Published on March 10, 2014
Risk Management By Shyam
DISCLAIMER(S) • The opinion here represented are my personal ones and do not necessary reflect my employers views. • Registered brands belong to their legitimate owners. • The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :) 2
Personal Risk Management 4
Ideal Risk Management A Prioritization process is followed whereby the risks with the greatest (impact) and the greatest probability (likelihood) of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. 5
Impact vs Likelihood 6
Risk management methodologies • NIST SP 800-30 framework • ISO 27005 framework • ISO 31000 Risk Management principles and guidelines • PRISM framework •OWASP Risk rating methodology •COSO Enterprise risk management- Integrated framework •OCTAVE •ISF Information risk assessment methodologies (IRAM) •ISACA risk IT 7
Problem • These are somebody else’s vision of what risk management should be. • At best they are a guideline to give you examples of what others are doing. •At worst they make risk management look overly complicated and make it difficult to get started. 8
Defining Risk • Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). 9
Risk can apply to • Economic risk •Health, Safety, and Environment •IT and InfoSec •Insurance •Business and management •Finance •Security 10
Risk formula •Likelihood: The probability of something occurring. •Impact: The expected loss if that event occurs. •Classic formula •Risk= Likelihood*Impact 11
Make your risk formula fit you • Weighting Impact RISK= LIKELIHOODxIMPACT+IMPACT 12
•Weighting Impact RISK= LIKELIHOODxIMPACT+ILIKELIHOOD 13
Be Flexible!! •Risk management needs to be a custom fit for your organization and your formula needs to reflect that. •Your formula can (and likely will) change. •Wherever you are tracking risks should be able to dynamically update risk based on the updated formula. •No word documents •No excel documents •No static formats 14
Determining risks Convince your peers that documenting risks is CYOA and you’ll have more risks than you know what to do with. • Network vulnerability scanners •Application vulnerability scanners •Security mailing lists • Security blogs •Code Reviews 15
Evaluating a risk Is the risk acceptable? Is the likelihood or impact low enough that I’m willing to simply accept the consequences if it happens. Is the risk transferrable? •Could I purchase insurance or some other measure to transfer the impact of the risk to another party. Is the risk reducable? • Is there some sort of mitigation that could be put in place to reduce the impact or likelihood of the risk. 16
Determining a response 17
Risk management is cyclical 18
Risk review process • May depend on how lean your organization is on management structure. • Raise the visibility of high level risks. • High Risk =VP •Medium Risk =Director • Low Risk = Area Manager •Risk should be re-reviewed regularly. • High Risk = Monthly •Medium Risk = Semi-Monthly • Low Risk = Annually 19
Risk management is not • It is not a process for avoiding risk. •The aim of risk management is not to eliminate risk, rather to manage the risks involved in business activities to maximize opportunities and minimize adverse effects. •Note: Risk management is not the management of insurable risks. Insurance is an important way of transferring risk but most risks will be managed by other means. 20
Deriving Value • Order by risk level. •Group if the mitigations are the same. •Pass back to various teams stating that project X was approved for consideration in next budget cycle. 21
Tools for enterprise risk management •Most enterprise tools fall into a category called “GRC” (Governance, Risk & Compliance). These tools are easily $100+. •Bwise GRC Platform •RSA Archer eGRC •SAP GRC •Oracle GRC •Spreadsheets •Any good tools out there? 22
FixNix Risk management 23
FixNix Document a risk 24
FixNix risk mitigation 25
FixNix risk review 26
GOOD Risk management A good risk management is that where the risks are easily managed , mitigated and continuously reviewed. 28
QUESTIONS?? Sheyamselvaraj Shyamdicaprio or gRc_sham or 29
Risk in automation and power industries 1 Introduction Industry Landscape The risk management process has undergone rapid evolution since the last century.
UC4 Software – As enterprise software is increasingly used to automate complex business processes, IT is becoming an increasingly important factor for ...
February 24, 2010. The Risks of Automation By Melanie Lockwood Herman. During a recent flight to the west coast I had the opportunity to see a film titled ...
Rockwell Automation project managers can help reduce implementation time and risk with the use of standardized, tested, repeatable engineering and ...
Software Risk Management: Using the Automated Tools Sergey M. Avdoshin, Elena Y. Pesotskaya School of Software Engineering, Software Management Department ...
Risk management. To overcome possible poor implementation or failure of a LIMS or laboratory automation project, risk management should be ...
Automated Risk Management Using NIST Standards ... The overall risk management process is shown below in graphical ... Automation Risk Management programs.
As a discipline, project risk management is an integral part of project management practices. It is found in common methodologies such as the PRINCE2 ...
All registrants will be entered into a draw to win an Apple iPad. Automating the IT Risk Management process is critical for organizations who want to ...
GRC Solutions; Third Party Risk Management; ... When technology risk management and regulatory pressures complicate ... and risk scorecards; Automation: ...