
Page 1: Risk Management

Understanding Risk and Risk Management

John Cvetko CISSP, CISA
Principal Consultant
TEK Associates, LLC
Email [email protected]
Phone 503 799 2242

Page 2: Risk Management

Overview

• Risk and Risk Frameworks
  – Perspectives of risk frameworks
• Risk Management Process
  – Review the basic elements of a Risk Management process
• Scenario
  – Step through a scenario that demonstrates the Risk Management elements

Page 3: Risk Management

How Do Organizations Use Risk Management Techniques?

• Liability Tool
  – Identify and manage liabilities
• Opportunity Tool
  – Identify areas of high risk that can lead companies to new opportunities
• Organization Tool
  – Understand how to organize and apply resources
  – A guide for maximizing results
• Compliance Tool
  – Demonstrate compliance
• Communications Tool
  – Communicate progress and risk positions to management and the functional project teams

Page 4: Risk Management

What is a Risk?

• Different disciplines have different definitions (EPA, Nuclear, Medical)
• PMI Definition (PMBOK®, Third Edition)
  – A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective
• COSO Enterprise Risk Management View (Committee of Sponsoring Organizations)
  – “… a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
• Risk is Uncertainty

Page 5: Risk Management

COSO Business Risk Framework
Committee of Sponsoring Organizations for the Treadway Commission

• Objectives can be viewed in the context of four categories:
  – Strategic
  – Operations
  – Reporting
  – Compliance
• Spans all levels of the organization:
  – Enterprise-level
  – Division or subsidiary
  – Business unit processes
  – Subsidiary
• Usually paired with IT benchmarking standards
  – COBIT, ITIL

Page 6: Risk Management

Project Based Risk Management Framework

• Project risk management – key differences are:
  – Objective setting is known as risk planning
  – Information and Communications are assumed
  – Tailored more for a specific project

[Diagram: risk management process cycle with the elements Risk Management Planning, Risk Identification, Risk Assessment, Risk Response Planning and Control, and Risk Monitoring]

Page 7: Risk Management

Risk Management Plan

• What is in a good plan?
  – State objective and expectations of the risk management effort.
  – Responsibility for decision events
    • Delegated authority for specific risk types
  – Processes for Risk Identification, Assessment, Mitigation/Control and Monitoring (flow charts).
  – Show links to other processes and plans (for example the project plan, change management process, schedule)
  – Explain how risks will be communicated to management
    • Timeframe and Dashboard
    • Emergency issues
  – Independent Review
    • Reporting structure

[Diagram: risk management process cycle with the elements Risk Management Planning, Risk Identification, Risk Assessment, Risk Response Planning and Control, and Risk Monitoring]

Page 8: Risk Management

Common Plan Errors

• Not making the plan practical/realistic for the project at hand.
• Confusing the risk management plan with the project plan.
• Lack of independent review/peer review.

Page 9: Risk Management

Risk Identification: Understanding the Project Requirements

• Collect actionable/quantifiable requirements
  – Business goals or requirements
  – Product or service functionality, schedule and budget
  – Service level or performance goals
• Sample of quantifiable requirements
  – Start of production date, process transactions within 10 seconds, availability of system is 99.999%, increase efficiency by x%.
• Unclear Requirements = Unclear Risks
  – Unclear requirements are a risk

Page 10: Risk Management

Risk Identification

• Known Risks
  – These are the obvious risks that jump out quickly at the beginning of every project.
• Unknown Risks
  – Are usually a result of inexperience in particular areas
• Unknowable Risks
  – Are risks that can’t be predicted even with the best information and experience available.

Page 11: Risk Management

Risk Identification
Risks can come from many different sources:

• Products – configuration, technology, requirements, etc.
• Procedures – development and operational processes, etc.
• Business environment – cost, profit, regulations, competition, market fluctuations, etc.
• Project – scope, schedule, resource availability, etc.
• People – human error, skills, culture, blind spots, etc.
• External – public opinion, economy, natural disasters, etc.

Page 12: Risk Management

Risk Identification Process

• Cross Functional Team
  – Populate a well-rounded team when identifying and assessing risks
• Methods for teasing out risk items
  – Brainstorming
  – Interviews/Questionnaires
  – Review of similar projects
  – Subject matter experts
  – External experienced consultants
  – Technical Standards
    • Program specific Best Practice Guides, e.g., IT = COBIT, ITIL, ISO 17799
  – GAP analysis, SWOT, Cause and Effect, Fault Tree, Hazard and Operability (HAZOP), business impact analysis techniques
  – Prototyping

Page 13: Risk Management

Risk Identification Process (cont)

• Capture each risk item using wording such as:
  – Due to / As a result of <definitive cause>, a/an <uncertain event> may occur which could lead to <some effect on program objective(s)>
• Document each item in a risk event list/database
• Ensure a clear description of the consequence is included
  – Define the “so what”

Page 14: Risk Management

Common Risk Identification Errors

• Lack of experience in a crucial subject area
• Not understanding what constitutes a risk – not listening with a risk management perspective
• Not understanding blind spots
• Not prepared for a significant amount of information
• Over focus on a particular risk

Page 15: Risk Management

Risk Assessment Process

• Once risks are identified, each risk event needs to be assessed for:
  – Impact to the project if the risk event occurs
    • Qualitative vs. Quantitative Assessments
  – Probability that the risk event will occur
    • Qualitative vs. Quantitative Assessments
• Initially let each team member assess their own risks
  – Likely result:
    • A predominance of events characterized as high likelihood, high consequence
    • Everyone thinks their risk items are the most important, i.e. high consequence, high likelihood
• Assessments should then be made jointly by all the team members to gain agreement
  – The assessment results will impact what resources are devoted to which tasks

Page 16: Risk Management

Risk Assessment Process

• Risk index numbering establishes priorities
  – Enables the team to agree on the relative ranking of risk items
• Caution: don’t let the debate divert the process

Risk Ranking (Impact Exposure): rows = Impact, columns = Probability, 1 = highest priority

Impact \ Probability   High   Medium   Low
High                   1      2        4
Medium                 3      5        7
Low                    6      8        9

Page 17: Risk Management

Common Assessment Errors

• Not breaking the problem or risk down to manageable pieces.
• Not having enough information to fully assess the risk
• Not having the authority to make decisions
• Being overwhelmed… when in doubt ask for help.

Page 18: Risk Management

Risk Response Strategies

• Response strategies for dealing with identified risks
  – Avoidance (Elimination)
    • Pursue a completely different approach (e.g. use another supplier)
  – Transfer
    • Move risk elsewhere (e.g. back to the customer, buy insurance)
  – Mitigation (Reduction)
    • Take steps to minimize the consequence and/or likelihood of the risk occurring (e.g. develop secondary approach, train multiple personnel)
  – Acceptance
    • “If it happens, it happens and we’ll deal with it”
• Strategy use
  – Multiple strategies can be used per risk event and strategies may change with time

Page 19: Risk Management

Risk Response Planning

• Develop a response plan to implement the strategy
  – What is to be done, what is the budget, what is the schedule…
  – Develop a plan “B”
• Determine who is responsible for implementing the plan
  – Accountability
• Communicate
  – Inform management and project team of the plan

Page 20: Risk Management

Common Response Plan Errors

• Not clearly assigning accountability for individual plans.
• Not having a plan “B”
• Creating a plan on half an assessment.
• Not understanding residual risk

Page 21: Risk Management

Risk Event Monitoring

• Continuous monitoring and proactively addressing developments are vital to a successful risk management process
  – Review ‘Red’ items and upcoming trigger events at least weekly
• Track actual closure of risk items
  – Closure date, how/why closed, any special issues or circumstances
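A small monitoring helper, added here as an example (it is not from the slides), that applies the two bullets above to a constructed register: it flags Red items whose last review is a week or more old and any open item whose trigger event falls within the coming week, and it records the closure date and the how/why note when an item is closed. The item numbers, status colours, review dates and trigger dates are constructed sample values; the Red/Yellow/Green colour is assumed to be assigned by the team, since the slides show the colours but do not define how a rank maps to one.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=7)  # "at least weekly"

# Constructed sample register entries (not from the slides). 'color' is the
# status colour the team assigned (assumption: the slides show Red/Yellow/
# Green but do not define the mapping), 'last_review' is when the item was
# last looked at, 'trigger' is the date of its next trigger event, if any.
SAMPLE_REGISTER = [
    {"item": 1, "color": "Red",    "last_review": date(2006, 4, 10), "trigger": None},
    {"item": 2, "color": "Red",    "last_review": date(2006, 4, 17), "trigger": date(2006, 4, 21)},
    {"item": 3, "color": "Yellow", "last_review": date(2006, 4, 3),  "trigger": date(2006, 5, 30)},
    {"item": 4, "color": "Green",  "last_review": date(2006, 3, 1),  "trigger": date(2006, 4, 20)},
    {"item": 5, "color": "Closed", "last_review": date(2006, 2, 1),  "trigger": None},
]


def items_needing_review(register, today):
    """Return (item, reason) pairs the weekly review must cover: Red items
    whose last review is a week or more old, and any open item whose trigger
    event falls within the coming week. Closed items are skipped."""
    due = []
    for entry in register:
        if entry["color"] == "Closed":
            continue
        reasons = []
        if entry["color"] == "Red" and today - entry["last_review"] >= REVIEW_INTERVAL:
            reasons.append("Red item overdue for weekly review")
        trigger = entry["trigger"]
        if trigger is not None and today <= trigger <= today + REVIEW_INTERVAL:
            reasons.append(f"trigger event on {trigger.isoformat()}")
        if reasons:
            due.append((entry["item"], "; ".join(reasons)))
    return due


def close_item(entry, closed_on, how_why):
    """Record actual closure: the closure date and how/why the item closed.
    An empty reason is rejected so the 'why' is always captured."""
    if not how_why.strip():
        raise ValueError("closure requires a note on how/why the item was closed")
    entry["color"] = "Closed"
    entry["closed_on"] = closed_on
    entry["closure_note"] = how_why
    return entry


if __name__ == "__main__":
    for item, reason in items_needing_review(SAMPLE_REGISTER, date(2006, 4, 17)):
        print(f"item {item}: {reason}")
```

Run on the sample register for a Monday review, the helper reports item 1 (Red, not reviewed for a week) and items 2 and 4 (trigger events in the coming week); the Yellow item with a trigger six weeks out and the closed item are left alone.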

Page 22: Risk Management

Risk Management Status Tracking

• Summary Matrix
  – A risk summary matrix of risk priorities is a ‘quick look’ approach to monitoring and communicating status

Risk Summary (rows = Consequence, columns = Probability)

Consequence \ Probability   H   M   L
H                           6   0   2
M                           3   1   0
L                           3   3   1

Not Assessed: 0   Closed: 6

Legend: Key Risk, Significant Risk, Tolerable Risk, Not Assessed
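The summary matrix above is a count of open items per Consequence/Probability cell plus two tallies. The following helper, added here as an example and not from the slides, builds that matrix from a risk register and renders it in the slide's layout. The register entries are constructed sample values (their levels happen to match the four scenario items plus three extras); the only assumption is that an item carries either an assessed probability and consequence or a status of "Not Assessed" or "Closed".

```python
from collections import Counter

LEVELS = ("H", "M", "L")

# Constructed sample register (not from the slides). An open item carries the
# team's assessed probability and consequence; otherwise it carries a status
# of "Not Assessed" or "Closed".
SAMPLE_ITEMS = [
    {"item": 1, "probability": "H", "consequence": "M"},
    {"item": 2, "probability": "H", "consequence": "H"},
    {"item": 3, "probability": "H", "consequence": "M"},
    {"item": 4, "probability": "H", "consequence": "M"},
    {"item": 5, "probability": "L", "consequence": "L"},
    {"item": 6, "status": "Closed"},
    {"item": 7, "status": "Not Assessed"},
]


def summary_matrix(items):
    """Count open items per (consequence, probability) cell and tally the
    'Not Assessed' and 'Closed' items, as the summary matrix presents them."""
    cells = Counter()
    not_assessed = closed = 0
    for it in items:
        status = it.get("status")
        if status == "Closed":
            closed += 1
            continue
        if status == "Not Assessed":
            not_assessed += 1
            continue
        p, c = it.get("probability"), it.get("consequence")
        if p not in LEVELS or c not in LEVELS:
            raise ValueError(f"item {it['item']}: levels must be one of {LEVELS}")
        cells[(c, p)] += 1
    grid = {c: {p: cells[(c, p)] for p in LEVELS} for c in LEVELS}
    return {"grid": grid, "not_assessed": not_assessed, "closed": closed}


def render_summary(summary):
    """Plain-text rendering in the slide's layout: rows = Consequence,
    columns = Probability, with the two tallies underneath."""
    lines = ["Consequence \\ Probability   H   M   L"]
    for c in LEVELS:
        row = summary["grid"][c]
        lines.append(f"{c:<28}{row['H']:>1}   {row['M']:>1}   {row['L']:>1}")
    lines.append(f"Not Assessed: {summary['not_assessed']}   Closed: {summary['closed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(summary_matrix(SAMPLE_ITEMS)))
```

Rejecting an unknown level rather than skipping the item matters for a status report: an item silently dropped from the grid would read as "no risk there" to the executives the matrix is meant to inform.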

Page 23: Risk Management

Risk Scenario

• You work for the ACME car insurance company. ACME is a $1 billion public company that is implementing a new collection system to enable customers to review their bills and take credit card and direct deposit payments on-line. This system will replace an existing manual system that requires 250 people to manage. The cost of this system is $20 million and it is expected to save the company $26k a day.

• This software system is a commercial off the shelf (COTS) system with the exception of the on-line (credit card and direct deposit) payment module. The module is currently being developed by the software supplier. The supplier is new to the world of on-line financial transactions.

Monday Morning Team Meeting Status (S1)

Risk Summary (rows = Consequence, columns = Probability)

Consequence \ Probability   H   M   L
H                           0   0   2
M                           0   1   0
L                           3   3   1

Not Assessed: 0   Closed: 6

Page 24: Risk Management

Risk Identification Build-up List
Monday Morning Team Meeting (S2)

Team Members: Project Manager, Engineering Manager, Business Owner, Security Officer, Finance

Item 1
  Risk Identification: Possible internal resources conflict; a schedule slip of 2 weeks might materialize.
  Impact Statement: The business has calculated that a slip in production costs $26k per day. A two week loss is $260k.

Item 2
  Risk Identification: Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production.
  Impact Statement: The business requires the transaction software to be available upon production. The business has calculated that a slip of this type will have a $1 million impact.

Item 3
  Risk Identification: Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account.
  Impact Statement: If regulatory compliance is not met, the year end SEC audit may be in jeopardy. An SEC audit can affect stock price.

Item 4
  Risk Identification: Due to Role Based Access not being available, regulatory compliance will not be met at production.
  Impact Statement: If compliance is not met, the year end SEC audit may be in jeopardy. An SEC audit can affect stock price.

Page 25: Risk Management

Initial Risk Impact Ranking (S3)

Item   Probability   Impact   Risk Ranking
1      High          Medium   3
2      High          High     1
3      High          Medium   3
4      High          Medium   3

Items 1 to 4 are the risks and impact statements from the Monday morning build-up list.

Risk Ranking (Impact Exposure): rows = Impact, columns = Probability, 1 = highest priority

Impact \ Probability   High   Medium   Low
High                   1      2        4
Medium                 3      5        7
Low                    6      8        9

Page 26: Risk Management

Risk Management Status Tracking
Monday Afternoon Weekly Executive Briefing (S4)

Risk Summary (rows = Consequence, columns = Probability)

Consequence \ Probability   H   M   L
H                           1   0   2
M                           3   1   0
L                           3   3   1

Not Assessed: 0   Closed: 6

[Chart: By Functional Area. Bar chart of # of Events in Category (Green, Yellow, Red) for Engineering, Sales, Product Support, Financial, Material Control, Purchasing and Operations; y-axis 0 to 7]

[Chart: As a Function of Time. # of Events in Category (Green, Yellow, Red, Unassessed) by month, Feb through August; y-axis 0 to 8]

Page 27: Risk Management

Risk Assessment Process
Tuesday Afternoon (S5)

Item 1
  Risk Identification: Possible internal resources conflict; a schedule slip of 2 weeks might materialize.
  Impact Statement: The business has calculated that a slip in production costs $26k per day. A two week loss is $260k.
  Assessment: 2 DBAs were pulled off the project to assist another higher priority project in need of their skills.

Item 2
  Risk Identification: Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production.
  Impact Statement: The business requires the transaction software to be available upon production. The business has calculated that a slip of this type will have a $1 million impact.
  Assessment: Found the supplier delay to be 2 months. Also, the issue is really with the direct deposit portion of the system and not the Credit Card portion of the module. The business says that credit card payment is 90% of initial business and is the higher priority.

Item 3
  Risk Identification: Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account.
  Impact Statement: If regulatory compliance is not met, the year end SEC audit may be in jeopardy. An SEC audit can affect stock price.
  Assessment: The software supplier believes the problem is with the operating system (OS). The OS vendor is researching the issue. Per security's question: the software supplier indicates that audit trails and triggers do work.

Item 4
  Risk Identification: Due to Role Based Access not being available, regulatory compliance will not be met at production.
  Impact Statement: If compliance is not met, the year end SEC audit may be in jeopardy. An SEC audit can affect stock price.
  Assessment: Compliance believes a satisfactory manual control can be developed to satisfy the external auditor.

Page 28: Risk Management

Risk Response Development and Implementation
Wednesday Afternoon (S6)

Item 1
  Risk Identification: Possible internal resources conflict; a schedule slip of 2 weeks might materialize.
  Assessment: 2 DBAs were pulled off the project to assist another higher priority project in need of their skills.
  Risk Response/Control: Outside resources can be brought in to complete the work for approx. $50k. Two week schedule savings is worth $260k.
  Monitor: Closed. Monitor as part of normal schedule.

Item 2
  Risk Identification: Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production.
  Assessment: Found the supplier delay to be 2 months. Also, the issue is really with the direct deposit portion of the system and not the Credit Card portion of the module. The business says that credit card payment is 90% of initial business and is the higher priority.
  Risk Response/Control: The system can be deployed with credit card payment on the original schedule. Direct deposit will be made a separate software module and added later with minimal impact.
  Monitor: Have meeting with supplier every two days for updates.

Item 3
  Risk Identification: Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account.
  Assessment: The software supplier believes the problem is with the operating system (OS). The OS vendor is researching the issue. Per security's question: the software supplier indicates that audit trails and triggers do work.
  Risk Response/Control: Audit trails and instant triggers can be set up to notify the Business Manager of any unauthorized access into the GL account. This can be used as a manual control until the software upgrade is in place.
  Monitor: Have meeting with supplier every two days for updates.

Item 4
  Risk Identification: Due to Role Based Access not being available, regulatory compliance will not be met at production.
  Assessment: Compliance believes a satisfactory manual control can be developed to satisfy the external auditor.
  Risk Response/Control: Security officer to explain the situation to the external auditor and communicate the proposed workaround. Security officer is confident of auditor buyoff.
  Monitor: Update compliance with status once per month.

Page 29: Risk Management

Updated Risk Impact Ranking
Wednesday Afternoon (S7)

Item   4/17/06 Risk Ranking   4/19/06 Probability   4/19/06 Impact   4/19/06 Risk Ranking
1      3                      Medium                Low              8
2      1                      High                  Medium           3
3      3                      High                  Medium           3
4      3                      Medium                Low              8

Item 1
  Risk Identification: Possible internal resources conflict; a schedule slip of 2 weeks might materialize.
  Risk Response/Control: Outside resources can be brought in to complete the work for approx. $50k. Two week schedule savings is worth $260k.

Item 2
  Risk Identification: Due to a supplier problem, the financial transaction software module is not expected to be available until 2 months after production.
  Risk Response/Control: The system can be deployed with credit card payment on the original schedule. Direct deposit will be made a separate software module and added later with minimal impact.

Item 3
  Risk Identification: Due to supplier problems, Role Based Access is not available until 3 months after the current production date. This feature is intended to prevent the business analyst from accessing the general ledger account.
  Risk Response/Control: Audit trails and instant triggers can be set up to notify the Business Manager of any unauthorized access into the GL account. This can be used as a manual control until the software upgrade is in place.

Item 4
  Risk Identification: Due to Role Based Access not being available, regulatory compliance will not be met at production.
  Risk Response/Control: Security officer to explain the situation to the external auditor and communicate the proposed workaround. Security officer is confident of auditor buyoff.
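To make the ranking arithmetic explicit, here is an added example (not from the slides) that encodes the Risk Ranking matrix from the Risk Assessment Process slide, with Impact as rows and Probability as columns, and re-derives the 4/17/06 and 4/19/06 rankings for the four scenario items from the probability and impact values tabulated above. The four (probability, impact) pairs are the slides' own; the orientation of the matrix is the one the scenario uses (Probability High with Impact Medium ranks 3). Everything else is example code.

```python
LEVELS = ("High", "Medium", "Low")

# The slides' Risk Ranking matrix: rows are Impact, columns are Probability,
# 1 = highest exposure. Orientation follows the scenario, where
# Probability High / Impact Medium ranks 3.
RANKING = {
    "High":   {"High": 1, "Medium": 2, "Low": 4},
    "Medium": {"High": 3, "Medium": 5, "Low": 7},
    "Low":    {"High": 6, "Medium": 8, "Low": 9},
}


def risk_rank(probability, impact):
    """Look up the risk index for a (probability, impact) pair; reject
    anything outside the three agreed levels so a typo cannot silently
    drop an item to the bottom of the priority list."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError(f"probability and impact must be one of {LEVELS}")
    return RANKING[impact][probability]


# The four scenario items with the (probability, impact) assessments the
# slides tabulate for 4/17/06 (initial) and 4/19/06 (after response planning).
SCENARIO = [
    {"item": 1, "initial": ("High", "Medium"), "updated": ("Medium", "Low")},
    {"item": 2, "initial": ("High", "High"),   "updated": ("High", "Medium")},
    {"item": 3, "initial": ("High", "Medium"), "updated": ("High", "Medium")},
    {"item": 4, "initial": ("High", "Medium"), "updated": ("Medium", "Low")},
]


def rank_scenario(items):
    """Re-derive each item's initial and updated risk index from the matrix
    and note whether the response moved it down the priority list."""
    result = []
    for it in items:
        before = risk_rank(*it["initial"])
        after = risk_rank(*it["updated"])
        result.append({"item": it["item"], "before": before, "after": after,
                       "reduced": after > before})
    return result


def priority_order(items, when="updated"):
    """Item numbers sorted by risk index (1 first) for the chosen assessment;
    Python's sort is stable, so ties keep register order."""
    return [it["item"] for it in sorted(items, key=lambda it: risk_rank(*it[when]))]


if __name__ == "__main__":
    for row in rank_scenario(SCENARIO):
        print(f"item {row['item']}: {row['before']} -> {row['after']}"
              f"{' (reduced)' if row['reduced'] else ''}")
    print("priority order after response planning:", priority_order(SCENARIO))
```

Two things the matrix shows once it is written down as data: the response plans moved items 1, 2 and 4 down the list while item 3 stays at 3 (the manual control changes neither its probability nor its impact, which is the residual risk the earlier "Common Response Plan Errors" slide warns about), and the matrix is not symmetric, since High impact with Medium probability (2) outranks Medium impact with High probability (3), so impact carries slightly more weight than likelihood.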

Page 30: Risk Management

Summary

• Apply some form of a risk management process to all your projects
  – Every project has risks: if you listen for them you can manage and communicate them appropriately
• Apply the KISS principle
• Use risk management as a tool that facilitates:
  – Communications
  – Organization
  – Opportunity identification
  – Liability and Compliance Management
• Learn each time you use an RM process
  – It is a skill that can be learned and mastered with practice

[Diagram: risk management process cycle with the elements Risk Management Planning, Risk Identification, Risk Assessment, Risk Response Planning and Control, and Risk Monitoring]