Outsourcing Risk Management
Barbro Thöyrä
Owner of CeBeLOT AB
Barbro Thöyrä is owner of CeBeLOT AB, BCMS consultant and trainer and a PECB Certified Trainer. Ms Thöyrä is certified for ISO
22301 Master, ISO 22301 Lead Auditor, ICT Disaster Recovery Manager, ISO 28000 Provisional Implementer, and for Outsourcing
Manager from PECB.
+46 (0)708794652 https://se.linkedin.com/in/barbro-thöyrä-119b0427
barbro@thoyra.eu
www.cebelot.se
https://www.facebook.com/barbro.thoyra
General information
- About me
- Content of this webinar
- Duration of the webinar
- Questions
Definition of outsourcing
Outsourcing is the contracting out of business processes or activities to another party.
Why outsourcing
• Financial aspects
• Back to core business
• Lack of competence
• Lack of equipment in production
• Reduction of business
Models of outsourcing:
- Offshoring
- Nearshoring
- Co-sourcing
- In-sourcing
- Crowdsourcing
- Multi sourcing
- Cloud Computing
ISO 37500: The standard provides clear guidance in the space of outsourcing, considering an outsourcing lifecycle model which consists of four phases, with outsourcing governance being at the heart of the standard:
- Strategy analysis
- Selection
- Transition
- Deliver value
- Outsourcing governance (at the heart of all four phases)
• Risk assessment
When do you perform risk analysis
Risks will occur throughout the outsourcing process.
Risk analysis is therefore critical to overall outsourcing governance.
Align with ISO 31000, the generic framework for risk management:
- Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
- Risk treatment
- Risk acceptance
What risks are there with outsourcing
Risk Assessment should at least include areas like:
• Security
• Legal
• Safety
• Environment/geographic
• Finance
• Reputation
• Operational service risk
• Availability
• Media
Techniques and tools to use with risk assessment
• Brainstorming
• Workshops
• Scenarios
• Decision tree
• Hazard analysis
• Consequence/probability matrix
• Cost/benefit analysis
• Interviews
• Questionnaire
• ……..
Risk Identification
• Identify assets and processes
• Identify threats, taking into account:
  - Owners
  - Users
  - Employees
  - Specialists
  - Insurances
• Identify controls in place
• Identify consequences:
  - Service outage
  - Increased complaints
  - Loss of customers
  - Legality
  - Reputation
• Identify the threats to which the asset/process is subject
• Assess the probability that a threat will affect the asset/process
• Assess the vulnerability to the threats
• Identify preventive measures which could be implemented to reduce risk should the threat occur
• Analyse measures already in place to reduce risk should the threat occur
Risk Analysis process
Scale of impact:
  Scale          Impact
  Insignificant  0
  Low            1
  Medium         2
  High           3
  Very high      4
Guidelines
1. Rate the Probability (P) or likelihood of this threat occurring
2. Rate the Vulnerability (V) of the asset/process to each threat identified
3. Rate the level of Controls (C) in place to protect against this threat
Scoring/Grading of Threats
- Probability refers to the likelihood of this threat occurring. Rate as H = High, M = Medium, L = Low.
- Vulnerability refers to a measure of the effect such threats may have, i.e. it identifies weaknesses. Rate as H = High, M = Medium, L = Low.
- Controls refers to the existing measures to counteract the effects of these threats. Rate as H = High, M = Medium, L = Low:
  H = very good controls in place
  M = some controls in place
  L = inadequate controls in place
Risk Evaluation
Resulting risk level by impact (High / Medium / Low) and controls in place:
  Controls in place   Risk level
  None                High, High
  Some                Medium, Medium
  Many                Low, Low
Content of this webinar
• Risk assessment
• Risk treatment
• Risk acceptance
• Compare the estimated level of risk against the risk evaluation and acceptance criteria
• Identify preventive controls which could be implemented to reduce risk should the threat occur
• Analyse controls already in place to reduce risk should the threat occur
• Assess the cost to the company should a control be implemented
• Rank the threats: decide which risks will be treated with priority
Risk Evaluation
• Risk treatment
Risk Treatment
The options for risk treatment are:
• Risk modification
• Risk retention
• Risk avoidance
• Risk sharing
Set up a Risk treatment plan
Residual risk
• Risk acceptance
Risk Acceptance
Criteria for risk acceptance
Acceptance of residual risks
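The scoring, evaluation, ranking and acceptance steps above can be carried through as a small risk register. The following is an added example written for this page, not the webinar's own material: it uses the slide's impact scale (0-4) and H/M/L ratings for probability, vulnerability and controls, evaluates each threat with an impact-vs-controls matrix, ranks threats for treatment, checks them against an acceptance criterion, and re-evaluates the residual risk after a risk-modification treatment. The numeric weights for H/M/L, the matrix cells beyond the ones shown on the slide (no controls with high impact = High, some controls = Medium, many controls = Low), the impact cut-offs, the exposure formula and the acceptance criterion are all assumptions, as is the sample register for a hypothetical outsourced payroll service.

```python
"""Risk register scoring for an outsourced service (added example, not from the webinar)."""
from dataclasses import dataclass, replace

# Impact scale from the slide "Scale of impact".
IMPACT_SCALE = {"Insignificant": 0, "Low": 1, "Medium": 2, "High": 3, "Very high": 4}

# Assumed numeric weights for the H/M/L ratings of probability and vulnerability.
HML_WEIGHT = {"H": 3, "M": 2, "L": 1}

# Evaluation matrix: controls in place (row: L = inadequate, M = some, H = very good)
# against impact band (column) -> risk level.  Only the diagonal is on the slide;
# the other cells are an assumption chosen to keep the matrix monotonic.
RISK_MATRIX = {
    "L": {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "M": {"High": "Medium", "Medium": "Medium", "Low": "Low"},
    "H": {"High": "Low",    "Medium": "Low",    "Low": "Low"},
}
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1}
ACCEPTABLE_LEVELS = {"Low"}  # assumed risk acceptance criterion


@dataclass(frozen=True)
class Threat:
    asset: str          # asset or process being outsourced
    threat: str
    impact: str         # key of IMPACT_SCALE
    probability: str    # H / M / L
    vulnerability: str  # H / M / L
    controls: str       # H = very good, M = some, L = inadequate controls


def impact_band(impact: str) -> str:
    """Map the 0-4 impact scale onto the High/Medium/Low matrix columns (assumed cut-offs)."""
    score = IMPACT_SCALE[impact]
    if score >= 3:
        return "High"
    if score == 2:
        return "Medium"
    return "Low"


def exposure(t: Threat) -> int:
    """Inherent exposure before controls: impact x probability x vulnerability (assumed formula)."""
    return IMPACT_SCALE[t.impact] * HML_WEIGHT[t.probability] * HML_WEIGHT[t.vulnerability]


def risk_level(t: Threat) -> str:
    """Risk level after taking the existing controls into account."""
    return RISK_MATRIX[t.controls][impact_band(t.impact)]


def rank(threats):
    """Order threats for treatment: highest risk level first, then highest exposure."""
    return sorted(threats, key=lambda t: (RISK_ORDER[risk_level(t)], exposure(t)), reverse=True)


def needs_treatment(threats):
    """Threats whose risk level is above the acceptance criterion, in priority order."""
    return [t for t in rank(threats) if risk_level(t) not in ACCEPTABLE_LEVELS]


def modify(t: Threat, new_controls: str) -> Threat:
    """Risk modification: strengthen controls; the returned threat carries the residual risk."""
    return replace(t, controls=new_controls)


# Constructed sample register for a hypothetical outsourced payroll service.
REGISTER = [
    Threat("Payroll processing", "Provider service outage", "High", "M", "H", "L"),
    Threat("Employee records", "Confidential data leak at provider", "Very high", "L", "M", "M"),
    Threat("Invoice reconciliation", "Late monthly report", "Low", "H", "H", "L"),
    Threat("Helpdesk", "Increased complaints after transition", "Medium", "M", "M", "H"),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{risk_level(t):6} exposure={exposure(t):2}  {t.asset}: {t.threat}")
    outage = REGISTER[0]
    print("residual risk after improving controls:", risk_level(modify(outage, "H")))
```

Ranking on the risk level first and on the inherent exposure second keeps the matrix as the deciding criterion while still separating threats that land in the same cell; the residual level returned by `modify` is what goes into the risk acceptance step, and anything still outside `ACCEPTABLE_LEVELS` stays on the treatment plan.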
Reduce outsourcing risks
- Call for tenders and evaluate the proposals before deciding
- Sign a contract which takes into consideration:
  - Quality and result expectations
  - Definition of roles and responsibilities
  - Means of control and audit
  - Intellectual property
  - Confidentiality agreement
- Implement monitoring and review processes to ensure contractual and service level requirements are being met
- Implement third party change management processes
- Security aspects, etc.
- Determine premiums for reaching verifiable results
Review of risk assessment and risk treatment
Risk and impact assessments should be conducted on a regular basis and reviewed at key intervals by the relevant governance committees.
This will allow suitable decisions to be made and risks to be effectively managed before they become specific issues which need to be managed.
2016-03-22
“By failing to prepare
you are preparing to fail.”
— Ben Franklin
QUESTIONS?
THANK YOU
+46 (0)708794652 https://se.linkedin.com/in/barbro-thöyrä-119b0427
barbro@thoyra.eu
www.cebelot.se
https://www.facebook.com/barbro.thoyra

More Related Content

What's hot

Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)
Saras Singh
 
Risk evaluation presentation power point
Risk evaluation presentation power pointRisk evaluation presentation power point
Risk evaluation presentation power point
Alberto Mico
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
Eneni Oduwole
 

What's hot (20)

Risk management
Risk managementRisk management
Risk management
 
Project risk management
Project risk managementProject risk management
Project risk management
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Fraud risk management training - Elsam Management Consultants
Fraud risk management training - Elsam Management ConsultantsFraud risk management training - Elsam Management Consultants
Fraud risk management training - Elsam Management Consultants
 
Operational Risk for Bank
Operational Risk for BankOperational Risk for Bank
Operational Risk for Bank
 
Implementing a Business Continuity Management System in Telecoms
Implementing a Business Continuity Management System in TelecomsImplementing a Business Continuity Management System in Telecoms
Implementing a Business Continuity Management System in Telecoms
 
Risk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesRisk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation Slides
 
Project Risk Management PMBOK
Project Risk Management PMBOKProject Risk Management PMBOK
Project Risk Management PMBOK
 
Chapter 1 risk management (3)
Chapter 1  risk management (3)Chapter 1  risk management (3)
Chapter 1 risk management (3)
 
Risk management
Risk managementRisk management
Risk management
 
Risk management
Risk managementRisk management
Risk management
 
Advanced program management risk mitigation and management
Advanced program management   risk mitigation and managementAdvanced program management   risk mitigation and management
Advanced program management risk mitigation and management
 
Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)
 
Risk evaluation presentation power point
Risk evaluation presentation power pointRisk evaluation presentation power point
Risk evaluation presentation power point
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk Management
 
Risk management: Principles, methodologies and techniques
Risk management: Principles, methodologies and techniquesRisk management: Principles, methodologies and techniques
Risk management: Principles, methodologies and techniques
 
Project Risk Register
Project Risk Register Project Risk Register
Project Risk Register
 
ISO 37001 : Anti Bribery Management System Fraud & Bribery Concepts, Laws & R...
ISO 37001 : Anti Bribery Management System Fraud & Bribery Concepts, Laws & R...ISO 37001 : Anti Bribery Management System Fraud & Bribery Concepts, Laws & R...
ISO 37001 : Anti Bribery Management System Fraud & Bribery Concepts, Laws & R...
 
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
 

Viewers also liked

Is4632 outsourcing strategies (final) (5)
Is4632 outsourcing strategies (final) (5)Is4632 outsourcing strategies (final) (5)
Is4632 outsourcing strategies (final) (5)
tsangchingching
 
很完整的健康方案
很完整的健康方案很完整的健康方案
很完整的健康方案
honan4108
 
Не_виплачують_заробітної_плати
Не_виплачують_заробітної_платиНе_виплачують_заробітної_плати
Не_виплачують_заробітної_плати
Vitalij Misjats
 
resumen de investigación consultada
resumen de investigación consultadaresumen de investigación consultada
resumen de investigación consultada
manuelyunga
 
Universidad nacional de chimborazo(Nellyta)
Universidad nacional de chimborazo(Nellyta)Universidad nacional de chimborazo(Nellyta)
Universidad nacional de chimborazo(Nellyta)
UNACH
 
Android开发工程师必备
Android开发工程师必备Android开发工程师必备
Android开发工程师必备
mornone
 
Basic Planning Principles Of Assyrian, Egyptian, Roman and Greek Cities
Basic Planning Principles Of Assyrian, Egyptian, Roman and Greek CitiesBasic Planning Principles Of Assyrian, Egyptian, Roman and Greek Cities
Basic Planning Principles Of Assyrian, Egyptian, Roman and Greek Cities
Rajat Katarne
 
Alphaworks deck v2
Alphaworks deck v2Alphaworks deck v2
Alphaworks deck v2
alphaworks
 
How effective is the combination of your main q4 eval
How effective is the combination of your main q4 evalHow effective is the combination of your main q4 eval
How effective is the combination of your main q4 eval
lferd
 

Viewers also liked (20)

IT Outsourcing Risks In Financial Sector
IT Outsourcing Risks In Financial SectorIT Outsourcing Risks In Financial Sector
IT Outsourcing Risks In Financial Sector
 
Is4632 outsourcing strategies (final) (5)
Is4632 outsourcing strategies (final) (5)Is4632 outsourcing strategies (final) (5)
Is4632 outsourcing strategies (final) (5)
 
很完整的健康方案
很完整的健康方案很完整的健康方案
很完整的健康方案
 
data science in academia and the real world
data science in academia and the real worlddata science in academia and the real world
data science in academia and the real world
 
Не_виплачують_заробітної_плати
Не_виплачують_заробітної_платиНе_виплачують_заробітної_плати
Не_виплачують_заробітної_плати
 
resumen de investigación consultada
resumen de investigación consultadaresumen de investigación consultada
resumen de investigación consultada
 
Universidad nacional de chimborazo(Nellyta)
Universidad nacional de chimborazo(Nellyta)Universidad nacional de chimborazo(Nellyta)
Universidad nacional de chimborazo(Nellyta)
 
Android开发工程师必备
Android开发工程师必备Android开发工程师必备
Android开发工程师必备
 
Problemas de diseño de mezcla ultimo
Problemas de diseño de mezcla ultimoProblemas de diseño de mezcla ultimo
Problemas de diseño de mezcla ultimo
 
Freitas aula 4
Freitas aula 4Freitas aula 4
Freitas aula 4
 
News Analysis - Is HP getting lean or falling apart?
News Analysis - Is HP getting lean or falling apart?News Analysis - Is HP getting lean or falling apart?
News Analysis - Is HP getting lean or falling apart?
 
Basic Planning Principles Of Assyrian, Egyptian, Roman and Greek Cities
Basic Planning Principles Of Assyrian, Egyptian, Roman and Greek CitiesBasic Planning Principles Of Assyrian, Egyptian, Roman and Greek Cities
Basic Planning Principles Of Assyrian, Egyptian, Roman and Greek Cities
 
HAPPYWEEK 186 - 2016.09.19.
HAPPYWEEK 186 - 2016.09.19.HAPPYWEEK 186 - 2016.09.19.
HAPPYWEEK 186 - 2016.09.19.
 
Evaluation question 1 music video
Evaluation question 1 music videoEvaluation question 1 music video
Evaluation question 1 music video
 
Entrepreneurial ecosystem markers -slides
Entrepreneurial ecosystem markers -slidesEntrepreneurial ecosystem markers -slides
Entrepreneurial ecosystem markers -slides
 
H7
H7H7
H7
 
INDEPEDENT OUTSOURCING ASSURANCE
INDEPEDENT OUTSOURCING ASSURANCEINDEPEDENT OUTSOURCING ASSURANCE
INDEPEDENT OUTSOURCING ASSURANCE
 
Alphaworks deck v2
Alphaworks deck v2Alphaworks deck v2
Alphaworks deck v2
 
How effective is the combination of your main q4 eval
How effective is the combination of your main q4 evalHow effective is the combination of your main q4 eval
How effective is the combination of your main q4 eval
 
The Secrets to Building a Dominant Media Property - Confab MN Central 2014
The Secrets to Building a Dominant Media Property - Confab MN Central 2014The Secrets to Building a Dominant Media Property - Confab MN Central 2014
The Secrets to Building a Dominant Media Property - Confab MN Central 2014
 

Similar to Outsourcing Risk Management

Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
Rand W. Hirt
 
Project Risk Management
 Project Risk Management Project Risk Management
Project Risk Management
Hayat Denzi
 
PROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfPROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdf
MUST
 

Similar to Outsourcing Risk Management (20)

Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
 
Topic 1 - Risk Auditing 1-17.pdf
Topic 1 - Risk Auditing 1-17.pdfTopic 1 - Risk Auditing 1-17.pdf
Topic 1 - Risk Auditing 1-17.pdf
 
Session 18 -2 PMP 4th edition
Session 18 -2  PMP 4th editionSession 18 -2  PMP 4th edition
Session 18 -2 PMP 4th edition
 
Internal Audit Best Practices for Safety, Environment, and Quality Audits
Internal Audit Best Practices for Safety, Environment, and Quality AuditsInternal Audit Best Practices for Safety, Environment, and Quality Audits
Internal Audit Best Practices for Safety, Environment, and Quality Audits
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1  Risk ManagementCISSP Chapter 1  Risk Management
CISSP Chapter 1 Risk Management
 
BiznetGio Presentation Business Continuity
BiznetGio Presentation Business ContinuityBiznetGio Presentation Business Continuity
BiznetGio Presentation Business Continuity
 
Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
28000
2800028000
28000
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system• Product quality review (PQR) • Qu...Introduction to quality management system• Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...
 
Risk Assessments Demonstation Powerpoint
Risk Assessments Demonstation PowerpointRisk Assessments Demonstation Powerpoint
Risk Assessments Demonstation Powerpoint
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
Project Risk Management
 Project Risk Management Project Risk Management
Project Risk Management
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
Integrating risk and benefits management
Integrating risk and benefits managementIntegrating risk and benefits management
Integrating risk and benefits management
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
Enterprise 360 degree risk management
Enterprise 360 degree risk managementEnterprise 360 degree risk management
Enterprise 360 degree risk management
 
PROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfPROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdf
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Neupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessmentsNeupart webinar 1: Four shortcuts to better risk assessments
Neupart webinar 1: Four shortcuts to better risk assessments
 

More from PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
PECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
PECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
PECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
PECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
PECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 

More from PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Recently uploaded

Recently uploaded (20)

Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERP
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
Advances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdfAdvances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdf
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx

Outsourcing Risk Management

Techniques and tools to use with risk assessment
• Brainstorming
• Workshops
• Scenarios
• Decision tree
• Hazard analysis
• Consequence/probability matrix
• Cost/benefit analysis
• Interviews
• Questionnaire
• …

Risk identification
• Identify assets and processes
• Identify threats, taking into account: owners, users, employees, specialists, insurance
• Identify controls in place
• Identify consequences: service outage, increased complaints, loss of customers, legality, reputation

Risk analysis process
• Identify threats to which the asset/process is subject
• Assess the probability that a threat will affect the asset/process
• Assess the vulnerability to the threats
• Identify preventive measures which could be implemented to reduce risk should the threat occur
• Analyse measures already in place to reduce risk should the threat occur

Scale of impact
Impact          Scale
Insignificant   0
Low             1
Medium          2
High            3
Very high       4

Guidelines
1. Rate the probability (P) or likelihood of this threat occurring
2. Rate the vulnerability (V) of the asset/process to each threat identified
3. Rate the level of controls (C) in place to protect against this threat

Scoring/grading of threats
• Probability refers to the likelihood of this threat occurring. Rate as H = High, M = Medium, L = Low.
• Vulnerability refers to a measure of the effect such threats may have, i.e. it identifies weaknesses. Rate as H = High, M = Medium, L = Low.
• Controls refers to the existing measures to counteract the effects of these threats. Rate as H = High, M = Medium, L = Low, where H = very good controls in place, M = some controls in place, L = inadequate controls in place.

Risk evaluation
Matrix of impact (Low / Medium / High) against controls in place (None / Some / Many), each cell giving a risk level of High, Medium or Low. Recovered rows: None → High, High; Some → Medium, Medium; Many → Low, Low.

Content of this webinar
• Risk assessment
• Risk treatment
• Risk acceptance

Risk evaluation
• Compare the estimated level of risk against the risk evaluation and acceptance criteria
• Identify preventive controls which could be implemented to reduce risk should the threat occur
• Analyse controls already in place to reduce risk should the threat occur
• Assess the cost to the company should a control be implemented
• Decide which risks will be treated with priority: ranking of the threats

Risk treatment
The options for risk treatment are:
• Risk modification
• Risk retention
• Risk avoidance
• Risk sharing
Set up a risk treatment plan.
Residual risk.

Risk acceptance
• Criteria for risk acceptance
• Acceptance of residual risks
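The scoring, evaluation, ranking, treatment and acceptance steps above, carried through on a small outsourcing risk register. This is an added example, not code from the webinar: the impact scale and the H/M/L ratings for P, V and C are the slides' own; the exact cells of the evaluation matrix, the banding of the 0..4 impact scale into its three columns, the one-step reduction when both probability and vulnerability are Low, the acceptance criterion, and the sample threats are all assumptions chosen to illustrate the method.

```python
from dataclasses import dataclass

# Impact scale as on the slide: Insignificant 0 .. Very high 4.
IMPACT_SCALE = {"Insignificant": 0, "Low": 1, "Medium": 2, "High": 3, "Very high": 4}
# H/M/L ratings for Probability (P), Vulnerability (V) and Controls (C).
RATING = {"L": 1, "M": 2, "H": 3}
LEVELS = ("Low", "Medium", "High")

# ASSUMED evaluation matrix: rows = controls rating (L = inadequate/none,
# M = some, H = very good/many), columns = impact band (Low, Medium, High).
# The slide only fixes that no controls -> High, some -> Medium, many -> Low;
# the remaining cells are this example's choice.
EVAL_MATRIX = {
    "L": ("Medium", "High", "High"),
    "M": ("Low", "Medium", "Medium"),
    "H": ("Low", "Low", "Medium"),
}


@dataclass
class Threat:
    name: str
    impact: str         # key of IMPACT_SCALE
    probability: str    # H/M/L
    vulnerability: str  # H/M/L
    controls: str       # H/M/L


def impact_band(impact: str) -> int:
    """Collapse the 0..4 scale into the matrix's three columns (assumed: 0-1 Low, 2 Medium, 3-4 High)."""
    score = IMPACT_SCALE[impact]
    return 0 if score <= 1 else 1 if score == 2 else 2


def evaluate(t: Threat) -> str:
    """Risk level from the impact x controls matrix; lowered one step when both
    probability and vulnerability are rated Low (assumption, not from the slide)."""
    level = EVAL_MATRIX[t.controls][impact_band(t.impact)]
    if t.probability == "L" and t.vulnerability == "L" and level != "Low":
        level = LEVELS[LEVELS.index(level) - 1]
    return level


def exposure(t: Threat) -> int:
    """P x V x impact, used only to order threats that share a risk level."""
    return RATING[t.probability] * RATING[t.vulnerability] * IMPACT_SCALE[t.impact]


def is_acceptable(t: Threat) -> bool:
    """Assumed acceptance criterion: Low is accepted, Medium only if probability is Low, High never."""
    level = evaluate(t)
    return level == "Low" or (level == "Medium" and t.probability == "L")


def rank(threats):
    """Treatment priority: highest risk level first, then highest exposure."""
    return sorted(threats, key=lambda t: (LEVELS.index(evaluate(t)), exposure(t)), reverse=True)


def treat(t: Threat, new_controls: str) -> Threat:
    """Risk modification: raise the controls rating and return the threat as it
    looks after treatment, so the residual risk can be re-evaluated."""
    return Threat(t.name, t.impact, t.probability, t.vulnerability, new_controls)


# Constructed sample register for an outsourced IT service (not from the webinar).
REGISTER = [
    Threat("Provider data centre outage", "High", "M", "H", "L"),
    Threat("Customer data leaked by provider staff", "Very high", "M", "M", "M"),
    Threat("Provider invoice dispute", "Low", "H", "M", "H"),
    Threat("Key provider engineer leaves", "Medium", "L", "L", "M"),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{evaluate(t):6} exposure={exposure(t):2} accepted={is_acceptable(t)}  {t.name}")
    # Treat the top-ranked threat and check whether the residual risk is acceptable.
    residual = treat(REGISTER[0], "H")
    print("residual after treatment:", evaluate(residual), "accepted:", is_acceptable(residual))
```

Running it ranks the data centre outage first (High, no controls) and the data leak second (Medium). Adding good controls to the outage threat brings it down to Medium, but under the assumed criterion a Medium risk with Medium probability is still not accepted, which is exactly the residual-risk check the acceptance step calls for: treatment is only finished when the residual risk meets the acceptance criteria, otherwise another treatment option is needed or the risk owner must explicitly accept it.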
Reduce outsourcing risks
- Call for tenders and evaluate the proposals before deciding
- Sign a contract which takes into consideration:
  - Quality and result expectations
  - Definition of roles and responsibilities
  - Means of control and audit
  - Intellectual property
  - Confidentiality agreement
- Implement monitoring and review processes to ensure contractual and service level requirements are being met
- Implement third-party change management processes
- Security aspects, etc.
- Determine premiums for reaching verifiable results

Review of risk assessment and risk treatment
Risk and impact assessments should be conducted on a regular basis and reviewed at key intervals by the relevant governance committees. This allows suitable decisions to be made and risks to be managed effectively before they become specific issues which have to be managed.

2016-03-22
“By failing to prepare you are preparing to fail.” — Ben Franklin

Questions? Thank you.
+46 (0)708794652 https://se.linkedin.com/in/barbro-thöyrä-119b0427 barbro@thoyra.eu www.cebelot.se https://www.facebook.com/barbro.thoyra