
chain services, processes and activities are exposed to.

4. Assets
 An asset is anything that has value to the
organization which needs to be protected.
 For Supply Chain operations, we can
categorize assets as follows:
 1. Primary Assets which consists of business
processes and information assets. During our
risk assessment activities, these primary
assets should take upmost importance in
safeguarding.

5. Assets Cont.
 2. Supporting Assets: These includes the
hardware, software, computer networks, staff,
sites and organizational structures needed to
support the primary assets to deliver its
outputs to business opeartions.

6. Risk
 The chance of something happening,
measured in terms of probability and
consequences. The consequence may be
either positive or negative. Risk in a general
sense can be defined as the threat of an
action or inaction that will prevent an
organisation’s ability to achieve its business
objectives. The results of a risk occurring are
defined by the impact.

7. Vulnerability
 A weakness that could be exploited by a
threat-For example, an open firewall port, a
password that is never changed.
 A missing or weak control measure can also
be considered to be a vulnerability

8. Start-off Approach
* Gain agreement on Risk Assessment Tolerance with all
stakeholders
* Risk identification is the first step of the Risk Assessment
process and care + quality time should be invested in
carrying out this activity.
* After identifying the Risk Supply Chain processes,
services and activities plus systems are vulnerable to,
the Risk Evaluation process (Assessing the impact and
likelihood) follows.

9. Start-Off Approach cont.
 Evaluate and classify risk impacts and
vulnerabilities related to supply chain
processes, activities and operations as well as
their dependencies
 Conduct an analysis of the controls in place to
identify business resiliency strategy for
mitigating identified risks
 Document and present the risk assessment
for management approval

10. Start-off Approach cont.
 To make your risk assessment easier, you can use a
sheet with assets, threats and vulnerabilities in columns;
you should also include some other information like risk
ID, risk owners, impact and likelihood, etc
S/N Risk ID Risk Owner Impact Likelihood

11. Developing Threats, Assets &
Vulnerability Matrix
It is usually easiest to start listing items column by column,
not row by row – this means you should list all of your
assets first, and only then start finding a couple of
threats for each asset, and finally find a couple of
vulnerabilities for each threat.
We have identified risks faced , lets look at what the
matching of these three, Assets, Threats and
Vulnerability looks like for a Supply Chain operation.

12. Developing Threats, Assets &
Vulnerability Matrix
 This matrix gives a broader picture of which
risk have the highest probability of having the
most impact. The last column should indicate
what recommended mitigation should be put
in place to reduce the effect of the risk in the
even of occurrence.
 The next slide gives an example of
Threat/Risk Matrix

13. Threat/Risk Matrix sample
Risk Power
Failure
Buildin
g
Access
Facility/
Equipmen
t Damage
Fire Commu
nication
Access
Comput
er
Shutdo
wn
Data
Loss
Threats
Tornado * * * * * * *
Lightning * * * * * * *
Plane
Crash
* * * * * * *
Water/Pi
e leak
* * *
Fire * * * * * * *
Cable
Cut
* * * * *

14. Location/Threat Matrix
Location Threat/Probability Recommended
Control
H/Q Office Hurricane/Low Business Continuity
Plan
Boston Office Power Outage/High Backup Generator UPS
on critical systems
San Francisco Office Tornado/Medium Tornado shelter on site,
Tornado drills, Property
insurance, Weather
radios
Miami Office Earthquake/High Anchor equipment to
walls/desktops, Secure
hazardous items
UK Office Hurricane/High Backup generator,
Business Continuity
Plan

15. Matching of Assets, Threats &
Vulnerability
 Supply Chain Assets: Paper Document.
 threat: fire; vulnerability: document is not stored in a
fire-proof cabinet (risk related to the loss of availability
of the information)
 threat: fire; vulnerability: there is no backup of the
document (potential loss of availability)
 threat: unauthorized access; vulnerability: document is
not locked in a cabinet (potential loss of
confidentiality)

16. Matching of Assets, Threats &
Vulnerability Cont.
 Supply Chain Asset: digital document:
 threat: disk failure; vulnerability: there is no backup of
the document (potential loss of availability)
 threat: virus; vulnerability: anti-virus program is not
properly updated (potential loss of confidentiality,
integrity and availability)
 threat: unauthorized access; vulnerability: access
control scheme is not properly defined (potential loss
of confidentiality, integrity and availability)
 threat: unauthorized access; vulnerability: the access
was given to too many people (potential loss of
confidentiality, integrity and availability)

17. Matching of Assets, Threats &
Vulnerability Cont.
 Asset: system administrator:
 threat: unavailability of this person; vulnerability: there
is no replacement for this position (potential loss of
availability)
 threat: frequent errors; vulnerability: lack of training
(potential loss of integrity and availability)
 etc.

18. How much is enough?
 Very often you hear people ask how many risks
should they identify? If they start being really
thorough, for each asset they could find 10 threats,
and for each threat at least 5 vulnerabilities – this is
quite realistic, isn’t it?
 Now if you are a small company with 50 assets, this
would mean you would end up with 2,500 risks, which
would probably be overkill for this size of a company.
This is why you should focus only on the most
important threats and vulnerabilities, while including
all the assets; that would mean that per each asset
you should identify on average 5 threats, and for each
threat on average 2 vulnerabilities. This way you
would end up with 500 risks for a smaller company
with 50 assets, which is quite manageable..

19. ISO 28000 Training Courses
 ISO 28000 Introduction
1 Day Course
 ISO 28000 Foundation
2 Days Course
 ISO 28000 LEAD IMPLEMENTER
5 Days Course
 ISO 28000 Lead Auditor
5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-28000-training-courses| www.pecb.com/events

20. THANK YOU
?
Add your number please
samuel@biwdant.com
www.biwdant.com
https://ng.linkedin.com/in/samuel-mazoya-b