2. Learning Objectives:
• Discuss the concepts and classifications of risk and risk management.
• Describe the main approaches to the analysis and evaluation of risk.
• Distinguish the main features of risk control techniques.
3. D. Risk Assessment 1: Introduction and Identification
1. Risk Assessment Considerations
2. Risk Classification Systems (Risk Identification)
3. Risk Causes (Sources) and Consequences
4. 1. Risk assessment considerations
Risk assessment is the process of identifying hazards in a workplace and formulating control measures against them. A risk assessment involves identifying hazards and risk factors, analyzing and evaluating the likelihood of their occurrence, determining ways to eliminate or control them, and documenting the findings.
5. Key Elements of Risk Assessment:
• Scope. What is being assessed: a product, an organizational process, or a workplace area.
• Resources needed. The training, tools and equipment needed to carry out the risk assessment effectively.
• Key persons. The personnel involved in planning and implementing the risk assessment; they can be managers, supervisors, workers, vendors or suppliers.
• Laws, regulations and internal policies. Non-compliance could lead to hefty fines and other penalties.
6. How to Perform Risk Assessment in 4 Steps?
• Understand and identify the hazards and risks.
  Hazard: something that has the potential to cause harm to people, property or the environment.
  Risk: the likelihood of a hazard causing harm or damage under defined circumstances.
• Evaluate the risks. Consider how, where, how much, and how long individuals are typically exposed to a potential hazard.
7. How to Perform Risk Assessment in 4 Steps?
• Decide on the control measures to implement. The National Institute for Occupational Safety and Health's hierarchy of controls establishes five control measures for each hazard identified.
• Document your findings. All risk assessments should be formally kept for future review and updates.
8. 2. Risk classification systems (Risk Identification)
There are six aspects of the risk classification system:
• Political. This factor determines the extent to which a government may influence the economy or a certain industry. Political factors include tax policies, fiscal policy and trade tariffs, which may be levied during the fiscal year and may affect the business environment.
• Economic. This factor covers the aspects of an economy's performance that directly impact a company and have lasting long-term effects. Economic factors include the inflation rate, interest rates, foreign exchange rates and economic growth patterns.
• Social. This factor takes into consideration all events that affect the market and the community socially. Social factors include cultural expectations, norms, population dynamics, health consciousness, career attitudes and global warming.
9. 2. Risk classification systems (Risk Identification)
There are six aspects of the risk classification system:
• Technological. This factor covers innovations in technology that may affect the operations of the industry and the market favorably or unfavorably. Technological factors include automation, research and development, and the amount of technological awareness the market possesses.
• Legal. This factor takes the applicable legislation into account and charts out strategies in light of it. Legal factors include consumer laws, safety standards and labor laws.
• Ethical or Environmental. This factor is determined by the surrounding environment. Environmental factors include but are not limited to climate, weather, geographical location, global changes in climate, environmental offsets, ground conditions, ground contamination and nearby water sources.
10. There are several timescales of risk classification systems:
• A short-term risk (immediate) has the ability to impact the objectives, key dependencies and core processes, with the impact being immediate. These risks can cause disruption to operations as soon as the event occurs.
• A medium-term risk (up to 1 year) has the ability to impact the organization following a short delay after the event occurs. The impact of a medium-term risk would not be apparent immediately but would be apparent within months, or at most a year, after the event.
11. There are several timescales of risk classification systems:
• A long-term risk (up to 5 years) has the ability to impact the organization some time after the event occurs. This impact could occur between one and five years, or more, after the event.
12. The following risk classification system is adopted for capturing the results of a risk assessment, with three scoring levels:
• High risk. Risk to assets whose protection is required by law, or which, if compromised, can lead to a significant impact on the organization's business, safety or finances. Examples are personal data, financial data, the central data center and central administrative systems.
• Moderate risk. Risk which, if the asset is compromised, can lead to a noticeable impact on the organization's business, safety or finances. Examples are operational systems, official web sites, office computers, etc.
13. The following risk classification system is adopted for capturing the results of a risk assessment, with three scoring levels:
• Low risk. Risk which is not classified as high risk or moderate risk. Examples are demo systems and published research data.
14. Example scoring levels of risk classification (table not reproduced).
15. 3. Risk causes (sources) and consequences
Risk statements across the various teams have different audiences, but they should all follow the same structure, with the following elements:
• Risk cause. This is why something could go wrong. It is here that we consider what needs to be done to prevent it.
• Risk event. This is what could go wrong. This is where the uncertainty lies: the existence of the cause does not mean the event will happen, but if it does, there will most likely be an impact.
16. 3. Risk causes (sources) and consequences
• Consequence. This is the potential outcome of the event. It is the impact on the Critical Success Factors and highlights why we must pay attention to the risk.
17. E. Risk Assessment: Risk Analysis and Evaluation
1. Introduction to risk analysis, risk likelihood and impact, loss control
2. Defining the upside risk
3. The importance of risk appetite (Risk Evaluation)
18. 1. Introduction to risk analysis, risk likelihood and impact, loss control
Risk Analysis
The process of identifying and analyzing potential issues that could negatively impact key business initiatives or projects. This process is done in order to help organizations avoid or mitigate those risks.
Performing a risk analysis includes considering the possibility of adverse events caused by natural processes, like severe storms, earthquakes or floods, or by malicious or inadvertent human activities. An important part of risk analysis is identifying the potential for harm from these events, as well as the likelihood that they will occur.
19. Why is risk analysis important?
• Anticipate and reduce the effect of harmful results from adverse events.
• Evaluate whether the potential risks of a project are balanced by its benefits, to aid the decision process when evaluating whether to move forward with the project.
• Plan responses for technology or equipment failure or loss from adverse events, both natural and human-caused.
• Identify the impact of, and prepare for, changes in the enterprise environment, including the likelihood of new competitors entering the market or changes to government regulatory policy.
20. Risk likelihood and impact
Risk likelihood is the probability, or chance, of a threat occurring.
21. Risk likelihood and impact
You don't need a complex system in order to improve or support your organization's security environment. However, your organization's leaders need tools that show them where to spend time and resources in order to reduce potential risks to the company. That is how risk assessments can shed light on the key factors in this decision-making process.
22. Risk likelihood and impact
The standard described implies that a realistic assessment of risk requires an understanding of these areas:
• Threats to an organization
• Potential vulnerabilities within the organization
• Likelihood and impacts of successfully exploiting the vulnerabilities with those threats
23. Risk likelihood and impact
For handling the most basic level of risk assessment, risk managers can follow this simple formula:
Risk = (Threat x Vulnerabilities) x Impact
24. Risk likelihood and impact
The first part of the formula (Threats x Vulnerabilities) identifies the likelihood of a risk. For example, if there is a known security flaw in older versions of software you use, there is the threat of hackers exploiting that particular vulnerability to compromise your system. But if you have applied the latest software patches that fix the problem, then the vulnerability cannot be exploited, and the threat has been eliminated.
Impact measures how much disruption you will face if the threat actually occurs. Combining likelihood and impact produces a residual risk rating of Low, Medium or High. Each organization's residual risk rating may differ based on the likelihood and impact that each control deficiency introduces.
25. Risk likelihood and impact
You could also represent this concept with a simple chart like this one (chart not reproduced).
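As an added example that is not part of the original deck, the Python below applies the formula from the previous slides to a small constructed risk register: it scores each item as (Threat x Vulnerability) x Impact, maps the score to Low/Medium/High, and builds the likelihood-versus-impact matrix a chart of this kind would display. The 1-3 ordinal scales, the "none" vulnerability level (the patched case the slide describes) and the rating thresholds are assumptions chosen for illustration, not values from the slides.

```python
"""Risk = (Threat x Vulnerability) x Impact, worked as a small risk register.

Added example, not part of the slide deck. The 1-3 ordinal scales, the
'none' vulnerability level and the Low/Medium/High thresholds are all
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Assumed ordinal scale for threat, vulnerability and impact: 1 = low ... 3 = high.
SCALE = {"low": 1, "medium": 2, "high": 3}

# Assumed thresholds on the 0..27 score: at or above HIGH_AT is High,
# at or above MEDIUM_AT is Medium, everything else is Low.
HIGH_AT = 12
MEDIUM_AT = 4


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str         # "low" | "medium" | "high"
    vulnerability: str  # "low" | "medium" | "high" | "none" (flaw is fixed)
    impact: str         # "low" | "medium" | "high"


def likelihood(threat: str, vulnerability: str) -> int:
    """First part of the formula: Threat x Vulnerability.

    A vulnerability of "none" (the patch that fixes the flaw is applied)
    gives likelihood 0: the threat still exists, but there is nothing for it
    to exploit, so the resulting risk is eliminated.
    """
    if vulnerability == "none":
        return 0
    return SCALE[threat] * SCALE[vulnerability]


def risk_score(item: RiskItem) -> int:
    """Whole formula: (Threat x Vulnerability) x Impact, range 0..27."""
    return likelihood(item.threat, item.vulnerability) * SCALE[item.impact]


def rating(score: int) -> str:
    """Map a numeric score onto the three-level residual risk rating."""
    if score >= HIGH_AT:
        return "High"
    if score >= MEDIUM_AT:
        return "Medium"
    return "Low"


def assess(register: list[RiskItem]) -> list[tuple[str, int, str]]:
    """Score every item and return (asset, score, rating), highest risk first."""
    rows = [(item.asset, risk_score(item), rating(risk_score(item))) for item in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def risk_matrix() -> dict[tuple[int, int], str]:
    """The likelihood-versus-impact chart behind the rating.

    Keys are (likelihood, impact): likelihood takes every product a 1-3 x 1-3
    scale can produce (1, 2, 3, 4, 6, 9), impact is 1-3. Values are the
    rating of that cell.
    """
    likelihood_values = sorted({t * v for t in SCALE.values() for v in SCALE.values()})
    return {(l, i): rating(l * i) for l in likelihood_values for i in SCALE.values()}


# Constructed sample register (not real systems), illustrating the slide's
# patched-versus-unpatched case on the same asset.
SAMPLE_REGISTER = [
    RiskItem("legacy file server (unpatched)", "high", "high", "high"),
    RiskItem("legacy file server (patched)", "high", "none", "high"),
    RiskItem("public website", "high", "low", "medium"),
    RiskItem("demo system", "low", "medium", "low"),
]

if __name__ == "__main__":
    for asset, score, level in assess(SAMPLE_REGISTER):
        print(f"{asset:32} score={score:2d} rating={level}")
    print("\nlikelihood \\ impact   1       2       3")
    matrix = risk_matrix()
    for l in sorted({key[0] for key in matrix}):
        cells = "  ".join(f"{matrix[(l, i)]:6}" for i in (1, 2, 3))
        print(f"{l:>19}   {cells}")
```

Running the block prints the register ranked by score and the matrix. The two file-server rows show the point of the slide: the same threat and impact score 27 (High) while the flaw is present and 0 (Low) once the patch removes the vulnerability, because the likelihood term collapses to zero.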
26. Loss Control
A risk management technique that seeks to reduce the possibility that a loss will occur and to reduce the severity of those losses that do occur. A loss control program should help reduce claims, and insurance companies help reduce losses through safety and risk management information and services.
27. 2. Defining the Upside of Risk
The upside of risk is the chance that an asset or investment will increase in value beyond expectations. It is an example of positive risk, or the chance that you will achieve too much of a good thing.
28. 2. Defining the Upside of Risk
There is a belief amongst risk management practitioners that risk management makes a significant contribution to the operation of the organization, and this contribution is often described as the upside of risk. In simple terms, the upside of risk is achieved when the benefits obtained from taking the risk are greater than any benefit that would have resulted from not taking it.
29. 3. The Importance of Risk Appetite (Risk Evaluation)
Risk appetite is the amount of risk an organization is willing to take in pursuit of objectives it deems to have value.
Risk appetite can also be described as an organization's risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been put in place.
30. 3. The Importance of Risk Appetite (Risk Evaluation)
Factors that influence risk appetite:
• Culture of the organization
• Industry the organization is in
• Competitors
• Types of initiatives pursued
• Current industry position and/or financial strength
31. F. Risk responses and risk treatment
1. Introduction to risk treatment and risk response
2. The 4Ts
3. Risk control techniques (PCDD)
4. Control of selected hazard risks
5. Introduction to monitoring and review
6. Insurance and risk transfer
7. Business continuity planning
32. 1. Introduction to risk treatment and risk response
Risk treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.
Risk response is leadership's response or action towards the existence of a risk.
33. There are four possible risk response strategies for negative risks:
• Avoid. Eliminate the threat to protect the project from the impact of the risk. An example of this is cancelling the project.
• Transfer. Shift the impact of the threat to a third party, together with ownership of the response. An example of this is insurance.
34. There are four possible risk response strategies for negative risks:
• Mitigate. Act to reduce the probability of occurrence or the impact of the risk. An example of this is choosing a different supplier.
• Accept. Acknowledge the risk, but do not take any action unless the risk occurs. An example of this is documenting the risk and putting aside funds in case the risk occurs.
35. There are also four possible risk response strategies for positive risks, or opportunities:
• Exploit. Eliminate the uncertainty associated with the risk to ensure it occurs. An example of this is assigning the best workers to a project to reduce the time to complete it.
• Enhance. Increase the probability or the positive impacts of an opportunity. An example of this is adding more resources to finish early.
36. There are also four possible risk response strategies for positive risks, or opportunities:
• Share. Allocate some or all of the ownership of the opportunity to a third party. An example of this is forming joint teams.
• Accept. Be willing to take advantage of the opportunity if it arises, but do not actively pursue it. An example of this is documenting the opportunity and calculating the benefit if the opportunity occurs.
37. 2. The 4Ts
Risk management creates and protects organizational value. As such, it should be a natural and inherent part of what every company does. Risk management is an integral part of decision-making because it explicitly addresses uncertainty.
38. 2. The 4Ts
A good way to summarize the different responses is with the 4Ts of risk management: tolerate, terminate, treat and transfer.
39. 2. The 4Ts
Tolerate. Sometimes it is okay to do nothing. The likelihood and impact of the risk are low. You may decide to simply retain the risk because it is acceptable without further action. Log and monitor the risk, because retaining a risk should always be an informed decision: you should not find that your organization has retained a risk by default.
40. 2. The 4Ts
Terminate. Sometimes a risk is so far outside your risk appetite, or is assessed as having such a severe impact on your business, that you have to stop (i.e. terminate) the activity causing it. For example, you may decide not to start or continue a business activity in a particular country, or to withdraw from the market a product or service that gives rise to unacceptable risk.
41. 2. The 4Ts
Treat. You will almost certainly decide to take action on the most severe risks. You may act to reduce the likelihood of the risk occurring, or the severity of the consequences if it does. For example, install a firewall to reduce the likelihood of an external intrusion into your IT systems, and implement network segregation to limit the consequences if an intruder does gain access.
42. 2. The 4Ts
Transfer. Insurance is not available for everything. Sometimes, while it is possible to transfer the activity to a third party, you still retain the liability if things go wrong. In the case of the Payment Card Industry Data Security Standard (PCI DSS), a third-party arrangement outsources merely the function, not the responsibility or liability for PCI compliance.
43. 3. Risk Control Techniques (PCDD)
It is management's responsibility to design and put in place a suitable system of internal controls. Internal controls are designed to deal with financial, operational and compliance risks.
Organizations prepare a risk and control matrix, in which risks and the related controls are documented. Such a matrix enables management to review the risks and related controls according to the risk classification, the inherent and residual risk assessments, and any apparent weaknesses in the controls.
44. Risk Control Techniques (PCDD)
Further, the controls are marked into different control categories according to the nature of the controls, as follows:
45. Risk Control Techniques (PCDD)
Preventive Controls
Prevention of errors and irregularities should be the aim of organizations; in practice, however, some errors and risks occur despite the preventive controls implemented. A preventive control aims to prevent the occurrence of an error in a process and includes the maker-checker concept and authorizations. For example, to prevent the purchase of unauthorized fixed assets, management builds preventive controls in the form of authorization and approval of fixed asset purchases by senior management or the asset purchase committee. Such controls ensure that unauthorized asset purchases are discouraged and that only those assets which senior management or the appropriate committee approves are purchased and reflected in the financial statements.
46. Risk Control Techniques (PCDD)
Preventive controls are designed to stop errors or anomalies from occurring. Examples of preventive controls are:
• Adequate segregation of duties
• Proper authorization of transactions
• Adequate documentation and control of assets
47. Risk Control Techniques (PCDD)
Corrective Controls
Corrective controls are designed to correct errors and irregularities once they are discovered, and to ensure that similar errors are not repeated. Corrective controls are built in the form of procedures and manuals for the reference of employees. Some controls are built into the system, which automatically corrects errors or prevents them from occurring.
Examples of corrective controls are:
• Policies and procedures for reporting errors and irregularities so they can be corrected.
• Training employees on new policies and procedures developed as part of the corrective actions.
• Positive discipline to prevent employees from making future errors.
• Continuous improvement processes to adopt the latest operational techniques.
48. Risk Control Techniques (PCDD)
Directive Controls
Directive controls aim to ensure that identified risks are managed through formal directions provided, in various forms, to the management and employees of the organization. Directive control requires cross-departmental process understanding, including the embedded regulatory requirements, which are converted into policies and procedures.
49. Risk Control Techniques (PCDD)
Directive Controls
These policies and procedures also lead to the development of standard operating procedures and formal directions in specific areas. For example, management prepares the compliance policy to ensure that the broader regulatory requirements are complied with. However, management also develops specific operating procedures for employees, such as procedures or directives for dealing with customers before onboarding them. These directions refer to the compliance policy and to the regulatory requirements which deal with the customer onboarding process.
50. Risk Control Techniques (PCDD)
Directive Controls
Similarly, management identifies broader risks and their integration to ensure that relevant directives are prepared and approved for compliance purposes.
51. Risk Control Techniques (PCDD)
Detective Controls
Errors in a process need to be detected so that corrective measures can be taken to minimize the impact on the whole process or activity. Detective controls should aim to detect errors on a timely basis; if errors are not detected on a timely basis, the detective controls would be marked as ineffective. A strong internal control system always considers the implementation of effective detective controls.
52. Risk Control Techniques (PCDD)
Detective Controls
These controls are designed to find errors or irregularities after they have occurred.
Examples of detective controls are:
• Exception reports: identifying unexpected results or unusual conditions that require follow-up.
• Reconciliations: an employee relates different data sets to one another, identifies and investigates differences, and takes corrective action when necessary.
• Periodic audits: internal and independent external audits detect errors, irregularities, and non-compliance with laws and regulations.
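As an added illustration of the first two detective controls listed above (example code written for this page, not from the original slides), the Python below runs a reconciliation and an exception report over a small constructed payments ledger and bank statement. It also applies the timeliness point from the previous slide by flagging unmatched entries that have stayed open too long. The record layout, the approval threshold, the 30-day limit and all the data are assumptions.

```python
"""Two detective controls over a constructed payments ledger: a reconciliation
against the bank statement and an exception report.

Added example, not from the slide deck. The record layout, the approval
threshold, the 30-day timeliness limit and all the data are assumptions.
"""
from datetime import date

# Amounts are integer cents so that comparisons are exact (no float rounding).
# Constructed ledger entries: reference, amount, posting date, approver.
LEDGER = [
    {"ref": "INV-1001", "cents": 120000, "posted": date(2024, 2, 1), "approved_by": "jdoe"},
    {"ref": "INV-1002", "cents": 540000, "posted": date(2024, 1, 5), "approved_by": ""},
    {"ref": "INV-1003", "cents": 31050, "posted": date(2024, 2, 10), "approved_by": "jdoe"},
    {"ref": "INV-1004", "cents": 98000, "posted": date(2024, 2, 12), "approved_by": "asmith"},
]

# Constructed bank statement lines for the same period.
BANK = [
    {"ref": "INV-1001", "cents": 120000},
    {"ref": "INV-1003", "cents": 30150},   # digits transposed on payment
    {"ref": "INV-1004", "cents": 98000},
    {"ref": "INV-1009", "cents": 7500},    # no ledger entry at all
]

# Date the reconciliation is run (constructed).
AS_OF = date(2024, 2, 20)
# Assumed policy: anything over this amount needs a recorded approver.
APPROVAL_REQUIRED_ABOVE = 500000
# Assumed timeliness limit: an unmatched ledger entry older than this is overdue.
MAX_OPEN_DAYS = 30


def reconcile(ledger, bank, as_of):
    """Relate the two data sets by reference and list every difference.

    Returns the three kinds of finding a reviewer would investigate: entries
    only in the ledger, entries only in the bank statement, and matched
    references whose amounts disagree. Ledger-only entries older than
    MAX_OPEN_DAYS are also flagged as overdue: a difference found late means
    the detective control is not working on a timely basis.
    """
    ledger_by_ref = {row["ref"]: row for row in ledger}
    bank_by_ref = {row["ref"]: row for row in bank}

    only_in_ledger = []
    overdue = []
    for ref, row in ledger_by_ref.items():
        if ref not in bank_by_ref:
            only_in_ledger.append(ref)
            if (as_of - row["posted"]).days > MAX_OPEN_DAYS:
                overdue.append(ref)

    only_in_bank = [ref for ref in bank_by_ref if ref not in ledger_by_ref]

    amount_mismatch = [
        (ref, ledger_by_ref[ref]["cents"], bank_by_ref[ref]["cents"])
        for ref in ledger_by_ref
        if ref in bank_by_ref and ledger_by_ref[ref]["cents"] != bank_by_ref[ref]["cents"]
    ]
    return {
        "only_in_ledger": only_in_ledger,
        "only_in_bank": only_in_bank,
        "amount_mismatch": amount_mismatch,
        "overdue": overdue,
    }


def exception_report(ledger):
    """Flag unusual conditions that need follow-up: here, payments above the
    approval threshold that carry no approver, i.e. cases where the preventive
    authorization control was bypassed and the detective control catches it."""
    return [
        row["ref"]
        for row in ledger
        if row["cents"] > APPROVAL_REQUIRED_ABOVE and not row["approved_by"]
    ]


if __name__ == "__main__":
    findings = reconcile(LEDGER, BANK, AS_OF)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print("exceptions:", exception_report(LEDGER))
```

On the constructed data the reconciliation surfaces one payment that never reached the bank (and is overdue), one bank debit with no ledger entry, and one amount that was keyed with transposed digits; the exception report independently flags the same unapproved payment, which is the kind of finding that would then go to a corrective control.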
53. 4. Control of selected hazard risks
Control measures include actions that can be taken to reduce the potential of exposure to the hazard, or the control measure could be to remove the hazard or to reduce the likelihood of the risk of exposure to that hazard being realized. A simple control measure would be the secure guarding of moving parts of machinery, eliminating the potential for contact. When we look at control measures, we often refer to the hierarchy of control measures.
55. Hierarchy of Controls
Eliminate the hazard. Elimination of the hazard is not always achievable, though it does totally remove the hazard and thereby eliminates the risk of exposure.
56. Hierarchy of Controls
Substitute the hazard with a lesser risk. Substituting the hazard may not remove all of the hazards associated with the process or activity, and may introduce different hazards, but the overall harm or health effects will be lessened. In laboratory research, toluene is now often used as a substitute for benzene. The solvent properties of the two are similar, but toluene is less toxic and is not categorized as a carcinogen, although toluene can cause severe neurological harm.
57. Hierarchy of Controls
Isolate the hazard. Isolating the hazard is achieved by restricting access to plant and equipment or, in the case of substances, locking them away under strict controls. When using certain chemicals, a fume cupboard can isolate the hazard from the person; similarly, placing noisy equipment in a non-accessible enclosure or room isolates the hazard from the person(s).
58. Hierarchy of Controls
Use engineering controls. Engineering controls involve redesigning a process to place a barrier between the person and the hazard or to remove the hazard from the person, such as machinery guarding, proximity guarding, extraction systems, or removing the operator to a remote location away from the hazard.
59. Hierarchy of Controls
Use administrative controls. Administrative controls include adopting standard operating procedures or safe work practices, or providing appropriate training, instruction or information to reduce the potential for harm and/or adverse health effects to person(s). Isolation and permit-to-work procedures are examples of administrative controls.
60. Hierarchy of Controls
Use personal protective equipment. Personal protective equipment (PPE) includes gloves, glasses, earmuffs, aprons, safety footwear and dust masks, which are designed to reduce exposure to the hazard. PPE is usually seen as the last line of defense and is usually used in conjunction with one or more of the other control measures. An example of the weakness of this control measure is that it is widely recognized that single-use dust masks cannot consistently achieve and maintain an effective facepiece-to-face seal, cannot be adequately fit-tested, and do not offer much, if any, real protection against small particulates; they may lead to a false sense of security and increase risk. In such instances, an extraction system with fitted respirators may be preferable where the hazard may have significant health effects from low levels of exposure, such as when using isocyanate-containing chemicals.
61. 5. Introduction to monitoring and review
Monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. The results should be recorded and reported externally and internally, as appropriate. The results should also be an input to the review and continuous improvement of the risk management framework.
62. 5. Introduction to monitoring and review
Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
• Ensuring that controls are effective and efficient in both design and operation.
• Obtaining further information to improve risk assessment.
• Analyzing and learning lessons from risk events, including near-misses, changes, trends, successes and failures.
• Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities.
• Identifying emerging risks.
64. 6. Insurance and Risk Transfer
Life is inherently risky and it would be impossible to protect yourself against every potential risk you face. But if you are going to work hard, put money aside and invest it in things that are important to you or improve your life, it makes sense to protect those things as best you can.
65. 6. Insurance and Risk Transfer
Managing your risk involves a little bit of thought and planning to identify where you might be vulnerable to loss or damage. You do your best to protect your property, but you can also protect yourself from the impact of a natural disaster or if an unexpected event happens.
66. 6. Insurance and Risk Transfer
Insurance helps you to manage a risk if something happens to you or your property and helps you recover from the difficulties and financial hardship caused by unexpected events that cause injury and/or a financial loss. The person who buys the policy is known as the policyholder or the insured.
67. 6. Insurance and Risk Transfer
In return, the insurance company that issues the policy to you promises it will compensate you under certain loss or damage circumstances, as set out in the policy.
Before you make the decision to buy insurance, it makes sense to review your own risks and work out how you can reduce the chance of them occurring and, if they do occur, how you might reduce the impact on your life.
For example, you can reduce the risk of bushfire by making sure you have cleared flammable materials away from your house.
You can then take out insurance cover so that you are not risking severe financial consequences in the unlikely event that your house is damaged or destroyed by bushfire. You are only protected once you pay your premium and, in some circumstances, the policy may not take effect for a predetermined time.
68. 6. Insurance and Risk Transfer
Risk transfer refers to a risk management technique in which risk is transferred to a third party. In other words, risk transfer involves one party assuming the liabilities of another party. Purchasing insurance is a common example of transferring risk from an individual or entity to an insurance company.
70. 6. Insurance and Risk Transfer
How it works:
Risk transfer is a common risk management technique where the potential loss from an adverse outcome faced by an individual or entity is shifted to a third party. To compensate the third party for bearing the risk, the individual or entity will generally provide the third party with periodic payments.
The most common example of risk transfer is insurance. When an individual or entity purchases insurance, they are insuring against financial risks. For example, an individual who purchases car insurance is acquiring financial protection against physical damage or bodily harm that can result from traffic incidents.
As such, the individual is shifting the risk of having to incur significant financial losses from a traffic incident to an insurance company. In exchange for bearing such risks, the insurance company will typically require periodic payments from the individual.
71. 6. Insurance and Risk Transfer
Methods of Risk Transfer
• Insurance policy. As outlined above, purchasing insurance is a common method of transferring risk. When an individual or entity purchases insurance, they are shifting financial risks to the insurance company. Insurance companies typically charge a fee, an insurance premium, for accepting such risks.
• Indemnification clause in contracts. Contracts can also be used to help an individual or entity transfer risk. Contracts can include an indemnification clause, a clause that ensures potential losses will be compensated by the opposing party. In simplest terms, an indemnification clause is a clause in which the parties involved in the contract commit to compensating each other for any harm, liability or loss arising out of the contract.
For example, consider a client that signs a contract with an indemnification clause. The indemnification clause states that the contract writer will indemnify the client against copyright claims. As such, if the client receives a copyright claim, the contract writer would (1) be obliged to cover the costs related to defending against the copyright claim, and (2) be responsible for copyright claim damages if the client is found liable for copyright infringement.
72. Business Continuity Planning
Business Continuity Planning. The process involved in creating a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
73. Business Continuity Planning
Key takeaways:
• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• A BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.
74. Understanding Business Continuity Plans (BCPs)
BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters (fire, flood or weather-related events) and cyber attacks. Once the risks are identified, the plan should also include:
75. Understanding Business Continuity Plans (BCPs)
• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date
76. Business Continuity Planning
There are several steps many companies must follow to develop a solid BCP. They include:
• Business impact analysis: here, the business identifies functions and related resources that are time-sensitive.
• Recovery: in this portion, the business must identify and implement steps to recover critical business functions.
• Organization: a continuity team must be created. This team will devise a plan to manage the disruption.
• Training: the continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.
77. “Risk management is a more realistic term than safety. It implies that hazards are ever-present, that they must be identified, analyzed, evaluated and controlled or rationally accepted.”
- Jerome F. Lederer