Click here to buy toolkit now

XYZ LIMITED

RISK ASSESSMENT AND RISK TREATMENT METHODOLOGY

Version: PGL/RA/01

Date of version: April 13, 2017

Created by: QMS TEAM

Approved by: Managing Director

Confidentiality level: High

 Click here to buy toolkit now

Change history
Date Version Created by Description of change
 Click here to buy toolkit now

Table of contents
1. PURPOSE, SCOPE AND USERS................................................................................................................... 4

2. REFERENCE DOCUMENTS ......................................................................................................................... 4

3 RISK MANAGEMENT POLICY AND STRATEGY

4. RISK ASSESSMENT AND RISK TREATMENT METHODOLOGY ..................................................................... 6

4 RISK ASSESSMENT
4.1.1. The process ................................................................................................................................... 6
4.1.2. Assets, vulnerabilities and threats ................................................................................................ 6
4.1.3. Determining the risk owners ......................................................................................................... 7
4.1.4. Consequences and likelihood ........................................................................................................ 7
4.2. RISK ACCEPTANCE CRITERIA........................................................................................................................... 8
4.3. RISK TREATMENT ........................................................................................................................................ 8
4.4. REGULAR REVIEWS OF RISK ASSESSMENT AND RISK TREATMENT ............................................................................ 9
4.5. APPROVAL OF RISK TREATMENT PLAN ......................................................................................................... 9
4.6. REPORTING ............................................................................................................................................... 9

5. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT.............................................................. 9

6. VALIDITY AND DOCUMENT MANAGEMENT ........................................................................................... 10

7. APPENDICES ........................................................................................................................................... 10
Click here to buy toolkit now

1. Purpose, scope, users and strategy

The purpose of this document is to define the methodology for assessment and treatment of QMS
risks in XYZ LIMITED, and to define the acceptable level of risk according to the ISO 18788 standard.

2. Reference documents
• ISO 18788 standard,
• Security Operations Management Policy

3. Risk management policy and strategy

XYZ LIMITED is committed to identifying, assessing, evaluating and treating our strategic,
tactical and operational risks that can prevent us from achieving our organizational
objectives.

To drive this policy, we will:

• Identify and manage significant risks, including those associated with operating
conditions, emergency situations, accidents and potential undesirable and disruptive
events;
• Identify and manage significant human rights risks, in order to reduce or mitigate the
severity of the impacts of the organization’s security operations;
• Evaluate existing risk management practices and procedures, including those
associated with, subcontracting activities;
• Evaluate previous emergency situations and accidents, as well as previous measures
taken to prevent and respond to undesirable and disruptive events.

This policy shall be communicated to all relevant stakeholder to ensure conformity.

Our risk management policy will be reviewed as the need arises

Signed:

MANAGING DIRCTOR.
Click here to buy toolkit now

RISK MANAGEMENT STRATEGY

Our risk management STRATEGY INVOLVES identification, analysis, evaluation, treatment and re-
evaluation of risks related to the appropriate context. Our internal environment, external
environment and clients’ assets
 Click here to buy toolkit now
Risk assessment and risk treatment are applied to
1. Internal environmental issues
2. External environment issues
3. Needs and expectations of interested parties
4. Subcontractors/ External providers
5. Processes
6. Service
7. Client asset
8. Change management

Users of this document are all employees of XYZ LIMITED who take part in risk assessment and risk
treatment.

4. Risk Assessment and Risk Treatment Methodology

4.1. Risk assessment

4.1.1. The process

Risk assessment is implemented through the Risk Assessment Table. The risk assessment process is
coordinated by QMS Team, identification of threats and vulnerabilities is performed by risk
assessment team.

4.1.2. Assets, vulnerabilities and threats

9. The first step in risk assessment is the identification of all assets in the QMS scope –

Internal environmental issues, External environment issues, Needs and expectations of interested
parties, Subcontractors/External providers, Processes, Services, Customer satisfaction, Change
management

It is also necessary to identify their makers – the person or organizational unit responsible for
creating the risk and also the takers. Persons responsible for taking the risk.

The next step is to identify all threats and vulnerabilities associated with each asset. Threats and
vulnerabilities are identified using the catalogues included in the Risk Assessment Table. Every asset
may be associated with several threats, and every threat may be associated with several
vulnerabilities.
 XYZ LTD High

Click here to buy toolkit now

4.1.3. Determining the risk owners

For each risk, a risk owner has to be identified – the person or organizational unit treating each risk.
This person may or may not be the same as the risk taker or maker.

4.1.4. Consequences and likelihood

Once risk owners have been identified, it is necessary to assess consequences for each combination
of threats and vulnerabilities for an individual asset if such a risk materializes:

Low service impact causes hours or minute delay in delivery -

low
1 Causes a still acceptable deviation from specific, service loss < 10
consequence
thousand naira.
Intermediate service impact causes between one and two days
Intermediate
3 delay in production, causes some product deviation from specific,
consequence
service loss > 10 thousand naira but less than 1 million naira.

Severe
5 Severe service Impact causes more than 2 DAYS delay, Complete
consequence
service deviation from specific. service loss > 1 million naira.

After the assessment of consequences, it is necessary to assess the likelihood of occurrence of such a
risk, i.e. the probability that a threat will exploit the vulnerability of the respective asset:

Low
1 Highly unlikely
likelihood

Moderate
3 Unlikely
likelihood

High
5 Likely
likelihood

Risk Assessment and Risk Treatment Methodology Version 01 [13/4/17 Page 7 of 10

 Click here to buy toolkit now
XYZ LTD High

After the assessment of consequences and likelihood of occurrence, it is necessary to assess the
effectiveness of current controls in addressing the probability that a threat will exploit the
vulnerability of the respective asset:

Available 1 Controls available and very liable

Available
but not 3 Controls available but not really effective
reliable

No control 5 Current control is unreliable, ineffective or non-existent

By entering the values of consequence, likelihood of occurrence and current controls into the Risk
Assessment Table, the level of risk is calculated automatically by multiplying the three values.
Existing security controls are to be entered in the last column of the Risk Assessment Table.

4.2. Risk acceptance criteria

Values between 0-17, are acceptable risks; values between 18 -44 means the risk requires
reduction, attention/monitoring/treatment can be delayed; values between 45-78 are unacceptable
risks. Unacceptable risks must be treated.

3.2.1 Opportunities for improvement

Vulnerabilities and control deficiencies reveal opportunities for improvement which, are discovered
during risk assessment, significant risks and opportunities form the basis of risk treatment plans

4.3. Risk treatment

Risk treatment is implemented through the Risk Treatment Table, by copying all risks identified as
unacceptable from the Risk Assessment Table. Risk treatment plans are completed by QMS Team.

One or more treatment options must be selected for risks valued 75 - 125:

1. Selection of appropriate controls

2. Transferring the risks to a third party – e.g. by purchasing an insurance policy or signing a
contract with suppliers or partners
3. Avoiding the risk by discontinuing a business activity that causes such risk
4. Accepting the risk – this option is allowed only if the selection of other risk treatment
options would cost more than the potential impact should such risk materialize

The selection of options is implemented through the Risk Treatment Table. Usually, option 1 is
selected: selection of one or more controls. When several controls are selected for a risk, then
additional rows are inserted into the table immediately below the row specifying the risk.

The treatment of risks related to outsourced processes must be addressed through the contracts
with responsible third parties.

Risk Assessment and Risk Treatment Methodology Version 01 [13/4/17 Page 8 of 10

 Click here to buy toolkit now
XYZ LTD High

In the case of option 1 (selection of controls), it is necessary to assess the new value of consequence
and likelihood in the Risk Treatment Table, in order to evaluate the effectiveness of planned controls.

4.4. Regular reviews of risk assessment and risk treatment

Risk owners must review existing risks and update the Risk Assessment Table and Risk Treatment
Table in line with newly identified risks. The review is conducted as the need arises in the case of
significant organizational changes, significant change in technology, change of business objectives,
changes in the business environment, etc.

4.5. Approval of Risk treatment plan

QMS Team will prepare the Risk treatment plan in which the implementation of controls will be
planned. On behalf of the risk owners, Managing Director will approve the Risk treatment plan and
accept all residual risks on behalf of the risk owners.

4.6. Reporting

QMS Team will document the results of risk assessment and risk treatment, and all of the subsequent
reviews, in the Risk Assessment and Treatment Report.

QMS Team will monitor the progress of implementation of the Risk treatment plan and report the
results to Managing Director.

5. Managing records kept on the basis of this document

Record name Storage location Person Control for record Retention
responsible for protection time
storage
Risk Assessment [job title]'s [job title of the Only [job title] has the Data is
Table (electronic computer owner of the right to make entries stored
form – Excel Risk into and changes to the permanently.
document) Assessment Risk Assessment Table.
Table]

Risk Treatment [job title]'s [job title of the Only [job title] has the Data is
Table (electronic computer owner of the right to make entries stored
form – Excel Risk Treatment into and changes to the permanently.
document) Table] Risk Treatment Table.

Risk Assessment [job title]'s [job title of the The Report is prepared The Report is
and Treatment computer owner of the in read-only PDF format stored for a
Report (electronic Report] period of 3
form – PDF years
format)

Risk Assessment and Risk Treatment Methodology Version 01 [13/4/17 Page 9 of 10

 Click here to buy toolkit now
XYZ LTD High

Risk treatment [job title]'s [job title of the Only [job title] has the Older
plan (electronic computer person right to make entries versions of
form – Word responsible for into and changes to the Risk
document) the Risk Risk treatment plan treatment
treatment plan] plan are
stored for a
period of 3
years

Only document/record holder can grant other employees access to any of the above mentioned
documents.

6. Validity and document management

This document is valid as of April 13, 2017.

The owner of this document is Management of XYZ LIMITED, who must check and, if necessary,
update the document as the need arises.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be
considered:

• the number of incidents which occurred, but were not included in risk assessment
• the number of risks which were not treated adequately
• the number of errors in the risk assessment and risk treatment process because of unclear
definition of roles and responsibilities

7. Appendices
• Appendix 1: Form – Risk Assessment Table
• Appendix 2: Form – Risk Treatment Table
• Appendix 3: Form – Risk Assessment and Treatment Report

MANAGING DIRECTOR
ANDREW UTAH

_________________________
SIGNATURE
Risk Assessment and Risk Treatment Methodology Version 01 [13/4/17 Page 10 of 10