This document discusses risk management and provides definitions of risk. It summarizes the key steps in the risk management process as establishing context, identifying risks, analyzing risks, evaluating risks, treating risks, and monitoring and reviewing risks on an ongoing basis. Communication and consultation are also emphasized. Various risk management models and the benefits of risk management for organizations are outlined. Myths about risk management are dispelled.

1. © Continuity and Resilience – Copyright 2013
Risk Management and Models
CII – Nov. 05, 2015

2. Introductions
2

3. About Continuity and Resilience
(CORE)
• ISO 22301 Certified Management Consulting Firm
• Business Continuity Management
• Crisis Management
• IT Disaster Recovery
• Green IT
• Risk Management
• Information Security Management
• We Consult / Train / Assess and Certify in these
domains
3

4. A person who can foresee
problems / difficulties and
identify proactive solutions will
live happily
- Chanakya (350 – 283 BC), Author of Artha
Sasthra
4

5. 5
What is Risk?
• Risk is the potential that
something will go wrong as a
result of one or a series of
events.
To get profit without risk, experience without danger,
and reward without work, is as impossible as it is to live
without being born.
- A.P. Gouthe

6. Risk Definitions – the change over time
6
Source Definitions
ISO/IEC Guide
51:1999
Combination of the probability of occurrence of harm
and the severity of that harm
ISO/ IEC Guide
73:2002
Combination of the probability of an event and its
consequence
AS/NZS 4360:
2004
Chance of something happening that will have an impact
on objectives
COSO (2004) ERM
Integrated
Framework
Events with a negative impact represent risks, which can
prevent value creation or erode existing value. Events
with positive impact may offset negative impacts or
represent opportunities.
ISO 31000:2009 Effect of uncertainty on objectives
ISO 22301:2012 Effect of uncertainty on objectives

7. Harmonization of International Standards
• ISO/IEC 31000 - Risk management – Principles and
guidelines
• ISO/IEC 31010 - Risk management – Risk assessment
techniques
• ISO/IEC 27001 - Information technology – Security
techniques – Information security management systems –
Requirements
• ISO/IEC 27005 - Information technology – Security
techniques – Information security risk management systems

8. 8
Universe of Risks-1
www.ey.com

9. Universe of Risks - 2
Natural Manmade Accidental
Internal External

10. Potential Sources of Risk

11. Lessons from Animals-1
Don’t be a pigeon!
11

12. Why are we talking
about Risk?

13. Today’s networks are more
exposed to threats & risks
Gartner brought up an
interesting concept: "Perimeters
and firewalls are no longer
enough; every app needs to be
self-aware and self-protecting."
The risk environment is
constantly changing.
Financially-motivated, targeted
attacks are increasing – but
most security processes and
technologies are failing to keep
up.
Exposure points

14. 14
“Risk comes from
not knowing what
you’re doing”
- Warren Buffett
Well, then I
guess, we both
are in deep
trouble

15. About …
Risk Management
In assessing risks, technical
people tend to focus on
technical issues which have
occurred to them, but the
major risks for a product
may be business-related –
obstacles they don’t consider
as often..

16. What is Risk Management?
Who uses Risk Management?
How is Risk Management used?
Risk Management Models

17. • Good management practice
• Process steps that enable improvement
in decision making
• A logical and systematic approach
• Identifying opportunities
• Avoiding or minimizing losses
What is Risk Management?

18. Risk Management is the name given
to a logical and systematic method
of identifying, analysing, treating
and monitoring the risks involved in
any activity or process.
What is Risk Management?

19. Risk Management is a
methodology that helps managers
make best use of their available
resources
What is Risk Management?

20. Coordinated activities to direct and
control an organization with
regard to risk
What is Risk Management?

21. Risk Management - Benefits
21
Likelihood of
achieving
objectives is
increased
Proactive
management is
encouraged
Identification of
opportunities
and threats is
increased
Legal and
regulatory
compliance is
achieved
Improvement in
mandatory and
voluntary
reporting is
achieved
Governance is
improved
Interested
parties’
confidence and
trust is enhanced
Decision making
and planning is
improved
Resource
allocation is
effective

22. Risk Management - Benefits
22
Operational
effectiveness
and efficiency is
improved
Health and
safety
performance is
enhanced
Environmental
protection is
improved
Loss prevention
and incident
management is
improved
Losses are
minimised
Organisational
learning is
improved
Overall
improvement is
organisational
resilience is
achieved

23. Risk Management
practices are widely used
in public and the private
sectors, covering a wide
range of activities or
operations.
These include:
Who uses Risk Management?
• Finance and
Investment
• Insurance
• Health Care
• Public
Institutions
• Governments

24. • Effective Risk Management
is a recognized and valued skill.
• Educational institutions have formal study
courses and award degrees in Risk
Management.
• The Risk Management process is well
established. (International RM process
standards.)
Who uses Risk Management?

25. Risk Management is
now an integral part of business
planning.
Who uses Risk Management?

26. Risk Management -Myths
• “We can only do so much; then whatever happens,
happens.”
• “Don’t be concerned with Risk Management (RM); there
is nothing in it that applies to non-financial businesses.”
• “It’s hard to find someone who has the expertise to
address all risks across the organization. Isn’t that what
the CEO and CFO should be doing?”
• “Buying insurance manages the risk, doesn’t it?”
26

27. Risk Management -Myths
• “Risk management is only for large companies”
• “We have lots of insurance”
• “We already have a safety program”
• “We haven’t had any problems so far”
(but WE ARE ALWAYS ONE DISASTER BEHIND)
• “It’s too expensive to implement a program”
• “My company doesn’t have ethical risks.”
27

28. 28

29. The Risk Management
process steps are a
generic guide for
any organisation,
regardless of the
type of business,
activity or function.
How is Risk Management used?
There are
7 steps
in the RM
process

30. 30
“The first step in the
risk management
process is to
acknowledge the
reality of risk.
Denial is a common tactic
that substitutes deliberate
ignorance for thoughtful
planning.”
--Charles Tremper

31. The basic process steps are:
Establish the context
Identify the risks
Analyse the risks
Evaluate the risks
Treat the risks

32. ‘Risk’ is dynamic and subject to constant
change, so the process includes
continuing:
Communication & consultation
Monitoring and review
and

33. The Risk Management process:
The strategic and organisational context in
which risk management will take place.
For example, the nature of your business,
the risks inherent in your business and
your priorities.
Communicate & consult
Establish the context

34. The Risk Management process:
Communicate & consult
Monitor and review
Defining types of risk, for instance,
‘Strategic’ risks to the goals and objectives
of the organisation.
• Identifying the stakeholders, (i.e.,who is
involved or affected).
• Past events, future developments.
Identify the risks

35. The Risk Management process:
Communicate & consult
Monitor and review
Analyse the risks
How likely is the risk event to happen?
(Probability and frequency?)
What would be the impact, cost or
consequences of that event occurring?
(Economic, political, social?)

36. The Risk Management process:
Communicate & consult
Monitor and review
Evaluate the risks
Rank the risks according to management
priorities, by risk category and rated by
likelihood and possible cost or
consequence.
Determine inherent levels of risk.

37. The Risk Management process:
Treat the risks
Develop and implement a plan with specific
counter-measures to address the identified
risks.
Consider:
• Priorities (Strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance, (i.e., low risks)

38. The Risk Management process:
Document your risk management plan and
describe the reasons behind selecting the risk
and for the treatment chosen.
Record allocated responsibilities, monitoring or
evaluation processes, and assumptions on
residual risk.
Communicate & consult
Monitor and review
Treat the risks

39. The Risk Management process:
Communicate & consult
Risk Management policies and decisions
must be regularly reviewed.
Monitor and review
In identifying, prioritising and treating risks,
organisations make assumptions and decisions
based on situations that are subject to change,
(e.g., the business environment, trading
patterns, or government policies).

40. The Risk Management process:
Risk Managers must monitor activities and
processes to determine the accuracy of
planning assumptions and the effectiveness
of the measures taken to treat the risk.
Methods can include data evaluation, audit,
compliance measurement.
Communicate & consult
Monitor and review

41. The Risk Management process:
Establish the context
Identify the risks
Analyse the risks
Evaluate the risks
Treat the risks

42. “Business as usual is business at risk”
- Deloitte Old whitepaper
42
“The problem in my life and other people’s lives is not
the absence of knowing what to do, but the absence
of doing it”
- Peter F Drucker
Famous Quotes

43. 43
“Good Risk Management fosters vigilance in times of calm
and instills discipline in times of crisis.”
--Dr. Michael Ong

44. 44
• “Risk management should be an enterprise-wide exercise
and engrained in the business culture of the
organization.”
-- Julie Dickson

45. 45
“If you treat risk management as a part-time job, you
might soon find yourself looking for one.”
--someone in Deloitte

46. 4 T’s of Risk Management
46
• Tolerate (what is within your risk appetite)
• Treat (by investing)
• Transfer (through insurance)
• Terminate (the risk / process itself)

47. Heat Diagram (before and after
treatment)
• Number of risks falling in the Red and Amber should
reduce after treatment
• These should further reduce after treatment of the
residual risks
• Which must further keep reducing over a period
• While new risks may also appear
47

48. Lessons from Animals-2
Don’t be a horse!
48

49. Risk Management Maturity Model
• There is no established Maturity Model for Risk
Management, exists now;
• But one can easily be developed and adopted
49
“If you can't describe what you are doing as a process,
you don't know what you're doing” W. Edward Deming

50. RM Maturity Model- Deloitte sample
50

51. RM Maturity Model
• Levels and Parameters defined by someone else
• Level 1: Ad hoc. Undocumented; in a state of dynamic
change; depends on individual heroics
• Level 2: Preliminary. Risk defined in different ways and
managed in silos. Process discipline is unlikely to be
rigorous.
• Level 3: Defined. A common risk assessment/response
framework is in place. Organization-wide view of risk is
provided to executive leadership. Action plans implemented
in response to high priority risks.
51

52. RM Maturity Model
• Levels and Parameters defined by someone else
• Level 4: Integrated. Risk management activities
coordinated across business areas. Common risk
management tools and processes used where appropriate,
with enterprise-wide risk monitoring, measurement and
reporting. Alternative responses analyzed with scenario
planning. Process metrics in place.
• Level 5: Optimized. Risk discussion is embedded in
strategic planning, capital allocation, and other processes
and in daily decision-making. Early warning system to notify
board and management to risks above established
thresholds.
52

53. Other RM Standards
• ISO 14971
• Medical devices – Application of risk management to medical
devices
• ISO /IEC 16085
• Systems and Software Engineering - Life cycle processes – Risk
management
• ISO 17666
• Space systems – Risk management
• ISO / IEC 27005
• Information technology – Security techniques – Information
security risk management
53

54. Other RM Standards
• AS/ NZS 4360
• Risk Management**
• COSO Enterprise Risk Management – Integrated
Framework
• NIST 800-30
• Risk Management Guide for Information Technology Systems
** Base standard for ISO 31000; is the first international standard on Risk Management
54

55. 1.
Define
1.1 Stakeholders
1.2 Risk Management Executive
1.3 Scope
2.4 Decide
Response
3
Select
Control
Criteria &
Implement
Controls
3.1 Choose
Controls
3.2 Implement
Controls
4.
Audit & Testing
of Controls
4.3 Accreditation
4.2 External
Testing/Auditing
4.1 Internal
Testing/Auditing
5.
Improvement
Plan
5.2 Monitor
5.1 Agree
6.4 Categorise
6.
Incident
Management
6.1 Monitor
6.3 Record
6.2 Respond
2
Risk Analysis2.1 Risk
Identification
2.3 Calculate Risk
2.2 Identify Appetite
Plan
Do
Check
Act
Deming
Cycle
BT Risk Process &
Activity Lifecycle
(PDCA Model)

56. Other Strategic Risks
• Recently, the following have been gaining a lot of
importance
• Sustainability Risks
• Cloud Computing Risks
56

57. 57
Risk Management Rules
1. Don’t underestimate your risks
2. Risks don’t go away (it exists as it is)
3. The certifications doesn’t make you ready
4. You can’t just rely on technology
5. Be careful of professional burnout
6. Look after your (precious) data
7. Risk Management? Incident Management?
8. Manage risks from top down
9. Don’t reveal your internal documents
10. Lies, damn lies and statistics…..

58. A Balanced Approach - Risks need to be
understood
Potential
Threats
to Assets
Potential
Vulnerability
Reality Check
Balanced
Solution
Risk Appetite
Solution for
Acceptable
Risk
Mitigation
Lo
w
Hig
h
Lo
w
Hig
h
Lo
w
Hig
h
Information
Security
Cost
Risk Usability
Risk Management is the
management of Trade-off

59. There must be a balance!

61. © Continuity and Resilience – Copyright 2013
Thank You

62. CONTINUITY & RESILIENCE
Email: info@continuityandresilience.com
Website: www.continuityandresilience.com
http://www.coreconsulting.ae/
62