Risk Management Process
Risk Assessment
Identify area of having higher risk.
Step 1 - Define the impact
In this example, the threat will be an earthquake.
Step 2 - Define the probability of having risk
| Probability | Definition |
|---|---|
| The event is expected to occur |
| The evemt will probably occur |
| The event might occur at some time |
| The event could occur at some time but is improbable |
| The event could have little or no chance of occurrence |
Step 3 - Identify the risk for different threats and create a risk matrix
Step 4 - Rate the risk
1-6: Low | Minor issue of little concern with some small disruptions |
7-14: Medium | Requires attention, inconvenience and risk occur |
15-25: High | Requires urgent attention, introduce control to reduce risk |
Risk Mitigation
Reduce risk using control.
| Risk | Control |
|---|---|
0% | Eliminate riks -> impossible!! |
40% | Username + password + firewall + encryption + biometrics |
50% | Username + password + firewall + encryption |
60% | Username + password + firewall |
80% | Username + password |
100% | No control |
At which level are we going to stop trying to reduce risk? And who should make that decision? The senior management should!
More control means higher cost.
What are the options if senior management still not happu with the existing risk?
Transfer the remaining risk to 3rd party (e.g. insurance)
Avoid the risk
If a bank decides to not offer ebanking.
This is a last resort as most of the time it can lead to lost of costumers.
Summary
Reduce the risk using control to a level acceptable by senior management
Transfer the risk to third party
Avoid the risk
Risk re-evaluation
When should we do it?
Time driven
Periodically, without any external factor trigger.
Event driven
When the environment change.
Something changed within organisation or similar organisations
Government regulation
Natural disaster
Last updated
