2. What is Risk & Risk Management?
• A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organization.
A + T + V = R
That is, Asset + Threat + Vulnerability = Risk.
• Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
3. What is Risk & Risk Management?
• “Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk.” – Wikipedia
4. Risk Life Cycle
[Diagram: a Threat Agent exploits a Vulnerability, which leads to a Risk; the Risk can damage an Asset and cause an Exposure, which can be countermeasured by a Safeguard.]
5. General Terms:
• Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we’re trying to protect.
6. Information Assets
IS Components:
– People: Employees (Authorized Staff; Other staff); Non-employees (People at trusted organizations; Strangers)
– Procedures: Standard Procedures; Sensitive Procedures
– Data: Transmission; Process; Storage
– SW: Application; OS; Security Component
– HW: System Devices; Network
7. General Terms:
• Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we’re trying to protect against.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.
8. General Terms:
• Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
10. Risk Management Process
[Diagram: the process is grouped into Risk Assessment and Risk Control and runs Identify Risks → Analyze Risks → Define Desired Results → Select Strategy → Implement Strategy → Monitor → Evaluate and Adjust, then loops back to the start.]
• The Process is iterative
• The Processes are organized
• Each Step output is considered as an input for the next step
11. Risk Identification
• The first step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems.
• This is a crucial phase. If a risk is not identified it cannot be evaluated and managed.
• Any failure at this stage to identify risk may cause a major loss for the organization.
• Risk identification provides the foundation of risk management.
12. Risk Identification
• Risk identification requires knowledge of the organization, the market in which it operates, and the legal, social, economic, political, and climatic environment in which it has its impact.
13. Risk Analysis
• Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.
• The risk analysis step assists in determining which risks have a greater consequence or impact than others.
14. Methods of Risk Analysis
Risk analysis is generally lumped into two main categories: Qualitative and Quantitative.
• Qualitative Risk Analysis:
The root word of qualitative is “quality”, and that is what these techniques focus on. Qualifying risks under this method involves making a simple list of the risks themselves, along with ranking them and mapping them out. The following are some common techniques used for assessing risks from a qualitative aspect:
– Probability And Impact Assessment And Matrix: Analyzing and rating risks using probability and impact on things like cost, schedule and performance.
15. Methods of Risk Analysis
– Risk Categorization: Grouping risks by common root causes to develop effective responses.
– Risk Urgency: The risk ranking from your probability matrix, combined with urgency, can help prioritize risks.
– Expert Judgment: Professional opinions from people in the industry or with similar project experience.
16. Methods of Risk Analysis
Quantitative Risk Analysis
These methods are more about definitive measurement and probabilistic techniques. The greatest risk of all is the risk of losing money, and you cannot use qualitative systems to count your costs. The following are a few simple ways in which organizations quantify their risks:
– Probability distributions: Used in modeling and simulation to represent the uncertainty of values in things like task costs and labor.
17. Methods of Risk Analysis
– Cost and Schedule Risk Analysis: Cost estimates and scheduling are used as input values that are chosen randomly for each iteration.
– Sensitivity Analysis: This is a simple technique to determine how much impact a risk poses to a project.
– Expected Monetary Value analysis (EMV): Calculating the average outcome of scenarios that may or may not happen.
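As an added worked example (not from the slides), the qualitative probability-and-impact matrix, the EMV calculation and a Monte Carlo simulation from slides 14 to 17, run over a constructed three-entry risk register; the register values, the Low/Medium/High cut-offs and the 3x3 scoring are assumptions:

```python
import random

# Constructed sample risk register (illustrative values, not from the slides).
# probability = annual likelihood of the threat exploiting the vulnerability,
# impact = monetary loss to the asset if the event occurs.
RISKS = [
    {"name": "Ransomware on file server", "probability": 0.30, "impact": 250_000},
    {"name": "Lost unencrypted laptop", "probability": 0.60, "impact": 20_000},
    {"name": "Datacenter flood", "probability": 0.02, "impact": 900_000},
]

def qualitative_level(score, cutoffs=(0.1, 0.5)):
    """Map a 0..1 score to a Low/Medium/High band (cut-offs are assumptions)."""
    if score < cutoffs[0]:
        return "Low"
    return "Medium" if score < cutoffs[1] else "High"

def probability_impact_matrix(risks, max_impact):
    """Qualitative analysis: rate each risk on a 3x3 probability/impact matrix
    and return (cell score, name, probability band, impact band), highest first."""
    weight = {"Low": 1, "Medium": 2, "High": 3}
    rated = []
    for r in risks:
        p_band = qualitative_level(r["probability"])
        i_band = qualitative_level(r["impact"] / max_impact)
        rated.append((weight[p_band] * weight[i_band], r["name"], p_band, i_band))
    return sorted(rated, reverse=True)

def expected_monetary_value(risks):
    """Quantitative analysis (EMV): sum of probability x impact, i.e. the
    average annual outcome over scenarios that may or may not happen."""
    return sum(r["probability"] * r["impact"] for r in risks)

def simulate_annual_loss(risks, iterations=10_000, seed=1):
    """Monte Carlo: each iteration randomly decides whether each event occurs
    (the 'input values chosen randomly for each iteration' of the slide) and
    returns the mean and the 95th-percentile annual loss."""
    rng = random.Random(seed)
    losses = sorted(
        sum(r["impact"] for r in risks if rng.random() < r["probability"])
        for _ in range(iterations)
    )
    return {"mean": sum(losses) / iterations, "p95": losses[int(0.95 * iterations)]}

if __name__ == "__main__":
    for row in probability_impact_matrix(RISKS, max_impact=900_000):
        print(row)
    print("EMV:", expected_monetary_value(RISKS))
    print("Monte Carlo:", simulate_annual_loss(RISKS))
```

The matrix ranks the ransomware entry first (Medium/Medium), while the EMV and the simulated 95th percentile show that the rare flood carries most of the tail loss, which the qualitative ranking alone does not reveal.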
18. Strategies: Selection & Implementation
• Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
• Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence.
19. Strategies: Selection & Implementation
• Risk control should also aim to enhance positive outcomes.
• Organizations can respond to risk in a variety of ways. These include:
– (i) risk acceptance
– (ii) risk avoidance
– (iii) risk mitigation
– (iv) risk sharing
– (v) risk transfer
– (vi) a combination of the above.
20. Strategies: Selection & Implementation
• Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
21. Strategies: Selection & Implementation
• Risk Avoidance: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
22. Strategies: Selection & Implementation
• Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.
• Risk mitigation involves taking action to reduce an organization’s exposure to potential risks and reduce the likelihood that those risks will happen again.
23. Strategies: Selection & Implementation
• Risk Sharing or Transfer: Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.
• Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).
24. Strategies: Selection & Implementation
• It is important to note that risk transfer reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to organizational operations and assets, individuals, other organizations, or the Nation.
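Added example (not from the slides) that turns the responses of slides 19 to 24 into one decision: accept when the expected loss is within tolerance, otherwise the cheapest control that is both sufficient and cost-effective, otherwise transfer, otherwise avoidance. The ordering, the tolerance value, the cost-benefit rule and the constructed risks and controls are assumptions; the transfer branch returns the original risk unchanged because, as slide 24 states, transfer alters neither likelihood nor impact:

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: float  # annual probability of the threat exploiting the vulnerability
    impact: float      # loss to the asset if the event happens
    @property
    def expected_loss(self):
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # 0.5 => the control halves the likelihood
    impact_factor: float = 1.0      # 0.2 => the control cuts the impact to 20%

def choose_response(risk, tolerance, controls=(), insurance_premium=None, avoidable=False):
    """Return (response, residual risk, annual cost); tolerance is the assumed max expected annual loss accepted."""
    if risk.expected_loss <= tolerance:
        return "accept", risk, 0.0
    # Mitigation: cheapest control within tolerance whose cost is below the expected loss it removes
    options = []
    for c in controls:
        residual = Risk(risk.name, risk.likelihood * c.likelihood_factor, risk.impact * c.impact_factor)
        if residual.expected_loss <= tolerance and c.annual_cost < risk.expected_loss - residual.expected_loss:
            options.append((c.annual_cost, c.name, residual))
    if options:
        cost, name, residual = min(options, key=lambda o: o[0])
        return f"mitigate: {name}", residual, cost
    # Transfer: insurance shifts liability but not likelihood or impact, so the residual risk is unchanged
    if insurance_premium is not None:
        return "transfer", risk, insurance_premium
    if avoidable:  # Avoidance: drop the activity, which removes the likelihood entirely
        return "avoid", Risk(risk.name, 0.0, risk.impact), 0.0
    return "accept (exceeds tolerance; needs management sign-off)", risk, 0.0

def demo(tolerance=10_000):
    """Constructed risks and treatment options (all values are assumptions)."""
    ransomware = Risk("Ransomware on file server", 0.30, 250_000)
    flood = Risk("Datacenter flood", 0.02, 900_000)
    return {
        "ransomware": choose_response(ransomware, tolerance, [
            Control("Awareness training", 3_000, likelihood_factor=0.8),
            Control("Offline backups + EDR", 15_000, 0.5, 0.2)]),
        "flood": choose_response(flood, tolerance, [Control("Raised flooring", 20_000, impact_factor=0.5)],
                                 insurance_premium=12_000),
    }
```

In the demo the ransomware risk is mitigated (training alone leaves the residual above tolerance, backups plus EDR bring it to 7,500 for 15,000 a year), while the flood control fails the cost-benefit check, so the risk is insured and its expected loss of 18,000 stays exactly as it was.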
25. Monitor and Review
• Monitor and review is an essential and integral step in the risk management process.
• An owner of the organization must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
26. Monitor and Review
• Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static; therefore, the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.