Lecture 8: Risk Assessment
Assessment vs Identification
Risk Assessment
Process to identify and evaluate risks and their potential impacts
Assess critical services and the existing controls in place
Determine the risk rating and impact, taking the controls in place into account
Risk Identification
Process of identifying and documenting risks in the enterprise
Document assets and their values
Document every risk and its associated assets
Risk Assessment Techniques
Business Impact Analysis
Determine the negative impact on the business
Commonly used; results can be mapped onto a risk heat map
Considerations:
Loss of business
Delayed business
Increased expenses
Regulatory fines
Reputation loss
Customer dissatisfaction
Considers end-to-end impact, not only direct impact
To be done by professionals with adequate data and validation
Structured What-if
Consider hypothetical but realistic events
A session chair poses questions to a panel to identify what-ifs, consequences and potential recommendations
What-ifs can be derived from:
Task analysis
Checklists
Process descriptions
Regulatory requirements
Past incidents and accidents
Delphi method
Allows anonymous expression of thoughts
Used when consensus is needed to rate impact
Bow tie analysis
Step 1: Identify the undesirable event
Threat > Preventive Defences > Undesired State > Recovery Defences > End State
Step 2: List the relevant threats and preventive defences
Step 3: List the potential consequences and recovery defences
Step 4: Review and revise
Structured interview
Often the best way to get information
Interviews are hard to manage and may turn into a discussion
Without consistency it is hard to achieve the primary objective across interviewees
Characteristics:
Ask the exact same questions of every interviewee
Questions are written beforehand
Formal approach, without the personal opinion of the interviewer
Provides the ability to draw objective comparisons between interviewees
Cause and effect analysis
Fishbone diagram
Describes multiple causes contributing to a single adverse event
Knowing the causes helps identify the significant ones and mitigate them
Checklist
Simplest method for self-assessment and verification
Adequacy and effectiveness of a checklist depend on the completeness of the conditions being assessed
Weakness: no additional information can be captured, and the scope is rigid
Heavily dependent on the competency and experience of the person developing the checklist
Event tree analysis
Uses probability
Overall path probability = P(event 1) x ... x P(event n)
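Worked example of the path-probability rule above, added here and not part of the lecture notes. It models a sequential event tree: the initiating event is a phishing e-mail that has reached a user's inbox, and each preventive barrier either holds (the path ends safely) or fails (the next barrier is tried). The barrier names and the success probabilities are assumed figures for illustration, not measured data.

```python
from typing import List, Tuple

# Constructed example: an event tree for a phishing e-mail that has reached
# a user's inbox (the initiating event). Each barrier is a preventive
# defence that either holds or fails; the success probabilities below are
# assumed figures for illustration, not measured data.
Barrier = Tuple[str, float]  # (description, probability the barrier holds)

PHISHING_BARRIERS: List[Barrier] = [
    ("user does not click the link", 0.70),
    ("web proxy blocks the download", 0.80),
    ("endpoint protection blocks the payload", 0.90),
]


def event_tree_paths(initiating_prob: float, barriers: List[Barrier]) -> List[Tuple[str, float]]:
    """Enumerate every path through a sequential event tree.

    Starting from the initiating event, each barrier is tried in order.
    If it holds, the path ends in a safe state; if it fails, the next
    barrier is tried. The probability of a path is the product of the
    branch probabilities along it:

        P(path) = P(event 1) x P(event 2) x ... x P(event n)

    Returns (end-state label, probability) pairs, one per path.
    """
    if not 0.0 <= initiating_prob <= 1.0:
        raise ValueError("initiating probability must be in [0, 1]")
    paths: List[Tuple[str, float]] = []
    p_reach = initiating_prob  # probability the threat reaches this barrier
    for name, p_holds in barriers:
        if not 0.0 <= p_holds <= 1.0:
            raise ValueError(f"barrier probability out of range: {name}")
        # Branch where this barrier holds: the path terminates safely here.
        paths.append((f"stopped: {name}", p_reach * p_holds))
        # Branch where it fails: carry the remaining probability forward.
        p_reach *= 1.0 - p_holds
    paths.append(("undesired end state: all barriers failed", p_reach))
    return paths


def undesired_end_state_probability(initiating_prob: float, barriers: List[Barrier]) -> float:
    """Probability of the path on which every barrier fails."""
    return event_tree_paths(initiating_prob, barriers)[-1][1]


def paths_are_consistent(initiating_prob: float, barriers: List[Barrier], tol: float = 1e-9) -> bool:
    """Sanity check: the paths partition the initiating event, so their
    probabilities must sum back to initiating_prob."""
    total = sum(p for _, p in event_tree_paths(initiating_prob, barriers))
    return abs(total - initiating_prob) <= tol


if __name__ == "__main__":
    for label, p in event_tree_paths(1.0, PHISHING_BARRIERS):
        print(f"{p:.4f}  {label}")
    print("consistent:", paths_are_consistent(1.0, PHISHING_BARRIERS))
```

With the assumed figures the undesired end state has probability 0.3 x 0.2 x 0.1 = 0.006 per delivered e-mail; scaling the initiating probability by the expected number of deliveries turns this into the likelihood input for a risk rating. The consistency check catches a tree whose branches were mis-specified (probabilities that do not sum to the initiating event).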
Risk Assessment
Step 1: Gather data
Purpose: obtain a background feel for the risks in the organisation
Collect information such as:
Company policies, standards, guidelines, procedures
Past risk assessments
Statistical data from public/commercial sources
Organisational stakeholders and the organisational structure
Risk statements (risk appetite, risk tolerance)
Risk register
Step 2: Develop risk scenario
Validate previously identified risk scenarios and update them
Identify new risk scenarios not addressed before
Obtain consensus on the list of risk scenarios
Best practices:
Avoid reinventing the wheel: reuse existing risk scenarios
Keep up to date with the latest reports and trends for new threats, vulnerabilities and risks
Interact with others in the same industry and share information
Step 3: Assess the risk
Select an appropriate methodology (risk model) to assess the risk
Consider:
Technology factors
Hardware/software lifecycle
Completeness of documentation
Availability of service providers and vendors for support
Geo-socio-political factors
Political stability (martial law, war)
Natural disasters
Societal sentiment (product recall)
Existing controls (considered for cost and operational reasons)
Compensating control (alternative control that effectively reduces the risk)
e.g. ID and verification when calling the bank
Detective control (detects an undesirable event)
e.g. IDS
Deterrent control (discourages undesirable behaviour)
e.g. CCTV, warning banner on the login screen
Preventive control (stops the undesirable event)
e.g. disable the account after 3 incorrect logins
Step 4: Compare w baseline
A completed risk assessment outputs a rating for each risk
Comparing the measured risk rating with the desirable rating = gap analysis
Provide recommendations to close the gap
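Worked example tying Step 3 and Step 4 together (and the heat-map mapping mentioned under Business Impact Analysis), added here and not part of the lecture notes. It rates each risk as likelihood x impact on a 1 to 5 scale with existing controls lowering the likelihood, places the rating in a heat-map band, and compares it with a desired rating to produce the gap list. The scale, the band thresholds, the control effectiveness values and the register entries are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Rating scale used below (an assumption for illustration; the lecture does
# not fix a scale): likelihood and impact are each scored 1 (lowest) to 5
# (highest) and the risk rating is their product, 1..25.
SCALE_MIN, SCALE_MAX = 1, 5

# Heat-map bands over the 1..25 rating, chosen for this example.
HEAT_BANDS: List[Tuple[int, str]] = [
    (16, "Critical"),
    (10, "High"),
    (5, "Medium"),
    (1, "Low"),
]


@dataclass
class Risk:
    name: str
    owner: str
    inherent_likelihood: int
    impact: int
    # Existing controls and the number of likelihood levels each one is
    # judged to remove (assumed effectiveness values).
    controls: List[Tuple[str, int]] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        reduction = sum(levels for _, levels in self.controls)
        return max(SCALE_MIN, self.inherent_likelihood - reduction)

    def rating(self) -> int:
        """Risk rating with the controls in place taken into account."""
        return self.residual_likelihood() * self.impact


def heat_band(rating: int) -> str:
    """Map a 1..25 rating onto its heat-map band."""
    for threshold, label in HEAT_BANDS:
        if rating >= threshold:
            return label
    return HEAT_BANDS[-1][1]


@dataclass
class GapEntry:
    name: str
    owner: str
    rating: int
    band: str
    gap: int  # how far the measured rating exceeds the desired rating


def gap_analysis(risks: List[Risk], desired_rating: int) -> List[GapEntry]:
    """Compare each measured rating against the desired (baseline) rating.

    desired_rating is the highest rating the organisation is willing to
    tolerate. Entries are returned largest gap first so the risks needing
    action head the report.
    """
    for r in risks:
        for v in (r.inherent_likelihood, r.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"score out of range for {r.name}")
    entries = [
        GapEntry(r.name, r.owner, r.rating(), heat_band(r.rating()),
                 max(0, r.rating() - desired_rating))
        for r in risks
    ]
    return sorted(entries, key=lambda e: (-e.gap, -e.rating, e.name))


# Constructed register entries (not from the lecture).
SAMPLE_RISKS: List[Risk] = [
    Risk("Ransomware on file servers", "Head of IT", 4, 5,
         [("offline backups", 1), ("endpoint protection", 1)]),
    Risk("Credential theft via phishing", "CISO", 5, 3,
         [("MFA on remote access", 2)]),
    Risk("Office wifi outage", "Facilities", 3, 1),
]
DESIRED_RATING = 6  # assumed risk tolerance: nothing above 6 is acceptable


if __name__ == "__main__":
    for e in gap_analysis(SAMPLE_RISKS, DESIRED_RATING):
        action = "close gap" if e.gap else "within tolerance"
        print(f"{e.rating:>2} {e.band:<8} gap={e.gap} {e.name} ({e.owner}): {action}")
```

The output carries exactly the fields Step 5 asks for (risk, rating, owner, and whether a recommendation is needed), so the same structure can be exported to a spreadsheet or GRC tool. Keeping the band thresholds and the desired rating as named constants makes the risk appetite statement from Step 1 an explicit input rather than something buried in the arithmetic.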
Step 5: Communicate risk assessment
Results are presented to senior management
Format: slides for senior management, detailed write-up for management and operations executives
Content: list of applicable risks, ratings, owners, recommendations
Tools: spreadsheet, or governance, risk and compliance (GRC) software
Provides the board of directors with an understanding and overview of the current risk climate
Can be used to empower the risk management team to drive risk action plans and obtain additional resources