1 Introduction to Risk Management 26 September 2014 Peter Fowler CPPD

2 "There are known knowns. [These are things we know that we know.] There are known unknowns. [That is to say, there are things that we know we don't know.] But there are also unknown unknowns. [There are things we don't know we don't know.]" Donald Rumsfeld (Feb 12, 2002)
"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair." Douglas Adams in Mostly Harmless (the fifth book in the Hitchhiker's Guide to the Galaxy trilogy)

3 Risk Management Definitions
- Uncertainty - changing circumstances or situation
- Risk - effect of uncertainty on objectives
- Opportunity - the positive impact on objectives
- Issue - an event that has happened or will happen

4 Types of Risk Management
- Safety risk management
- Insurance risk management
- Financial (investment) risk management
- Project risk management
- Business risk management
- Information risk management

5 Tasmanian Government Information Security Policy
1. Purpose: The purpose of the Policy is to provide a consistent approach to managing information security risks across Government.
2. Scope: This Policy applies to Tasmanian Government agencies as custodians of information on behalf of the Crown.
3. Policy Principles: This Policy is based upon the following information security policy principles:
- Availability: information is accessible and usable to authorised entities.
- Integrity: the accuracy and completeness of information is protected.
- Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes.
- Proportionality: measures to protect information are relative to the risk of loss or failure of availability, integrity and confidentiality.

6 Tasmanian Government Information Security Policy Manual
- Information security risks are threats or vulnerabilities that introduce uncertainty regarding the availability, confidentiality or integrity of information.
- Structured risk assessments help to prioritise risks and implement appropriate risk management procedures.
- Information security risk management can be undertaken as part of a broader agency risk management approach.
- Each agency MUST identify, quantify and prioritise risks against risk acceptance criteria and determine appropriate controls to protect against risks.

7 After completing a risk assessment there may be residual information security risks where the agency has:
- elected to accept a risk by doing nothing, or
- adopted a mitigation strategy that does not completely eliminate a risk.

8 Process from AS/NZS ISO 31000: 2009

9 Common failures when managing risks
- Not establishing the context: misunderstanding organisational attitudes and risk appetite
Risk attitude: an organisation's approach to assess and eventually pursue, retain, take or turn away from risk.
Risk appetite: the amount and type of risk that an organisation is willing to pursue or retain.
Source: ISO Guide 73:2009 Risk management - Vocabulary

10 Common failures when managing risks
- Not establishing the context: misunderstanding organisational attitudes and risk appetite
- Not focussing on the appropriate risks (business efficiency vs information security)
Business efficiency risk: information cannot be located quickly as a result of poor categorisation, resulting in more time/resources required to find records.
Information security risk: information cannot be located as a result of poor file categorisation, resulting in important records not being found.

11 Common failures when managing risks
- Not establishing the context: misunderstanding organisational attitudes and risk appetite
- Not focussing on the appropriate risks (business efficiency vs information security)
- Inappropriate measures used for the analysis
Consequence - if the event occurs, what will the consequence be: Critical, High, Medium, Low, Very low
Likelihood - what is the likelihood that the event will occur and result in the consequence indicated: Almost certain, Likely, As likely as not, Possible, Unlikely
But what do these terms mean? Unless each term is defined (for example, what frequency "Possible" denotes, or what loss counts as "High"), two assessors can score the same risk differently.

12 Common failures when managing risks
- Not establishing the context: misunderstanding organisational attitudes and risk appetite
- Not focussing on the appropriate risks (business efficiency vs information security)
- Inappropriate measures used for the analysis
- Generalisation of risk statements (leads to misunderstanding)
Examples of generalised statements:
1. Inappropriate file categorisation
2. Cannot find board meeting minutes
State the full story: what could happen (event), why could it happen (cause) and what would the result be (consequence):
"Board meeting minutes cannot be located as a result of poor file categorisation resulting in disputed decisions having to be reversed"

13 Common failures when managing risks
- Not establishing the context: misunderstanding organisational attitudes and risk appetite
- Not focussing on the appropriate risks (business efficiency vs information security)
- Inappropriate measures used for the analysis
- Generalisation of risk statements (leads to misunderstanding)
- Fake treatment (either won't mean anything or is not followed through)
Examples of fake treatments:
1. Ensure board meeting minutes are categorised appropriately
2. Provide training for staff on board meeting minute categorisation
Would that stop people categorising incorrectly? A treatment is only appropriate if it is not already being done and it actually reduces the likelihood or the consequence of the risk.
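The following is an added worked example, not part of the presentation or of the Tasmanian Government's policy material. It puts slides 11 to 13 into a small risk-register script: the likelihood and consequence terms are given explicit definitions, a risk statement must carry event, cause and consequence, the rating comes from a likelihood-by-consequence matrix, and a proposed treatment is rejected as a "fake treatment" if it leaves the residual rating unchanged. The scale definitions, rating bands and the sample risk values are assumptions chosen for illustration.

```python
"""Added illustration of the slides' points (assumed values throughout)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Likelihood terms from the slide, each given an explicit (assumed) meaning
# so that two assessors reading "Possible" reach the same score.
LIKELIHOOD: Dict[str, Tuple[int, str]] = {
    "Almost certain": (5, "expected to occur more than once a year"),
    "Likely": (4, "expected to occur about once a year"),
    "As likely as not": (3, "roughly a 50% chance within a year"),
    "Possible": (2, "could occur within five years"),
    "Unlikely": (1, "not expected within five years"),
}

# Consequence terms from the slide with assumed definitions.
CONSEQUENCE: Dict[str, Tuple[int, str]] = {
    "Critical": (5, "agency cannot deliver a statutory function"),
    "High": (4, "a decision is disputed or reversed; external notification"),
    "Medium": (3, "rework measured in weeks; internal escalation"),
    "Low": (2, "rework measured in days; handled within the team"),
    "Very low": (1, "minor inconvenience, no lasting effect"),
}


def rating(score: int) -> str:
    """Assumed rating bands on the product likelihood x consequence (1..25)."""
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    event: str          # what could happen
    cause: str          # why it could happen
    consequence: str    # what the result would be
    likelihood: str     # a key of LIKELIHOOD
    impact: str         # a key of CONSEQUENCE

    def statement(self) -> str:
        # The "full story" form recommended on slide 12.
        return f"{self.event} as a result of {self.cause} resulting in {self.consequence}"

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood][0] * CONSEQUENCE[self.impact][0]

    def rating(self) -> str:
        return rating(self.score())


def validate(risk: Risk) -> List[str]:
    """Reject generalised statements (slide 12) and undefined scale terms
    (slide 11). Returns an empty list when the risk is acceptable."""
    problems = []
    for name in ("event", "cause", "consequence"):
        if not getattr(risk, name).strip():
            problems.append(f"missing {name}")
    if risk.likelihood not in LIKELIHOOD:
        problems.append(f"undefined likelihood term {risk.likelihood!r}")
    if risk.impact not in CONSEQUENCE:
        problems.append(f"undefined consequence term {risk.impact!r}")
    return problems


def apply_treatment(risk: Risk, new_likelihood: Optional[str] = None,
                    new_impact: Optional[str] = None) -> Tuple[Risk, str]:
    """Return the residual risk after a treatment (slide 7). A treatment that
    changes neither likelihood nor consequence is the "fake treatment" of
    slide 13 and is flagged rather than recorded as a reduction."""
    residual = Risk(risk.event, risk.cause, risk.consequence,
                    new_likelihood or risk.likelihood,
                    new_impact or risk.impact)
    if residual.score() >= risk.score():
        return residual, "fake treatment: residual rating not reduced"
    return residual, f"residual {residual.rating()} (was {risk.rating()})"


# Sample risk built from the slide's own wording; the scale values are assumed.
MINUTES = Risk(event="Board meeting minutes cannot be located",
               cause="poor file categorisation",
               consequence="disputed decisions having to be reversed",
               likelihood="Possible", impact="High")

if __name__ == "__main__":
    print(MINUTES.statement(), "->", MINUTES.rating())
    print(validate(Risk("Inappropriate file categorisation", "", "", "Possible", "High")))
    print(apply_treatment(MINUTES)[1])                                   # no change
    print(apply_treatment(MINUTES, new_likelihood="Unlikely")[1])       # real reduction
```

The point of `validate` and `apply_treatment` is that the register enforces the discipline the slides ask for: a statement missing its cause or consequence, or using a term the scale does not define, is not accepted, and "ensure minutes are categorised appropriately" only counts as a treatment once the assessor can say which of likelihood or consequence it lowers.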

14 Questions?
