Risk Management

This document discusses risk management, including defining risk as events that could have negative or positive consequences, and outlining the key steps in a risk management process. It describes identifying risks from various sources, assessing their potential impact and probability, then developing and prioritizing strategies to avoid, reduce, transfer or accept different risks. The document provides details on assessing risk likelihood and severity, and treating risks through avoidance, reduction, sharing or retention approaches.

MCS

RISK MANAGEMENT

Submitted By: SHARON PETER

20397121

Risk management is the identification, evaluation, and prioritization of risks followed by the coordinated and
economical application of resources to minimize, monitor, and control the probability
or impact of unfortunate events or to maximize the realization of opportunities.

Risks can come from various sources including uncertainty in international markets,
threats from project failures (at any phase in design, development, production, or
sustaining of life-cycles), legal liabilities, credit risk, accidents, natural causes and
disasters, deliberate attack from an adversary, or events of uncertain or
unpredictable root-cause.

Strategies to manage threats (uncertainties with negative consequences) typically
include avoiding the threat, reducing the negative effect or probability of the threat,
transferring all or part of the threat to another party, and even retaining some or all of
the potential or actual consequences of a particular threat. The opposite of these
strategies can be used to respond to opportunities (uncertain future states with
benefits).

In ideal risk management, a prioritization process is followed whereby the risks with
the greatest loss (or impact) and the greatest probability of occurring are handled
first. Risks with lower probability of occurrence and lower loss are handled in
descending order. Again, ideal risk management minimizes spending (of manpower
or other resources) and also minimizes the negative effects of risks.

Method:
For the most part the following elements are performed more or less in the following
order:

1. Identify the threats
2. Assess the vulnerability of critical assets to specific threats
3. Determine the risk (i.e. the expected likelihood and consequences of specific
types of attacks on specific assets)
4. Identify ways to reduce those risks
5. Prioritize risk reduction measures
Principles:
The International Organization for Standardization (ISO) identifies the following
principles of risk management. Risk management should:

• Create value – resources expended to mitigate risk should be less than the
consequence of inaction
• Be an integral part of organizational processes
• Be part of the decision making process
• Explicitly address uncertainty and assumptions
• Be a systematic and structured process
• Be based on the best available information
• Take human factors into account
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed

Risk Management Process/Framework Development Steps:

Establishing the context:
This involves:

1. Observing the context
   o The social scope of risk management
   o The identity and objectives of stakeholders
   o The basis upon which risks will be evaluated, and any constraints
2. Defining a framework for the activity and an agenda for identification
3. Developing an analysis of risks involved in the process
4. Mitigation or solution of risks using available technological, human and
organizational resources.

Identification:
After establishing the context, the next step in the process of managing risk is to
identify potential risks. Risks are about events that, when triggered, cause problems
or benefits. Hence, risk identification can start with the source of problems and those
of competitors (benefit), or with the problem's consequences.

• Source analysis – Risk sources may be internal or external to the system that
is the target of risk management (use mitigation instead of management since by
its own definition risk deals with factors of decision-making that cannot be
managed).
Some examples of risk sources are: stakeholders of a project, employees of a
company or the weather over an airport.

• Problem analysis – Risks are related to identified threats. For example: the
threat of losing money, the threat of abuse of confidential information or the
threat of human errors, accidents and casualties. The threats may exist with
various entities, most importantly with shareholders, customers and legislative
bodies such as the government.
When either the source or the problem is known, the events that a source may trigger or the
events that can lead to a problem can be investigated. For example: stakeholders
withdrawing during a project may endanger funding of the project; confidential
information may be stolen by employees even within a closed network; lightning
striking an aircraft during takeoff may make all people on board immediate
casualties.
The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development
of templates for identifying source, problem or event. Common risk identification
methods are:
• Objectives-based risk identification – Organizations and project teams have
objectives. Any event that may prevent an objective from being achieved is
identified as a risk.
• Scenario-based risk identification – In scenario analysis different scenarios
are created. The scenarios may be the alternative ways to achieve an objective,
or an analysis of the interaction of forces in, for example, a market or battle. Any
event that triggers an undesired scenario alternative is identified as a risk –
see Futures Studies for methodology used by Futurists.
• Taxonomy-based risk identification – The taxonomy in taxonomy-based risk
identification is a breakdown of possible risk sources. Based on the taxonomy
and knowledge of best practices, a questionnaire is compiled. The answers to
the questions reveal risks.
• Common-risk checking – In several industries, lists of known risks are
available. Each risk in the list can be checked for application to a particular
situation.
• Risk charting – This method combines the above approaches by listing
resources at risk, threats to those resources, modifying factors which may
increase or decrease the risk, and consequences that one wishes to avoid. Creating
a matrix under these headings enables a variety of approaches. One can begin
with resources and consider the threats they are exposed to and the
consequences of each. Alternatively one can start with the threats and examine
which resources they would affect, or one can begin with the consequences and
determine which combination of threats and resources would be involved to bring
them about.

Assessment
Once risks have been identified, they must then be assessed as to their potential
severity of impact (generally a negative impact, such as damage or loss) and the
probability of occurrence. These quantities can be either simple to measure, in the
case of the value of a lost building, or impossible to know for sure in the case of an
unlikely event whose probability of occurrence is unknown. Therefore, in the
assessment process it is critical to make the best educated decisions in order to
properly prioritize the implementation of the risk management plan.
Even a short-term positive improvement can have long-term negative impacts. Take
the "turnpike" example. A highway is widened to allow more traffic. More traffic
capacity leads to greater development in the areas surrounding the improved traffic
capacity. Over time, traffic thereby increases to fill the available capacity. Turnpikes
thereby need to be expanded in a seemingly endless cycle. There are many other
engineering examples where expanded capacity (to do any function) is soon filled by
increased demand. Since expansion comes at a cost, the resulting growth could
become unsustainable without forecasting and management.
The fundamental difficulty in risk assessment is determining the rate of occurrence,
since statistical information is not available on all kinds of past incidents and is
particularly scanty in the case of catastrophic events, simply because of their
infrequency. Furthermore, evaluating the severity of the consequences (impact) is
often quite difficult for intangible assets. Asset valuation is another question that
needs to be addressed. Thus, best educated opinions and available statistics are the
primary sources of information. Nevertheless, risk assessment should produce such
information for the senior executives of the organization that the primary risks are easy
to understand and that the risk management decisions may be prioritized within
overall company goals. Thus, there have been several theories and attempts to
quantify risks. Numerous different risk formulae exist, but perhaps the most widely
accepted formula for risk quantification is: "Rate (or probability) of occurrence
multiplied by the impact of the event equals risk magnitude."
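As an added example (not part of the submitted document), the formula above and the prioritization rule from the opening section are applied to a small constructed risk register in Python; the block also checks the ISO "create value" principle, i.e. that a control costs less than the expected loss it removes. All risk names, probabilities, losses and the antivirus control figures are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float  # rate of occurrence per year, 0..1 (constructed value)
    impact: float       # loss if the event occurs, in currency units (constructed)

    def magnitude(self) -> float:
        """Risk magnitude = rate (or probability) of occurrence x impact."""
        return self.probability * self.impact


@dataclass
class Control:
    name: str
    cost: float                # annual cost of operating the control
    probability_factor: float  # share of the probability that remains, 0..1
    impact_factor: float       # share of the impact that remains, 0..1


def residual_magnitude(risk: Risk, control: Control) -> float:
    """Expected loss that remains once the control is in place."""
    return (risk.probability * control.probability_factor) * (risk.impact * control.impact_factor)


def creates_value(risk: Risk, control: Control) -> bool:
    """ISO 'create value' test: mitigation must cost less than the loss it removes."""
    reduction = risk.magnitude() - residual_magnitude(risk, control)
    return control.cost < reduction


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Greatest expected loss is handled first, the rest in descending order."""
    return sorted(risks, key=lambda r: r.magnitude(), reverse=True)


# Constructed sample register; names and figures are illustrative only.
REGISTER = [
    Risk("Computer virus outbreak on workstations", 0.60, 50_000),
    Risk("Damage to organizational image after a data breach", 0.05, 2_000_000),
    Risk("Lightning strike on the server room", 0.001, 500_000),
]
ANTIVIRUS = Control("Antivirus software", 8_000, 0.25, 1.0)  # hypothetical control

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.magnitude():>10,.0f}  {r.name}")
    print("Antivirus creates value:", creates_value(REGISTER[0], ANTIVIRUS))
```

The same control fails the value test against the lightning risk, which illustrates the limitation noted later in the document about spending on unlikely risks.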

Potential Risk Treatments:

Once risks have been identified and assessed, all techniques to manage the risk fall
into one or more of these four major categories:

• Avoidance (eliminate, withdraw from or not become involved)
• Reduction (optimize – mitigate)
• Sharing (transfer – outsource or insure)
• Retention (accept and budget)

Risk Management Plan:

Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation
needs to be approved by the appropriate level of management. For instance, a risk
concerning the image of the organization should have a top management decision
behind it, whereas IT management would have the authority to decide on computer
virus risks.
The risk management plan should propose applicable and effective security controls
for managing the risks. For example, an observed high risk of computer viruses
could be mitigated by acquiring and implementing antivirus software. A good risk
management plan should contain a schedule for control implementation and
responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk
assessment phase consists of preparing a Risk Treatment Plan, which should
document the decisions about how each of the identified risks should be handled.
Mitigation of risks often means selection of security controls, which should be
documented in a Statement of Applicability, which identifies which particular control
objectives and controls from the standard have been selected, and why.

Implementation:
Implementation follows all of the planned methods for mitigating the effect of the
risks. Purchase insurance policies for the risks that it has been decided to transfer to
an insurer, avoid all risks that can be avoided without sacrificing the entity's goals,
reduce others, and retain the rest.

Review and Evaluation of the Plan:

Initial risk management plans will never be perfect. Practice, experience, and actual
loss results will necessitate changes in the plan and contribute information to allow
possible different decisions to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There
are two primary reasons for this:

1. To evaluate whether the previously selected security controls are still
applicable and effective
2. To evaluate the possible risk level changes in the business environment. For
example, information risks are a good example of a rapidly changing business
environment.

Limitations:
• Prioritizing the risk management processes too highly could keep an
organization from ever completing a project or even getting started. This is
especially true if other work is suspended until the risk management process
is considered complete.
• It is also important to keep in mind the distinction between risk
and uncertainty. Risk can be measured by impacts × probability.
• If risks are improperly assessed and prioritized, time can be wasted in dealing
with risks of losses that are not likely to occur. Spending too much time
assessing and managing unlikely risks is to be avoided. Unlikely events do
occur, but if the risk is unlikely enough to occur it may be better to simply
retain the risk and deal with the result if the loss does in fact occur. Qualitative
risk assessment is subjective and lacks consistency. The primary justification
for a formal risk assessment process is legal and bureaucratic.
