This document provides an overview of the risk assessment process as outlined in the British Standard BS25999-2:2007. It describes the key steps in risk assessment including identifying vulnerabilities, threats, potential damages, scoring severity and likelihood, evaluating current mitigation measures, and calculating a risk magnitude score. The document uses a risk assessment model and provides examples of how to analyze risks using criteria for scoring severity, likelihood, mitigation, and determining appropriate risk treatment actions. The goal is to understand risks to critical assets and activities, prioritize them, and determine actions to reduce risks to an acceptable level.
Military + Civilian Best Practices: Risk Management ver 1.1
Alejandro Perez
Topic: Military Risk Management
Program: Officer Development Program
Institution: Army National Guard
Uniqueness of Presentation:
1.) Innovative Practices applied to Risk Management
2.) Military + Civilian Best Practices Utilization
3.) Iterative Philosophy Application
4.) Common Sense integration with MDMP (Military Decision Making Process) and TLPs (Troop Leading Procedures)
This complete presentation has a set of thirty-seven slides to show your mastery of the subject. Use this ready-made PowerPoint presentation to present before your internal teams or the audience. All presentation designs in this Risk Mitigation Strategies PowerPoint Presentation Slides have been crafted by our team of expert PowerPoint designers using the best of PPT templates, images, data-driven graphs and vector icons. The content has been well-researched by our team of business researchers. The biggest advantage of downloading this deck is that it is fully editable in PowerPoint. You can change the colors, font and text without any hassle to suit your business needs.
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
karlhennesey
Part -1
Chapter 35: ERM at Malaysia’s Media Company Astro: Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies.
1. Identify some reasons why risk management practices might not take off and/or be embedded effectively in an investee company.
2. Who should participate in the ERM process to ensure successful implementation of this ongoing program?
3. What should the CEO’s role be for the successful implementation and ongoing performance of an ERM process?
250 to 300 words
Part -2 Comments: for the 2 discussions below
RE: Chapter 35: ERM at Malaysia’s Media Company Astro
1. Identify some reasons why risk management practices might not take off and/or be embedded effectively in an investee company.
Organizations implement and embed ERM at their firms based on many factors such as risk analysis, goals and previous issues faced. Many firms invest in other companies (investee companies) to gain profits or advantages. When investing companies implement or embed the same ERM in investee companies it might not work because the investee company's requirements might be different; it might even be from a different sector. The ERM implemented at investee companies also depends on the investee company's previous history, decisions made, the investee company's reputation in the market, risks which are not fully identified by the investing company, or no full cooperation from investee company people. Many incidents show it is highly impossible to conduct a full risk review of an investee company before acquisition, which means the investing company doesn't know the full risks involved with the investee company, and ERM implemented without full risk analysis will lead to disasters.
2. Who should participate in the ERM process to ensure successful implementation of this ongoing program?
The most important people while implementing ERM at ASTRO are the CEO, CFO, board of directors and its audit committee.
3. What should the CEO’s role be for the successful implementation and ongoing performance of an ERM process?
At ASTRO the CEO and CFO are accountable to the board of directors for implementing strategies, procedures and policies for designing an effective ERM program.
The CEO should participate in meetings with the vice president of enterprise risk management (VPERM) to explain current situations and risk levels for monitoring risk management at a high level (Fraser, Narvaez, & Simkins, 2015).
Thank you
References
Fraser, J. R. S., Narvaez, K., & Simkins, B. J. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken, N.J: Wiley.
RE: Chapter 35: ERM at Malaysia’s Media Company Astro
1. Identify some reasons why risk management practices might not take off and/or be embedded effectively in an investee company.
Following are some of the reasons that can be considered.
· Risk management methodology approach and objective ...
2. Executive Summary
This document attempts to provide an understanding of the Risk Management process.
The British Standard, BS25999-2:2007 requires Risk Assessment to be done as a part of ‘Understanding the organisation’.
A flow chart illustrates the flow of the RM process per Clause 4.1.1 of the standard and also deals with ‘Determining choices’ (4.1.3).
The standard does not prescribe any specific method of doing the risk assessment.
This document provides an example method of doing risk assessment which borrows heavily from Failure Modes and Effects Analysis (FMEA).
Using the concepts from FMEA helps in a couple of ways:
· FMEA has been in use for quite some time now and the writer assumes that the knowledge of using FMEA is prevalent.
· It provides numerical values for easy prioritisation and action.
02/08/2010 Dipankar Ghosh 2
3. Section 4.1.1 Of BS25999-2:2007
4.1.2 Risk Assessment
4.1.2.1 There shall be a defined, documented and appropriate method of risk assessment that will enable the organisation to understand the threats to and vulnerabilities of its critical activities and supporting resources, including those provided by suppliers and outsource partners.
4.1.2.2 The organisation shall understand the impact that would arise if an identified threat became an incident and caused a business disruption.
6. Risk Assessment Model
The model is a worksheet with the following eleven columns (the column numbers are referenced in the notes that follow):
1. Identified Vulnerabilities
2. Potential Threats
3. Potential Damages
4. Severity Of Damages Score (1-5) [S]
5. Likelihood Of Occurrence Score (1-5) [L]
6. Current Mitigation Measures
7. Mitigation Score (1-5) [M]
8. Risk Magnitude Score (1-125) [RMS = S x L x M]
9. Recommended Actions
10. Responsibility and Target Date
11. RMS After Actions Taken [S x L x M]
1. Identified Vulnerabilities – These are weaknesses that have been identified which can result in a potentially damaging impact on the business (e.g. fuel storage near an electrical substation). Vulnerabilities are ‘internal’ to the ‘system’.
2. Potential Threats – These are ‘external’ causes which can exploit vulnerabilities to cause damage (e.g. electrical short circuits and sparks can ignite the fuel nearby, resulting in a fire).
3. Potential Damages – These are the effects or damages that are inflicted on the business and its assets (e.g. loss of life due to fire, loss of building, equipment etc. due to fire). Note that risk exists only if an external threat exploits an internal vulnerability to cause damage or loss to your asset. You may have an empty house (no asset to be damaged/lost) with an unlocked door (vulnerability) and a thief lurking around (threat). But you face no risk!
7. Risk Assessment Model
4. Severity Of Effects Score – This is a score on a scale of 1-5 which reflects the assessment of the seriousness of the damages listed in column 3, based on the Severity Score Criteria listed in the table below. The higher the severity, the higher the score. Note that the criteria in this and the following tables are not sacrosanct and are for example purposes; practitioners may want to adapt them according to their experience.
Severity Of Effects          Score   Severity Score Criteria
Hazardous or Catastrophic      5     1. May cause loss of lives, buildings or sites
                                     2. The duration of recovery is very long
Very high                      4     1. May cause severe injuries
                                     2. May lead to severe damage to buildings, equipment and goods
                                     3. May cause severe hardships to customers, employees and suppliers and may lead to severe financial losses for all of them and the company
                                     4. The duration of recovery is long
High                           3     1. May cause major injuries
                                     2. May lead to major damage to buildings, equipment and goods
                                     3. May cause hardships to customers, employees and suppliers and may lead to financial losses for all of them and the company
                                     4. The duration of recovery is quite long
Moderate                       2     1. May cause minor injuries
                                     2. May lead to moderate damage to buildings, equipment and goods
                                     3. May cause moderate hardships to customers, employees and suppliers and may lead to some financial losses for all of them and the company
                                     4. The duration of recovery is moderate
None or Minor                  1     1. No injuries caused
                                     2. None or minor damage to buildings, equipment and goods
                                     3. Insignificant hardships caused to customers, employees and suppliers and may lead to minor financial losses for all of them and the company
                                     4. The duration of recovery is short
8. Risk Assessment Model
5. Likelihood Of Occurrence Score – This score measures on a scale of 1-5 the likelihood of occurrence of the identified risk event arising from the potential cause, based on the guideline provided in the table below. The greater the likelihood, the higher the score.
Likelihood of Occurrence       Probability       Score
>90% chance of happening       Almost Certain    5
70%-90% chance of happening    Likely            4
50%-70% chance of happening    Possible          3
30%-50% chance of happening    Unlikely          2
0%-30% chance of happening     Rare              1
6. Current Mitigation Measures – Risk mitigation is a three-pronged weapon to alleviate the effects of risks.
Firstly, there need to be Prevention measures in place so that the risk event is prevented from occurring (e.g. in the case of fire because of a short circuit there could be prevention measures such as adequate air gaps between conductors, providing the best class of insulators, etc.).
Next, there need to exist Detection measures, in case the risk event occurs, or better still so that the possible occurrence of the event can be detected even before it occurs (e.g. in the case of fire, fire and smoke detectors may be installed for early detection).
And finally, there needs to be a Response mechanism in place, in case the event does occur (e.g. availability of fire fighting equipment, trained personnel who know how to handle fires, ready availability of fire tenders nearby and above all a well documented and tested plan to handle the situation). A well tested business continuity plan is also a part of the response mechanism.
9. Risk Assessment Model
7. Mitigation Score – This score measures on a scale of 1-5 the assessment of the availability of mitigation measures for the identified risk event, based on the evaluation criteria provided in the table below. The weaker the current measures in place, the higher the score.
Current Mitigation Measures   Score   Mitigation Score Criteria
Highly Ineffective              5     1. Prevention is impossible or prevention measures are not in place
                                      2. No known detection method is available, or even if available it has not been implemented
                                      3. No response mechanism, in case of the event occurring, has been put in place
Ineffective                     4     1. Prevention is possible but prevention measures are not in place, or even if in place they are not effective
                                      2. Known detection method(s) is/are available but it/they have not been implemented, or even if implemented they do not work effectively or work only sporadically
                                      3. Response mechanism is in place but is not effective
Moderately Effective            3     1. Prevention measures are in place and are somewhat effective
                                      2. Detection methods have been implemented and are somewhat effective
                                      3. Response mechanism is in place and is somewhat effective
Effective                       2     1. Prevention measures are in place and are quite effective
                                      2. Detection methods have been implemented and are quite effective
                                      3. Response mechanism is in place and is quite effective
Very Effective                  1     1. Prevention measures are in place and are very effective
                                      2. Detection methods have been implemented and are very effective
                                      3. Response mechanism is in place and is very effective
10. Risk Assessment Model
8. Risk Magnitude Score (RMS) – This is the score obtained by multiplying the three scores, Severity (S), Likelihood (L) and Mitigation (M). That is: RMS = S x L x M
The RMS value can range from 1 to 125 and helps rank the identified risk events and their causes in order of priority. Higher scores will generally require higher priority in terms of actions to be taken.
9. Recommended Actions – This column specifies the actions that are recommended to be taken to bring down the RMS of the identified risk event. These actions should be directed towards reducing the severity of effects, towards reducing the likelihood of occurrence, and also towards bringing in mitigation measures of prevention, detection and response.
10. Responsibility and Target Date – This column contains the names of the persons charged with the responsibility of completing the recommended actions and the target date of completion.
11. RMS After Actions Taken – Once the actions have been taken, a re-assessment of the risk is done and the new RMS score is obtained. Needless to say, if the actions taken have been effective then the score will come down.
11. Risk Assessment Model
Criteria For Risk Treatment
It may be noted that not all risks will require mitigating measures to be adopted. Based on the RMS score a risk may be:
Tolerated or Accepted – in the case of low risk
Transferred (e.g. to insurance companies) – in the case of medium to high risk, especially if it makes financial sense to transfer rather than mitigate from a return on investment point of view
Mitigated (using controls for prevention, detection and response as discussed earlier) – in the case of medium to high risk
Take urgent corrective actions – in the case of very high risks
The table below provides the evaluation criteria which may be used to decide if a risk will be tolerated/accepted, transferred or mitigated. Please note that this is only indicative and practitioners must apply their own judgment when creating their own criteria table.
RMS Score   Treatment
90-125      Take urgent actions
27-90       Mitigate or Transfer
0-27        Tolerate/Accept
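The following is an added worked example of the whole model from slides 6 to 11, written for this page and not code from the original presentation: the probability-to-likelihood criteria, RMS = S x L x M, ranking of a register by RMS, the treatment criteria table, and the re-scored RMS after actions are taken. The scoring tables are transcribed from the slides; the register rows (the first reuses the fuel-storage/fire example from the slides) and the names RiskEntry, likelihood_score, risk_magnitude, treatment, prioritise and example_register are constructed for this example. Where the slide tables share a boundary value (70%, 50%, 30%, RMS 90 and 27), the code assigns the boundary to the higher, more cautious band, which is one reading of the tables rather than something the slides state.

```python
"""Worked instance of the BS25999-2 Risk Assessment Model from the slides.
Added example; tables transcribed from the slides, everything else constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Likelihood Of Occurrence criteria (1-5). Band 5 is ">90%", so exactly 90%
# falls in "Likely"; the shared boundaries 70/50/30 go to the higher band.
LIKELIHOOD_BANDS = ((0.70, 4), (0.50, 3), (0.30, 2), (0.00, 1))

# Criteria For Risk Treatment; 90 and 27 are shared boundaries on the slide,
# assigned here to the more cautious (higher) band.
TREATMENT_BANDS = ((90, "Take urgent actions"),
                   (27, "Mitigate or Transfer"),
                   (0, "Tolerate/Accept"))


def likelihood_score(probability: float) -> int:
    """Map an estimated probability (0.0-1.0) of the risk event to the 1-5 score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.90:
        return 5  # Almost Certain
    for lower, score in LIKELIHOOD_BANDS:
        if probability >= lower:
            return score
    return 1  # not reached: the last band starts at 0.0


def _check_score(name: str, value: int) -> int:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} score must be an integer 1-5, got {value!r}")
    return value


def risk_magnitude(severity: int, likelihood: int, mitigation: int) -> int:
    """RMS = S x L x M; each input is 1-5, so the result lies in 1-125."""
    return (_check_score("severity", severity)
            * _check_score("likelihood", likelihood)
            * _check_score("mitigation", mitigation))


def treatment(rms: int) -> str:
    """Choose the treatment for an RMS value from the slide's criteria table."""
    if not 1 <= rms <= 125:
        raise ValueError("RMS must be between 1 and 125")
    for lower, action in TREATMENT_BANDS:
        if rms >= lower:
            return action
    return TREATMENT_BANDS[-1][1]  # not reached: the last band starts at 0


@dataclass
class RiskEntry:
    """One worksheet row; the comments give the column number on slide 6."""
    vulnerability: str               # 1
    threat: str                      # 2
    damage: str                      # 3
    severity: int                    # 4  [S]
    likelihood: int                  # 5  [L]
    mitigation: int                  # 7  [M]
    measures: str = ""               # 6  current mitigation measures (free text)
    actions: str = ""                # 9
    owner: str = ""                  # 10 responsibility and target date
    rms_after: Optional[int] = None  # 11

    def rms(self) -> int:            # 8
        return risk_magnitude(self.severity, self.likelihood, self.mitigation)

    def treatment(self) -> str:
        return treatment(self.rms())

    def reassess(self, severity: int, likelihood: int, mitigation: int) -> int:
        """Re-score after the recommended actions were carried out (column 11)."""
        self.rms_after = risk_magnitude(severity, likelihood, mitigation)
        return self.rms_after


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest RMS first: that is the order in which actions should be taken."""
    return sorted(register, key=lambda e: e.rms(), reverse=True)


def example_register() -> List[RiskEntry]:
    """Constructed sample rows; the first one is the slides' fuel/fire example."""
    return [
        RiskEntry("Fuel storage near electrical substation",
                  "Electrical short circuit and sparks ignite the fuel",
                  "Loss of life; loss of building and equipment due to fire",
                  severity=5, likelihood=likelihood_score(0.55), mitigation=4,
                  measures="Air gaps between conductors; no detectors; no fire plan",
                  actions="Install smoke detectors; document and test fire response",
                  owner="Site manager, target date: placeholder"),
        RiskEntry("Standby generator never test-run",
                  "Extended mains power outage",
                  "Site unavailable until power is restored",
                  severity=4, likelihood=likelihood_score(0.95), mitigation=5),
        RiskEntry("Single supplier for a critical component",
                  "Supplier insolvency",
                  "Production halts until an alternative is qualified",
                  severity=3, likelihood=likelihood_score(0.35), mitigation=3),
    ]


if __name__ == "__main__":
    for entry in prioritise(example_register()):
        print(f"RMS {entry.rms():3d}  {entry.treatment():20s}  {entry.vulnerability}")
```

Running the script ranks the three constructed rows as RMS 100 (urgent), 60 (mitigate or transfer) and 18 (tolerate). Calling reassess() on the fire row with, say, likelihood 2 and mitigation 2 after detectors and a tested response plan are in place gives an RMS of 20, which is the column 11 value the slides describe: the score comes down when the actions were effective.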