Lesson 20-Risk Management. Background  Risk management can be described as a decision-making process.  Effective risk management avoids costly oversights.

Slides:



Advertisements
Similar presentations
Security+ All-In-One Edition Chapter 17 – Risk Management
Advertisements

PROJECT RISK MANAGEMENT
Control and Accounting Information Systems
Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.
Systems Analysis and Design Feasibility Study. Introduction The Feasibility Study is the preliminary study that determines whether a proposed systems.
Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Project Risk Management
Project Risk Management
1 SOFTWARE PRODUCTION. 2 DEVELOPMENT Product Creation Means: Methods & Heuristics Measure of Success: Quality f(Fitness of Use) MANAGEMENT Efficient &
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Lecture 8: Risk Management Controlling Risk
Managing Project Risk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Risk Assessment Frameworks
1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.
Security Risk Management Paula Kiernan Ward Solutions.
Chapter 4 Internal Controls McGraw-Hill/Irwin
PRM 702 Project Risk Management Lecture #28
Chapter 11: Project Risk Management
Conostix S.A. Sensible defence.
1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.
Chapter 10 Contemporary Project Management Kloppenborg
Security Risk Management
Risk Management - the process of identifying and controlling hazards to protect the force.  It’s five steps represent a logical thought process from.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 3-1 Chapter Three Risk Assessment and Materiality Chapter Three.
Risk Management for Technology Projects Geography 463 : GIS Workshop May
Risk Management Project Management Digital Media Department Unit Credit Value : 4 Essential Learning time : 120 hours.
Quick Recap Monitoring and Controlling. Phases of Quality Assurance Acceptance sampling Process control Continuous improvement Inspection before/after.
Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.
Chapter 11: Project Risk Management
This Lecture Covers IT Control Frameworks. Liberating Control from Fin Reptg ITCG COBIT New frameworks such as AICPA/CICA SysTrust Principles and Criteria.
INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,
Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Bank Audit. Internal Audit Internal audit is an independent, objective assurance activity and can give valuable insight in providing assurance that major.
Chapter 3 Project Management Chapter 3 Project Management Organising, planning and scheduling software projects.
Ch 10 - Risk Management Learning Objectives You should be able to: List and describe risk management processes, inputs, outputs, and tools List and describe.
PMP Study Guide Chapter 6: Risk Planning. Chapter 6 Risk Planning Planning for Risks Plan Risk Management Identifying Potential Risk Analyzing Risks Using.
McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.
SOFTWARE PROJECT MANAGEMENT
IT Risks and Controls Revised on Content Internal Control  What is internal control?  Objectives of internal controls  Types of internal controls.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Certified Protection Officer Program. Chapter 1 Unit 1 Concepts and Theories of Asset Protection Pages 3-11.
Introduction to Project Management Chapter 9 Managing Project Risk
Chap 8: Administering Security.  Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
Principles of Computer Security, Fourth Edition Copyright © 2016 by McGraw-Hill Education. All rights reserved. Risk Management Chapter 20.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
1 Controls in Strategic management Dr. Fred Mugambi Mwirigi JKUAT.
Dolly Dhamodiwala CEO, Business Beacon Management Consultants
Chapter 13 Risk Management. Chapter Objectives 1.Define risk and risk management 2.Outline key risk issues and types of risk 3.Identify concrete methods.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
Risk Assessment: A Practical Guide to Assessing Operational Risk
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Headquarters U.S. Air Force
Information Systems Security
Risk Management.
Chapter 4 Internal Controls McGraw-Hill/Irwin
Risk Management for Technology Projects
CHAPTER11 Project Risk Management
The Importance of Project Risk Management
Software Project Management (SPM)
Chapter 7: RISK ASSESSMENT, SECURITY SURVEYS, AND PLANNING
Mumtaz Ali Rajput +92 – SOFTWARE PROJECTMANAGMENT Mumtaz Ali Rajput +92 –
Project Risk Management
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Presentation transcript:

Lesson 20-Risk Management

Background  Risk management can be described as a decision-making process.  Effective risk management avoids costly oversights and unexpected problems.  Industry best practices state that effective risk management involves treating it as an ongoing process.

Objectives Upon completion of this lesson, the learner will be able to:  Explain the purpose of risk management and describe an approach to effectively manage risk.  Describe differences between qualitative and quantitative risk assessment.  Explain, by example, how both approaches, qualitative and quantitative risk assessment, are necessary to effectively manage risk.  Define important terms associated with risk management.  Describe various tools related to risk management.

Risk Management: An Overview  Risk management is an essential element of management.  It encompasses all the actions to: – Reduce complexity. – Increase objectivity. – Identify important decision factors.

Risk Management: An Overview  Businesses need to take risks to retain their competitive edge.  As a result, risk management must be done as part of managing any project.  To succeed, one needs to manage risks better.

Risk Management: An Overview  Risk management is both a skill and a task.  Depending on the size of the project and the amount of risk involved, risk management can be simple or complex.

Macro-Level Example of Risk Management: International Banking  The Basel Committee on Banking Supervision is composed of government central-bank governors from around the world.  This body created a basic, global risk management framework for market and credit risk.

Macro-Level Example of Risk Management: International Banking  The Basel Committee implemented capital charge to banks at flat 8 percent internationally to manage bank risks.  This means for every $100 a bank makes in loans, it must have $8 in reserve to be used in the event of financial difficulties.  However, if banks can show they have very strong risk mitigation procedures and controls in place, that capital charge can be reduced to as low as $0.37 (0.37 percent).  If a bank has poor procedures and controls, then capital charge can be as high as $45 (45 percent).

Understanding Risk Management Key terms: – Risk - the possibility of suffering a loss. – Risk management - the decision-making process of identifying threats and vulnerabilities and their potential impacts. – Risk assessment (or risk analysis) - the process of analyzing an environment to identify the threats, vulnerabilities, and mitigating actions to determine the impact of an event on a project, program, or business.

Understanding Risk Management Key terms (continued): – Asset - a resource or information required by an organization to conduct its business. – Threat - any circumstance or event that may cause harm to an asset. – Vulnerability - the characteristic of an asset that can be exploited by a threat to cause harm. – Impact - the loss when a threat exploits a vulnerability.

Understanding Risk Management Key terms (continued): – Control (countermeasure or safeguard) - a measure to detect, prevent, or mitigate the risk associated with a threat. – Qualitative risk assessment - the process of subjectively determining the impact of an event that affects a project, program, or business. – Quantitative risk assessment - the process of objectively determining the impact of an event that affects a project, program, or business.

Understanding Risk Management Key terms (continued): – Mitigate - action taken to reduce the likelihood of a threat occurring. – Single loss expectancy (SLE) - the monetary loss or impact of each occurrence of a threat. – Exposure factor - a measure of the magnitude of loss of an asset. It is used in the calculation of single loss expectancy. – Annualized rate of occurrence (ARO) - the frequency with which an event is expected to occur on an annualized basis. – Annualized loss expectancy (ALE) - the estimate of how much an event is expected to cost per year.

Risk Management  The dictionary defines risk as the possibility of loss.  Carnegie Mellon University’s Software Engineering Institute (SEI) defines continuous risk management as: processes, methods, and tools for managing risks in a project. – It provides a disciplined environment for proactive decision-making to: Assess what could go wrong (risks). Determine which risks are important. Implement strategies to deal with those risks.

Risk Management  The Information Systems Audit and Control Association (ISACA) states, “In modern business terms, risk management is the process of identifying vulnerabilities and threats to an organization’s resources and assets and deciding what countermeasures, if any, should be taken to reduce the level of risk to an acceptable level based on the value of the asset to the organization.”

Risk Management A planning decision flowchart for risk management

Business Risks In today’s technology-dependent business environment, risk is often divided into two areas: – Business risk – Technology risk

Examples of Business Risks The most common business risks include: – Treasury management – Revenue management – Contract management – Fraud – Environmental risk management – Regulatory risk management – Business continuity management – Technology

Examples of Technology Risks The most common technology risks include: – Security and privacy. – Information technology operations. – Business systems control and effectiveness. – Business continuity management. – Information systems testing. – Reliability and performance management. – Information technology asset management. – Project risk management. – Change management.

Risk Management Models  There are several risk management models for managing risk through its various phases.  The chosen models should align with the business objectives and strategies.  The two risk management models are: general risk management model and the Software Engineering Institute model.

General Risk Management Model  General risk management model includes the following steps: – Asset identification. – Threat assessment. – Impact definition and quantification. – Control design and evaluation. – Residual risk management.

Asset Identification  In this step, the assets, systems, and processes that need protection need to be identified and classified, as they are vulnerable to threats.  This classification helps to prioritize assets, systems, and processes and to evaluate the costs of addressing the associated risks.

Asset Identification  Assets include: – Inventory and buildings. – Cash. – Information and data. – Hardware and software. – Services, documents, and personnel. – Brand recognition and organization reputation. – Goodwill.

Threat Assessment  Threats can be defined as any circumstance or event with the potential to harm an asset.  In this step, the possible threats and vulnerabilities associated with each asset and the likelihood of their occurrence is identified.

Threat Assessment  Common classes of threat include: – Natural disasters. – Man-made disasters. – Terrorism. – Errors. – Malicious damage or attacks. – Fraud. – Theft. – Equipment or software failure.

Threat Assessment  Vulnerabilities are characteristics of resources that can be exploited by a threat to cause harm.  Examples of vulnerabilities include: – Unprotected facilities. – Unprotected computer systems. – Unprotected data. – Insufficient procedures and controls. – Insufficient or unqualified personnel.

Impact Definition and Quantification  When a threat is realized, it turns risk into impact.  An impact is the loss created when a threat exploits a vulnerability.  Impacts can be either tangible or intangible.

Impact Definition and Quantification  Tangible impacts include: – Direct loss of money. – Endangerment of staff or customers. – Loss of business opportunity. – Reduction in operational efficiency or performance. – Interruption of a business activity.

Impact Definition and Quantification  Intangible impacts include: – Breach of legislation or regulatory requirements. – Loss of reputation or goodwill (brand damage). – Breach of confidence.

Control Design and Evaluation  Controls are designed to control risk by reducing vulnerabilities to an acceptable level.  Controls can be actions, devices, or procedures.  They can be: – Preventive controls - prevent the vulnerability from being exploited by a threat, thus causing an impact. – Detective controls - detect a vulnerability that has been exploited by a threat so that action can be taken.

Residual Risk Management  Any risks that remain after implementing controls are termed residual risks.  Residual risks can be further evaluated to identify where additional controls are required to further reduce risk.  Business process reengineering or organizational changes can create new risks or weaken existing control activities.

Software Engineering Institute Model  The Software Engineering Institute model lists the following steps for risk management: – Identify - look for risks before they become problems. – Analyze – convert the data into information that can be used to make decisions. – Plan - review and evaluate the risks and decide the actions to mitigate them. – Track - monitor the risks and the mitigation plans. – Control - make corrections for deviations from the risk mitigation plans.

Risk Management Model Risk complexity versus project size

Qualitatively Assessing Risk  To qualitatively assess risk, the impact of the threat needs to be compared with the probability of occurrence.  For example, if a threat has a high impact and a high probability of occurring, the risk exposure is high.  Conversely, if the impact is low with a low probability, the risk exposure is low.

Qualitatively Assessing Risk Binary Assessment

Qualitatively Assessing Risk Three levels of analysis

Qualitatively Assessing Risk A 3 by 5 level analysis

Qualitatively Assessing Risk Example of a combination assessment

Quantitatively Assessing Risk  Quantitative risk assessment applies historical information and trends to predict future performance.  It is dependent on historical data, gathering which can be difficult.

Quantitatively Assessing Risk  Quantitative risk assessment may also rely on models.  These models provide decision-making information in the form of quantitative metrics, which attempt to measure risk levels across a common scale.

Quantitatively Assessing Risk  Key assumptions underlie any model, and different models will produce different results even when the input data is the same.  Despite research in improving and refining the various risk analysis models, expertise and experience are considered essential for risk assessment.  Models can never replace judgment and experience, but they can enhance the decision-making process.

Adding Objectivity to a Qualitative Assessment Adding Weights and Definitions to the Potential Impact

Adding Objectivity to a Qualitative Assessment Adding Values to Assessments

A Common Objective Approach  More complex models allow analyses based on statistical and mathematical models.  A common method is the calculation of the annualized loss expectancy (ALE).  This calculation begins by calculating single-loss expectancy (SLE) with the following formula: – SLE = asset value * exposure factor

A Common Objective Approach Final quantitative assessment of the findings

Qualitative versus Quantitative Risk Assessment  It is impossible to conduct risk management that is purely quantitative.  Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience.  It is possible to accomplish purely qualitative risk management.

Qualitative versus Quantitative Risk Assessment  The decision of whether to use qualitative versus quantitative risk management depends on: – The criticality of the project. – The resources available. – The management style.  The decision will be influenced by the degree to which the fundamental risk management metrics can be quantitatively defined.

Tools to Enhance Risk Management The tools that can be used during the various phases of risk assessment are: – Affinity grouping - A method of identifying related items and then identifying the principle that ties them together into a group. – Baseline identification and analysis - The process of establishing a baseline set of risks. It produces a “snapshot” of all the identified risks at a given point in time. – Cause and effect analysis - Identifying relationships between a risk and the factors that can cause it.

Tools to Enhance Risk Management The tools that can be used during the various phases of risk assessment are (continued): – Cost/benefit analysis - A method for comparing cost estimates with the benefits of a mitigation strategy. – Gantt charts - A management tool for diagramming schedules, events, and activity duration. – Interrelationship digraphs - A method for identifying cause- and-effect relationships by defining the problem, identifying its key elements, and describing their relationships.

Tools to Enhance Risk Management The tools that can be used during the various phases of risk assessment are (continued): – PERT (program evaluation and review technique) charts - A diagram depicting interdependencies between project activities, showing the sequence and duration of each activity. – Risk management plan - A comprehensive plan documenting how risks will be managed on a given project.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.