Lecture 5: Risk Management
Risk: combination of probability of an event and its consequences
Risk Management: one governance objective; entails recognising risk; assessing impact and likelihood of risk; developing strategies to manage risk within enterprise risk appetite
Risk Mgmt Frameworks
COSO Enterprise Risk Mgmt (ERM)
ISO 31000 Risk Mgmt
ISO 27005 IS Risk Mgmt
CoBIT 5 for Risk
Risk Mgmt Lifecycle
Cyclical process
Risk Identification
Risk Assessment
Risk Response and Mitigation
Risk & Control monitoring and reporting
Continuously refine, adapt, improve and mature
Biz Risk vs IT Risk
IT risk subset of biz risk
IT Risks
Project Risks
Control Risks
Change risks
Risk Model
Quantitative
Risk = Probability x Business Impact
Annual Loss Expectancy (ALE) = Annual Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)
SLE = Asset Value x Exposure Factor
Qualitative
Probability (very unlikely, unlikely, possible, likely, very likely)
Business Impact (negligible, minor, moderate, significant, severe)
Rating scale defined based on documented criteria
From:
Brainstorming
Delphi techniques
Interviews
Combination of probability and business impact = final risk rating
Issues w this model
Rating subjective; may differ between indiv
Wide variation of risk perspective influences approach to risk
Hybrid
Benefits:
Simple communication
Better Visualisation
Increase accuracy of qualitative model
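The three models above side by side, as an added illustration that is not part of the lecture notes: the quantitative formulas (SLE, ALE), a qualitative 5x5 matrix over the two ordinal scales, and a hybrid that derives the qualitative levels from the quantitative numbers so that two analysts with the same inputs get the same rating. The asset values, occurrence rates, band cut-offs and the "low/medium/high" bucket thresholds are constructed examples of the "documented criteria" the notes mention, not values from the lecture.

```python
"""Quantitative, qualitative and hybrid risk models (added worked example).
All numbers, band cut-offs and register entries below are constructed."""

PROBABILITY_LEVELS = ["very unlikely", "unlikely", "possible", "likely", "very likely"]
IMPACT_LEVELS = ["negligible", "minor", "moderate", "significant", "severe"]


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value x Exposure Factor (exposure factor is a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(aro, sle):
    """ALE = Annual Rate of Occurrence x Single Loss Expectancy."""
    return aro * sle


def qualitative_rating(probability, impact):
    """Qualitative model: combine the two ordinal scales into a final rating.
    The 5x5 matrix is scored as (prob index + 1) * (impact index + 1) and
    bucketed; the bucket cut-offs are constructed 'documented criteria'."""
    score = (PROBABILITY_LEVELS.index(probability) + 1) * (IMPACT_LEVELS.index(impact) + 1)
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def _band(value, upper_bounds, levels):
    """Map a number onto an ordinal level using ascending upper bounds
    (one bound per level except the last, which is open-ended)."""
    for bound, level in zip(upper_bounds, levels):
        if value <= bound:
            return level
    return levels[-1]


def hybrid_rating(aro, asset_value, exposure_factor, prob_bands, impact_bands):
    """Hybrid model: qualitative levels derived from quantitative inputs, so the
    rating no longer depends on an individual's perception (the 'rating
    subjective' issue above) while staying easy to communicate."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    probability = _band(aro, prob_bands, PROBABILITY_LEVELS)
    impact = _band(sle, impact_bands, IMPACT_LEVELS)
    return {
        "sle": sle,
        "ale": annual_loss_expectancy(aro, sle),
        "probability": probability,
        "impact": impact,
        "rating": qualitative_rating(probability, impact),
    }


# Constructed risk register: (name, ARO per year, asset value, exposure factor)
SAMPLE_REGISTER = [
    ("ransomware on file server", 0.5, 200_000, 0.6),
    ("laptop theft", 2.0, 3_000, 1.0),
    ("data centre flood", 0.02, 1_000_000, 0.8),
]
# Constructed criteria: ARO upper bounds for the first four probability levels,
# and SLE upper bounds (currency units) for the first four impact levels.
PROB_BANDS = [0.05, 0.2, 1.0, 5.0]
IMPACT_BANDS = [1_000, 10_000, 50_000, 250_000]


def rank_register(register, prob_bands=PROB_BANDS, impact_bands=IMPACT_BANDS):
    """Rate every entry with the hybrid model and order by ALE, highest first."""
    rows = []
    for name, aro, value, ef in register:
        row = hybrid_rating(aro, value, ef, prob_bands, impact_bands)
        row["name"] = name
        rows.append(row)
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['name']:<28} ALE={row['ale']:>10,.0f}  "
              f"{row['probability']}/{row['impact']} -> {row['rating']}")
```

Running it on the constructed register shows why the notes recommend the hybrid: the data centre flood has the second-highest ALE but rates only "low" on the 5x5 matrix, because a "very unlikely" probability pulls the score down regardless of a "severe" impact. Keeping the ALE next to the matrix rating gives decision makers both the simple visualisation and the number behind it.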
Risk Management
Risk Culture
Good risk culture = execs understand the real risk within the org; empowers employees to do the right thing
Poor risk culture = false sense of security, incorrect decision making, increased opp for incidents
Risk Awareness
Appropriate at each level
Strategic - enterprise wide
Tactical - business-unit wide
Operational - division wide
Open comm increases risk awareness
Use multi channels to deliver awareness
Town hall meetings
On-demand learning
Email campaign
Posters
Risk Appetite: org-wide decision on the threshold of acceptable risk within the org
Determined by BoD
Documented & communicated
Described in annual report
Risk Capacity: total amount of loss the enterprise can tolerate without risking its continued existence
Determined by BoD
Risk Tolerance: range of deviation from the set threshold at each level of appetite