Risk Management Process
Risk Assessment
Identify the areas with the highest risk.
Step 1 - Define the impact
In this example, the threat will be an earthquake.

Step 2 - Define the probability of the risk occurring
Probable
The event is expected to occur
Likely
The event will probably occur
Possible
The event might occur at some time
Unlikely
The event could occur at some time but is improbable
Very unlikely
The event could have little or no chance of occurrence
Step 3 - Identify the risk for different threats and create a risk matrix

Step 4 - Rate the risk
1-6: Low
Minor issue of little concern with some small disruptions
7-14: Medium
Requires attention; inconvenience and risk occur
15-25: High
Requires urgent attention, introduce control to reduce risk
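Added example (not part of the original notes): Steps 3 and 4 carried out in code, building the 5x5 risk matrix from the probability levels above and rating each cell with the 1-6 / 7-14 / 15-25 bands. It assumes probability scores 1..5 in the order the notes list them (Very unlikely = 1, Probable = 5), an unlabelled 1..5 impact scale, and score = probability x impact; the sample threats are constructed.

```python
# Assumption: probability levels scored 1..5 in the order the notes list them.
PROBABILITY = {
    "Very unlikely": 1,
    "Unlikely": 2,
    "Possible": 3,
    "Likely": 4,
    "Probable": 5,
}


def risk_score(probability: str, impact: int) -> int:
    """Step 3: one matrix cell, probability level x impact (assumed 1..5)."""
    if impact not in range(1, 6):
        raise ValueError("impact must be 1..5")
    return PROBABILITY[probability] * impact


def rate(score: int) -> str:
    """Step 4: map a matrix score to the notes' Low/Medium/High bands."""
    if 1 <= score <= 6:
        return "Low"
    if 7 <= score <= 14:
        return "Medium"
    if 15 <= score <= 25:
        return "High"
    raise ValueError("score outside the 1..25 matrix")


def risk_matrix() -> dict:
    """Full 5x5 matrix as {(probability level, impact): rating}."""
    return {(p, i): rate(risk_score(p, i)) for p in PROBABILITY for i in range(1, 6)}


def assess(threats: dict) -> list:
    """Rate each threat and order them highest score first, so the 'High'
    ones (urgent attention, introduce a control) surface at the top."""
    rows = [(name, risk_score(p, i), rate(risk_score(p, i)))
            for name, (p, i) in threats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample threats: (probability level, impact 1..5).
SAMPLE_THREATS = {
    "Earthquake": ("Unlikely", 5),
    "Phishing": ("Probable", 3),
    "Power outage": ("Possible", 2),
}

if __name__ == "__main__":
    for name, score, rating in assess(SAMPLE_THREATS):
        print(f"{name:14} score={score:2}  {rating}")
```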
Risk Mitigation
Reduce risk using controls.
0%
Eliminate risk -> impossible!!
40%
Username + password + firewall + encryption + biometrics
50%
Username + password + firewall + encryption
60%
Username + password + firewall
80%
Username + password
100%
No control
At which level are we going to stop trying to reduce risk? And who should make that decision? The senior management should!
More control means higher cost.
What are the options if senior management is still not happy with the remaining risk?
Transfer the remaining risk to 3rd party (e.g. insurance)
Avoid the risk
If a bank decides to not offer ebanking.
This is a last resort, as most of the time it can lead to a loss of customers.
Summary
Reduce the risk using controls to a level acceptable to senior management
Transfer the risk to a third party
Avoid the risk
Risk re-evaluation
When should we do it?
Time driven
Periodically, without any external factor trigger.
Event driven
When the environment changes.
Something changed within an organisation or similar organisations
Government regulation
Natural disaster