Understanding Risk and Risk Management
John Cvetko, CISSP, CISA, Principal Consultant
TEK Associates, LLC
Email: [email protected]
Phone: 503 799 2242
2
Overview
• Risk and Risk Frameworks
– Perspectives of risk frameworks
• Risk Management Process
– Review the basic elements of a Risk Management process
• Scenario
– Step through a scenario that demonstrates the Risk Management elements
3
How Do Organizations Use Risk Management Techniques?
• Liability Tool
– Identify and manage liabilities
• Opportunity Tool
– Identify areas of high risk that can lead companies to new opportunities
• Organization Tool
– Understand how to organize and apply resources
– A guide for maximizing results
• Compliance Tool
– Demonstrate compliance
• Communications Tool
– Communicate progress and risk positions to management and the functional project teams
4
What is a Risk?
• Different disciplines have different definitions (EPA, nuclear, medical)
• PMI Definition (PMBOK®, Third Edition)
– A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective
• COSO Enterprise Risk Management View (Committee of Sponsoring Organizations)
– “… a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
• Risk is Uncertainty
5
COSO Business Risk Framework (Committee of Sponsoring Organizations of the Treadway Commission)
• Objectives can be viewed in the context of four categories:
– Strategic
– Operations
– Reporting
– Compliance
• Spans all levels of the organization:
– Enterprise level
– Division or subsidiary
– Business unit processes
– Subsidiary
• Usually paired with IT benchmarking standards
– COBIT, ITIL
6
Project Based Risk Management Framework
• Project risk management – key differences are:
– Objective setting is known as risk planning
– Information and communications are assumed
– Tailored more for a specific project
[Diagram: the risk management process cycle – Risk Management Planning, Risk Identification, Risk Assessment, Risk Response Planning and Control, Risk Monitoring]
7
Risk Management Plan
• What is in a good plan?
– State the objective and expectations of the risk management effort.
– Responsibility for decision events
• Delegated authority for specific risk types
– Processes for Risk Identification, Assessment, Mitigation/Control and Monitoring (flow charts).
– Show links to other processes and plans (e.g., project plan, change management process, schedule).
– Explain how risks will be communicated to management.
• Timeframe and dashboard
• Emergency issues
– Independent review
• Reporting structure
8
Common Plan Errors
• Not making the plan practical/realistic for the project at hand.
• Confusing the risk management plan with the project plan.
• Lack of independent review/peer review.
9
Risk Identification: Understanding the Project Requirements
• Collect actionable/quantifiable requirements
– Business goals or requirements
– Product or service functionality, schedule and budget
– Service level or performance goals
• Sample quantifiable requirements
– Start of production date, process transactions within 10 seconds, system availability of 99.999%, increase efficiency by x%.
• Unclear Requirements = Unclear Risks
– Unclear requirements are a risk
10
Risk Identification
• Known Risks
– The obvious risks that jump out quickly at the beginning of every project.
• Unknown Risks
– Usually a result of inexperience in particular areas.
• Unknowable Risks
– Risks that can’t be predicted even with the best information and experience available.
11
Risk Identification
Risks can come from many different sources:
• Products – configuration, technology, requirements, etc.
• Procedures – development and operational processes, etc.
• Business environment – cost, profit, regulations, competition, market fluctuations, etc.
• Project – scope, schedule, resource availability, etc.
• People – human error, skills, culture, blind spots, etc.
• External – public opinion, economy, natural disasters, etc.
12
Risk Identification Process
• Cross-functional team
– Populate a well-rounded team when identifying and assessing risks
• Methods for teasing out risk items
– Brainstorming
– Interviews/questionnaires
– Review of similar projects
– Subject matter experts
– External experienced consultants
– Technical standards
• Program-specific best practice guides, e.g., for IT: COBIT, ITIL, ISO 17799
– Gap analysis, SWOT, cause and effect, fault tree, Hazard and Operability (HAZOP), business impact analysis techniques
– Prototyping
13
Risk Identification Process (cont)
• Capture each risk item using wording such as:
– Due to / as a result of <definitive cause>, a/an <uncertain event> may occur, which could lead to <some effect on program objective(s)>
• Document each item in a risk event list/database
• Ensure a clear description of the consequence is included
– Define the “so what”
14
Common Risk Identification Errors
• Lack of experience in a crucial subject area
• Not understanding what constitutes a risk – not listening with a risk management perspective
• Not understanding blind spots
• Not being prepared for a significant amount of information
• Over-focus on a particular risk
15
Risk Assessment Process
• Once risks are identified, each risk event needs to be assessed for:
– Impact to the project if the risk event occurs
• Qualitative vs. quantitative assessments
– Probability that the risk event will occur
• Qualitative vs. quantitative assessments
• Initially let each team member assess their own risks
– Likely result:
• A predominance of events characterized as high likelihood, high consequence
• Everyone thinks their risk items are the most important, i.e. high consequence, high likelihood
• Assessments should then be made jointly by all the team members to gain agreement
– The assessment results will impact what resources are devoted to which tasks
16
Risk Assessment Process
• Risk index numbering establishes priorities
– Enables the team to agree on the relative ranking of risk items
• Caution: don’t let the debate divert the process
Risk Ranking (risk index; rows: Impact Exposure, columns: Probability)
Impact \ Probability | High | Medium | Low
High                 |  1   |   2    |  4
Medium               |  3   |   5    |  7
Low                  |  6   |   8    |  9
17
Common Assessment Errors
• Not breaking the problem or risk down into manageable pieces.
• Not having enough information to fully assess the risk.
• Not having the authority to make decisions.
• Being overwhelmed… when in doubt, ask for help.
18
Risk Response Strategies
• Response strategies for dealing with identified risks
– Avoidance (elimination)
• Pursue a completely different approach (e.g. use another supplier)
– Transfer
• Move the risk elsewhere (e.g. back to the customer, buy insurance)
– Mitigation (reduction)
• Take steps to minimize the consequence and/or likelihood of the risk occurring (e.g. develop a secondary approach, train multiple personnel)
– Acceptance
• “If it happens, it happens and we’ll deal with it”
• Strategy use
– Multiple strategies can be used per risk event, and strategies may change with time
19
Risk Response Planning
• Develop a response plan to implement the strategy
– What is to be done, what is the budget, what is the schedule…
– Develop a plan “B”
• Determine who is responsible for implementing the plan
– Accountability
• Communicate
– Inform management and the project team of the plan
20
Common Response Plan Errors
• Not clearly assigning accountability for individual plans.
• Not having a plan “B”.
• Creating a plan on half an assessment.
• Not understanding residual risk.
21
Risk Event Monitoring
• Continuous monitoring and proactively addressing developments are vital to a successful risk management process
– Review ‘Red’ items and upcoming trigger events at least weekly
• Track actual closure of risk items
– Closure date, how/why closed, any special issues or circumstances
22
Risk Management Status Tracking
• Summary Matrix
– A risk summary matrix of risk priorities is a ‘quick look’ approach to monitoring and communicating status
Risk Summary (number of risk events; rows: Consequence, columns: Probability)
Consequence \ Probability | H | M | L
H                         | 6 | 0 | 2
M                         | 3 | 1 | 0
L                         | 3 | 3 | 1
Not Assessed: 0   Closed: 6
Legend: Key Risk, Significant Risk, Tolerable Risk
23
Risk Scenario
• You work for the ACME car insurance company. ACME is a $1 billion public company that is implementing a new collection system to enable customers to review their bills and to take credit card and direct deposit payments on-line. This system will replace an existing manual system that requires 250 people to manage. The cost of this system is $20 million, and it is expected to save the company $26k a day.
• This software system is a commercial off-the-shelf (COTS) system, with the exception of the on-line (credit card and direct deposit) payment module. The module is currently being developed by the software supplier. The supplier is new to the world of on-line financial transactions.
Monday Morning Team Meeting Status
Risk Summary (number of risk events; rows: Consequence, columns: Probability)
Consequence \ Probability | H | M | L
H                         | 0 | 0 | 2
M                         | 0 | 1 | 0
L                         | 3 | 3 | 1
Not Assessed: 0   Closed: 6
S1
24
Risk Identification Build-up List – Monday Morning Team Meeting
Item | Risk Identification | Impact Statement
1 | Possible internal resources conflict; a schedule slip of 2 weeks might materialize. | The business has calculated that a slip in production costs $26k per day. A two-week loss is $260k.
2 | Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production. | The business requires the transaction software to be available upon production. The business has calculated that a slip of this type will have a $1 million impact.
3 | Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account. | If regulatory compliance is not met, the year-end SEC audit may be in jeopardy. An SEC audit can affect stock price.
4 | Due to Role Based Access not being available, regulatory compliance will not be met at production. | If compliance is not met, the year-end SEC audit may be in jeopardy. An SEC audit can affect stock price.
Team Members: Project Manager, Engineering Manager, Business Owner, Security Officer, Finance
S2
25
Initial Risk Impact Ranking
Item | Risk Identification | Impact Statement | Probability | Impact | Risk Ranking
1 | Possible internal resources conflict; a schedule slip of 2 weeks might materialize. | The business has calculated that a slip in production costs $26k per day. A two-week loss is $260k. | High | Medium | 3
2 | Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production. | The business requires the transaction software to be available upon production. The business has calculated that a slip of this type will have a $1 million impact. | High | High | 1
3 | Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account. | If regulatory compliance is not met, the year-end SEC audit may be in jeopardy. An SEC audit can affect stock price. | High | Medium | 3
4 | Due to Role Based Access not being available, regulatory compliance will not be met at production. | If compliance is not met, the year-end SEC audit may be in jeopardy. An SEC audit can affect stock price. | High | Medium | 3
Risk Ranking matrix for reference (rows: Impact Exposure, columns: Probability High/Medium/Low): High 1 2 4; Medium 3 5 7; Low 6 8 9
S3
26
Risk Management Status Tracking – Monday Afternoon Weekly Executive Briefing
Risk Summary (number of risk events; rows: Consequence, columns: Probability)
Consequence \ Probability | H | M | L
H                         | 1 | 0 | 2
M                         | 3 | 1 | 0
L                         | 3 | 3 | 1
Not Assessed: 0   Closed: 6
[Chart: By Functional Area – number of events in category (Green, Yellow, Red) for Engineering, Sales, Product Support, Financial, Material Control, Purchasing, Operations; y-axis 0–7]
[Chart: As a Function of Time – number of events in category (Green, Yellow, Red, Unassessed) per month, Feb through August; y-axis 0–8]
S4
27
Risk Assessment Process – Tuesday Afternoon
Item | Risk Identification | Impact Statement | Assessment
1 | Possible internal resources conflict; a schedule slip of 2 weeks might materialize. | The business has calculated that a slip in production costs $26k per day. A two-week loss is $260k. | 2 DBAs were pulled off the project to assist another higher-priority project in need of their skills.
2 | Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production. | The business requires the transaction software to be available upon production. The business has calculated that a slip of this type will have a $1 million impact. | Found the supplier delay to be 2 months. Also, the issue is really with the direct deposit portion of the system and not the credit card portion of the module. The business says that credit card payment is 90% of initial business and is the higher priority.
3 | Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account. | If regulatory compliance is not met, the year-end SEC audit may be in jeopardy. An SEC audit can affect stock price. | The software supplier believes the problem is with the operating system (OS). The OS vendor is researching the issue. Per security's question: the software supplier indicates that audit trails and triggers do work.
4 | Due to Role Based Access not being available, regulatory compliance will not be met at production. | If compliance is not met, the year-end SEC audit may be in jeopardy. An SEC audit can affect stock price. | Compliance believes a satisfactory manual control can be developed to satisfy the external auditor.
S5
28
Risk Response Development and Implementation – Wednesday Afternoon
Item | Risk Identification | Assessment | Risk Response/Control | Monitor
1 | Possible internal resources conflict; a schedule slip of 2 weeks might materialize. | 2 DBAs were pulled off the project to assist another higher-priority project in need of their skills. | Outside resources can be brought in to complete the work for approx. $50k. The two-week schedule saving is worth $260k. | Closed. Monitor as part of the normal schedule.
2 | Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production. | Found the supplier delay to be 2 months. Also, the issue is really with the direct deposit portion of the system and not the credit card portion of the module. The business says that credit card payment is 90% of initial business and is the higher priority. | The system can be deployed with credit card payment on the original schedule. Direct deposit will be made a separate software module and added later with minimal impact. | Meet with the supplier every two days for updates.
3 | Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account. | The software supplier believes the problem is with the operating system (OS). The OS vendor is researching the issue. Per security's question: the software supplier indicates that audit trails and triggers do work. | Audit trails and instant triggers can be set up to notify the Business Manager of any unauthorized access to the GL account. This can be used as a manual control until the software upgrade is in place. | Meet with the supplier every two days for updates.
4 | Due to Role Based Access not being available, regulatory compliance will not be met at production. | Compliance believes a satisfactory manual control can be developed to satisfy the external auditor. | Security officer to explain the situation to the external auditor and communicate the proposed workaround. Security officer is confident of auditor buy-off. | Update compliance with status once per month.
S6
29
Updated Risk Impact Ranking – Wednesday Afternoon
Item | Risk Identification | Risk Response/Control | 4/17/06 Risk Ranking | Probability | Impact | 4/19/06 Risk Ranking
1 | Possible internal resources conflict; a schedule slip of 2 weeks might materialize. | Outside resources can be brought in to complete the work for approx. $50k. The two-week schedule saving is worth $260k. | 3 | Medium | Low | 8
2 | Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production. | The system can be deployed with credit card payment on the original schedule. Direct deposit will be made a separate software module and added later with minimal impact. | 1 | High | Medium | 3
3 | Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account. | Audit trails and instant triggers can be set up to notify the Business Manager of any unauthorized access to the GL account. This can be used as a manual control until the software upgrade is in place. | 3 | High | Medium | 3
4 | Due to Role Based Access not being available, regulatory compliance will not be met at production. | Security officer to explain the situation to the external auditor and communicate the proposed workaround. Security officer is confident of auditor buy-off. | 3 | Medium | Low | 8
S7
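The ranking matrix from the Risk Assessment Process slide and the scenario's before/after rankings, worked through in Python as an added example (not code from the original slides): it looks up each item's risk index at the Monday and Wednesday assessments and rebuilds the Monday-afternoon summary matrix by adding the four new items to the Monday-morning counts. The function and variable names are this example's own.

```python
"""Risk index lookup and summary-matrix roll-up for the ACME scenario (added
example, not code from the slides; the matrix, items and Monday-morning counts
come from the slides, the function and variable names are this example's own)."""
from collections import Counter

LEVELS = ("High", "Medium", "Low")
# Risk ranking matrix from the slides: RANKING[impact][probability] -> 1 (top) .. 9
RANKING = {
    "High":   {"High": 1, "Medium": 2, "Low": 4},
    "Medium": {"High": 3, "Medium": 5, "Low": 7},
    "Low":    {"High": 6, "Medium": 8, "Low": 9},
}
# Scenario items as (probability, impact): Monday ("initial") and Wednesday,
# after the response plans ("updated").
SCENARIO = {
    1: {"initial": ("High", "Medium"), "updated": ("Medium", "Low")},
    2: {"initial": ("High", "High"),   "updated": ("High", "Medium")},
    3: {"initial": ("High", "Medium"), "updated": ("High", "Medium")},
    4: {"initial": ("High", "Medium"), "updated": ("Medium", "Low")},
}
# Monday-morning summary matrix before the four items were added, keyed by
# (consequence, probability); zero cells omitted.
MONDAY_MORNING = {("High", "Low"): 2, ("Medium", "Medium"): 1,
                  ("Low", "High"): 3, ("Low", "Medium"): 3, ("Low", "Low"): 1}

def rank(probability, impact):
    """Risk index for an assessed pair; lower number means higher priority."""
    return RANKING[impact][probability]

def scenario_rankings(stage):
    """Risk index of every scenario item at the 'initial' or 'updated' stage."""
    return {item: rank(*a[stage]) for item, a in SCENARIO.items()}

def summary_matrix(assessments, baseline=None):
    """'Quick look' count of open events per (consequence, probability) cell:
    optional prior counts plus one per new (probability, impact) pair."""
    counts = Counter(baseline or {})
    counts.update((impact, prob) for prob, impact in assessments)
    return {(c, p): counts[(c, p)] for c in LEVELS for p in LEVELS}

def monday_afternoon_matrix():
    """Monday-morning counts plus the four newly identified items."""
    return summary_matrix([a["initial"] for a in SCENARIO.values()], MONDAY_MORNING)

def render(matrix):
    """Render a summary matrix as the slides' H/M/L grid (rows: consequence)."""
    lines = ["    " + " ".join(p[0] for p in LEVELS)]
    for c in LEVELS:
        lines.append(f"{c[0]}   " + " ".join(str(matrix[(c, p)]) for p in LEVELS))
    return "\n".join(lines)

if __name__ == "__main__":
    print(scenario_rankings("initial"), scenario_rankings("updated"))
    print(render(monday_afternoon_matrix()))
```

Items 1 and 4 drop from index 3 to 8 once their response plans are in place, while item 3 stays at 3: the manual control reduces nothing in the ranking until the supplier fix lands, which is the residual risk the Common Response Plan Errors slide warns about.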
30
Summary
• Apply some form of a risk management process to all your projects
– Every project has risks: if you listen for them you can manage and communicate them appropriately
• Apply the KISS principle
• Use risk management as a tool that facilitates:
– Communications
– Organization
– Opportunity identification
– Liability and compliance management
• Learn each time you use an RM process
– It is a skill that can be learned and mastered with practice