4. CrisisManagementFoundation
Risk
Meerkats have a sentinel or lookout role performed by
non-breeding members of the community. They watch
for possible predators and other potential threats to
the community. This behaviour is also called the raised
guarding position. This position rotates amongst
different members of the group in no particular order
or structure. Sentinels are usually around when the
group is foraging away from the burrow. The meerkat
on the lookout will sound an alarm by producing a
distinct bark. This allows the offspring to escape inside
the burrows and under protection of adults.Meerkats
are aware that life is full of risks, like cobra's and eagles
and thus plan to mitigate those risks. In the workplace
a person cannot be ignorant about the risks associated
with problems occurring. Evaluate what you have done
to mitigate those risks!
6. CrisisManagementFoundation
Risk
• It is crucial to be able mitigate the risk associated with problems
and thus an established risk analysis methodology needs to be
adopted and utilized. How will we know if the problem is required
to be solved or not?
• How will we know which problems need to be worked on and
prioritized over others?
• The risk assessment methodology needs to cover the landscape –
refer the TOYOTA logo
7. CrisisManagementFoundation
The three ellipses
There are three ellipses visible in the company’s logo. Each ellipse
represents the heart of the customer, the heart of the product and
the heart of technological progress.
8. CrisisManagementFoundation
The IT landscape / DA matrix
A matrix of overlapping areas with the
areas being people, process and
technology.
Many practitioners concentrate on a
single block but then that only addresses
a small area of risk that will be mitigated.
Each block has a present and future:
• Threat
• Opportunity
These are underpinned by perceived:
• Strengths
• Weaknesses
These blocks can be viewed as there
own SWOT (see example SWOT
template)
Areas
Disciplines
9. CrisisManagementFoundation
Disciples of risk in the IT landscape
To be able to highlight threats in each area of the IT landscape
there are three attributes that can be used on focus on:
• Confidentiality. Information and services is accessible only to
those authorized (unauthorized disclosure)(loss)
• Integrity. Safeguarding the accuracy and completeness of
information and services (unauthorized modification or
misuse)(error)
• Availability. Authorized customers have access to the information
and services when require (destruction)(failure)
derived from CRAMM
12. CrisisManagementFoundation
Rapid risk assessment
• Rapid framework
• Provide a mechanism process threats using lights, camera and action
methodology
derived from CRAMM and ITIL
Landscape
/ metric Description Type Assessment* Value Vulnerablity Assessment* Value Threat Risk level Control Countermeasures Decision Mitigation Responsibility Relevant policy
PC
Describe the risk (will maintain
intellectual property) Confidentiality Confidential 3 Loss Moderate 2 6 Medium
Not
applicable Provide countermeasures
Control &
countermeasure Insufficent Not applicable
PI
Describe the risk (sufficiently
trained) Integrity Moderate 2 Errors Significant 3 6 Medium
Not
applicable Provide countermeasures On hold Partial Not applicable
PA
Describe the risk (right seats on
the bus) Availablity Negligible 0 Failures High 4 0 Low
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
OC
Describe the risk (engineered not
to leak) Confidentiality Secure 4 Loss Moderate 2 8 Medium
Not
applicable Provide countermeasures
Control &
countermeasure Insufficent Not applicable
OI
Describe the risk (without
ambiquity) Integrity Catastrophic 4 Errors Significant 3 12 High
Not
applicable Provide countermeasures
Control &
countermeasure Partial Not applicable
OA Describe the risk (repeatable) Availablity Mandatory 4 Failures High 4 16 High
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
TC
Describe the risk (system
information protection
requirements) Confidentiality Secure 4 Loss Moderate 2 8 Medium Substitute Provide countermeasures
Control &
countermeasure Insufficent Not applicable
TI
Describe the risk (system
validation requiremenst) Integrity Catastrophic 4 Errors Significant 3 12 High
Not
applicable Provide countermeasures
Control &
countermeasure Partial Not applicable
TA
Describe the risk (system uptime
requirements) Availablity Negligible 0 Failures High 4 0 Low
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
Evaluation
People
Process
Technology
Mitigation
ActionLights Camera
Impact (consequence
of event)
Vulnerablity
(liklihood of
occurrence) Analysis
14. CrisisManagementFoundation
Process (lights, camera, action)
• Lights. List all of the dangers or possible situations associated
with the event activity that may expose services or information to
threats. List these in the template. Use experts or experienced
people to advise you on your risk assessment.
• Camera. Rate or assess what the vulnerability (likelihood) is of
services and information being exposed to threats and what the
impact (consequences) could be as a result of the threat
occurring.
• Action. Identify what practical measures could be put in place to
eliminate or reduce the likelihood of the threat occurring. This is
where changes are made to the event to reduce the risks. Use the
hierarchy of control system to minimise or eliminate threats by
putting in place potential to manage the threats once you have
assessed their risk level.
19. CrisisManagementFoundation
Impact (consequence of event)
• Catastrophic
• Multiple deaths, escalated and debilitating costs, adverse media coverage
• Major
• Serious health impacts for people or permanent disability, severe costs
incurred, widespread media coverage
• Moderate
• Rehabilitation required for injured persons, costs incurred, media and
community concerned
• Low
• Injuries resulting in lost time and claims, some costs incurred, minor isolated
concerns raised by stakeholders, customers
• Negligible
• Persons requiring first aid, insignificant costs incurred, minimum impact to
reputation
20. CrisisManagementFoundation
Vulnerability (likelihood of occurrence)
• High
• It is expected to occur in most circumstances, availability required (excluding
scheduled maintenance), there is a strong likelihood or danger of reoccurrence
• Significant
• Similar dangers have been recorded on a regular basis, availability recovered in
minutes, considered that it is likely that the event could occur
• Moderate
• Availability recovered in hours, incidents or dangers have occurred infrequently
in the past
• Low
• Very few known incidents of occurrence, availability recovered in days, has not
occurred yet, but it could occur sometime
• Negligible
• No known or recorded incidents of occurrence, remote chance, may only
occur in exceptional circumstance
22. CrisisManagementFoundation
Controls
• Eliminate (the threat)
• Remove or stop the threat if possible, remove the cause or source of the threat, by
eliminating the machine, task or work process. If this is not practical, then substitute.
• Substitute (the process)
• Use a less problematic process. If this is not practical, then engineer.
• Engineer (change the technology)
• Introduce different technology. Improve maintenance procedures. If this is not
practical, then:
• Isolate
• Separate or isolate the threat from people by relocation or by changing the operation.
If this is not practical, then administer
• Administer
• Design and communicate written or verbal procedures that prevent the threat from
occurring. If this is not practical, then protect
• Protect
• Provide protect measures appropriate to the risk. Provide training information and
supervision to ensure that the measures will be effective and efficient.
23. CrisisManagementFoundation
Decision
• Control & countermeasures
• Determine what controls are currently in place and which are appropriate to use in
relation to mitigation of issues which are likely to occur.
• Risk transference
• Transferring the cost of the risk occurring to another party such as an
insurer
• Risk acceptance
• Accepting a risk without implementing any mitigating measures
• Risk avoidance
• Disabling or stopping the activity which contributes most to the risk
potentially occurring.
Meerkats have a sentinel or lookout role performed by non-breeding members of the community. They watch for possible predators and other potential threats to the community. This behaviour is also called the raised guarding position. This position rotates amongst different members of the group in no particular order or structure. Sentinels are usually around when the group is foraging away from the burrow. The meerkat on the lookout will sound an alarm by producing a distinct bark. This allows the offspring to escape inside the burrows and under protection of adults.Meerkats are aware that life is full of risks, like cobra's and eagles and thus plan to mitigate those risks. In the workplace a person cannot be ignorant about the risks associated with problems occurring. Evaluate what you have done to mitigate those risks!
Addressing the IT risk management landscape
It is crucial to be able mitigate the risk associated with problems and thus an established risk analysis methodology needs to be adopted and utilized. How will we know if the problem is required to be solved or not?
How will we know which problems need to be worked on and prioritized over others?
The risk assessment methodology needs to cover the landscape – refer the TOYOTA logo
There are three ellipses visible in the company’s logo. Each ellipse represents the heart of the customer, the heart of the product and the heart of technological progress.
A matrix of overlapping areas with the areas being people, process and technology.
Many practitioners concentrate on a single block but then that only addresses a small area of risk that will be mitigated.
Each block has a present and future:
Threat
Opportunity
These are underpinned by perceived:
Strengths
Weaknesses
These blocks can be viewed as there own SWOT (see example SWOT template)
To be able to highlight threats in each area of the IT landscape there are three attributes that can be used on focus on:
Confidentiality. Information and services is accessible only to those authorized (unauthorized disclosure)(loss)
Integrity. Safeguarding the accuracy and completeness of information and services (unauthorized modification or misuse)(error)
Availability. Authorized customers have access to the information and services when require (destruction)(failure)
derived from CRAMM
Reference: https://lnkd.in/e3Wu8hc
SWOT
Download from www.deesmith.co.za Under Resources Tools, Rapid Risk Assessment Tool
Lights, camera, action
Lights. List all of the dangers or possible situations associated with the event activity that may expose services or information to threats. List these in the template. Use experts or experienced people to advise you on your risk assessment.
Camera. Rate or assess what the vulnerability (likelihood) is of services and information being exposed to threats and what the impact (consequences) could be as a result of the threat occurring.
Action. Identify what practical measures could be put in place to eliminate or reduce the likelihood of the threat occurring. This is where changes are made to the event to reduce the risks. Use the hierarchy of control system to minimise or eliminate threats by putting in place potential to manage the threats once you have assessed their risk level.
Lights
Camera
Camera
Camera
Catastrophic
Multiple deaths, escalated and debilitating costs, adverse media coverage
Major
Serious health impacts for people or permanent disability, severe costs incurred, widespread media coverage
Moderate
Rehabilitation required for injured persons, costs incurred, media and community concerned
Low
Injuries resulting in lost time and claims, some costs incurred, minor isolated concerns raised by stakeholders, customers
Negligible
Persons requiring first aid, insignificant costs incurred, minimum impact to reputation
High
It is expected to occur in most circumstances, availability required (excluding scheduled maintenance), there is a strong likelihood or danger of reoccurrence
Significant
Similar dangers have been recorded on a regular basis, availability recovered in minutes, considered that it is likely that the event could occur
Moderate
Availability recovered in hours, incidents or dangers have occurred infrequently in the past
Low
Very few known incidents of occurrence, availability recovered in days, has not occurred yet, but it could occur sometime
Negligible
No known or recorded incidents of occurrence, remote chance, may only occur in exceptional circumstance
Action
Eliminate (the threat)
Remove or stop the threat if possible, remove the cause or source of the threat, by eliminating the machine, task or work process. If this is not practical, then substitute.
Substitute (the process)
Use a less problematic process. If this is not practical, then engineer.
Engineer (change the technology)
Introduce different technology. Improve maintenance procedures. If this is not practical, then:
Isolate
Separate or isolate the threat from people by relocation or by changing the operation. If this is not practical, then administer
Administer
Design and communicate written or verbal procedures that prevent the threat from occurring. If this is not practical, then protect
Protect
Provide protect measures appropriate to the risk. Provide training information and supervision to ensure that the measures will be effective and efficient.
Control & countermeasures
Determine what controls are currently in place and which are appropriate to use in relation to mitigation of issues which are likely to occur.
Risk transference
Transferring the cost of the risk occurring to another party such as an insurer
Risk acceptance
Accepting a risk without implementing any mitigating measures
Risk avoidance
Disabling or stopping the activity which contributes most to the risk potentially occurring.