Risk Management Process

Risk Assessment

Identify area of having higher risk.

Step 1 - Define the impact

In this example, the threat will be an earthquake.

Step 2 - Define the probability of having risk

Probability	Definition
Probable	The event is expected to occur
Likely	The evemt will probably occur
Possible	The event might occur at some time
Unlikely	The event could occur at some time but is improbable
Very unlikely	The event could have little or no chance of occurrence

Step 3 - Identify the risk for different threats and create a risk matrix

Step 4 - Rate the risk

1-6: Low	Minor issue of little concern with some small disruptions
7-14: Medium	Requires attention, inconvenience and risk occur
15-25: High	Requires urgent attention, introduce control to reduce risk

Risk Mitigation

Reduce risk using control.

Risk	Control
0%	Eliminate riks -> impossible!!
40%	Username + password + firewall + encryption + biometrics
50%	Username + password + firewall + encryption
60%	Username + password + firewall
80%	Username + password
100%	No control

At which level are we going to stop trying to reduce risk? And who should make that decision? The senior management should!

More control means higher cost.

What are the options if senior management still not happu with the existing risk?

• Transfer the remaining risk to 3rd party (e.g. insurance)

Avoid the risk

If a bank decides to not offer ebanking.

This is a last resort as most of the time it can lead to lost of costumers.

Summary

1. Reduce the risk using control to a level acceptable by senior management

2. Transfer the risk to third party

3. Avoid the risk

Risk re-evaluation

When should we do it?

Time driven

Periodically, without any external factor trigger.

Event driven

When the environment change.

• Something changed within organisation or similar organisations

• Government regulation

• Natural disaster