Introduction to Risk Management

26 September 2014
Peter Fowler CPPD
“There are ‘known knowns’. [These are things we know that we know.] There are ‘known unknowns’. [That is to say, there are things that we know we don't know.] But there are also ‘unknown unknowns’. [There are things we don't know we don't know.]”
Donald Rumsfeld (Feb 12, 2002)
“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.”
Douglas Adams in Mostly Harmless (the fifth book in the Hitchhiker's Guide to the Galaxy trilogy)
Risk Management Definitions
• Uncertainty – changing circumstances or situation
• Risk – effect of uncertainty on objectives
• Opportunity – the positive impact on objectives
• Issue – an event that has happened or will happen
Types of Risk Management
• Safety risk management
• Insurance risk management
• Financial (Investment) risk management
• Project risk management
• Business risk management
• Information risk management
Tasmanian Government Information Security Policy
1. Purpose
The purpose of the Policy is to provide a consistent approach to managing
information security risks across Government.
2. Scope
This Policy applies to Tasmanian Government agencies as custodians of
information on behalf of the Crown.
3. Policy Principles
This Policy is based upon the following information security policy principles:
• Availability: information is accessible and usable to authorised entities.
• Integrity: the accuracy and completeness of information is protected.
• Confidentiality: information is not made available or disclosed to unauthorised individuals,
entities or processes.
• Proportionality: measures to protect information are relative to the risk of loss or failure of
availability, integrity and confidentiality.
Tasmanian Government Information Security Policy Manual
• Information security risks are threats or vulnerabilities that introduce
uncertainty regarding the availability, confidentiality or integrity of
information.
• Structured risk assessments help to prioritise risks and implement
appropriate risk management procedures.
• Information security risk management can be undertaken as part of a
broader agency risk management approach.
• Each agency MUST identify, quantify and prioritise risks against risk
acceptance criteria and determine appropriate controls to protect
against risks.
After completing a risk assessment there may be residual information security risks where the agency has:
• elected to accept a risk by doing nothing, or
• adopted a mitigation strategy that does not completely eliminate a risk.
Process from AS/NZS ISO 31000: 2009
Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
    • Risk attitude: an organisation's approach to assess and eventually pursue, retain, take or turn away from risk
    • Risk appetite: the amount and type of risk that an organisation is willing to pursue or retain
Source: ISO GUIDE 73: 2009 Risk management — Vocabulary
Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
• Not focussing on the appropriate risks (business efficiency vs information security):
  • Business efficiency risk – information cannot be located quickly as a result of poor categorisation, resulting in more time/resources required to find records.
  • Information security risk – information cannot be located as a result of poor file categorisation, resulting in important records not being found.
Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
• Not focussing on the appropriate risks (business efficiency vs information security)
• Inappropriate measures used for the analysis
Consequence – if the event occurs, what will the consequence be?
• Critical
• High
• Medium
• Low
• Very low
But what do these terms mean?
Likelihood – what is the likelihood that the event will occur and result in the consequence indicated?
• Almost certain
• Likely
• As likely as not
• Possible
• Unlikely
But what do these terms mean?
Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
• Not focussing on the appropriate risks (business efficiency vs information security)
• Inappropriate measures used for the analysis
• Generalisation of risk statements (leads to misunderstanding)
1. Inappropriate file categorisation
2. Cannot find board meeting minutes
State the full story: what could happen, why could it happen (cause) and what would the result be:
“Board meeting minutes cannot be located as a result of poor file categorisation, resulting in disputed decisions having to be reversed”
Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
• Not focussing on the appropriate risks (business efficiency vs information security)
• Inappropriate measures used for the analysis
• Generalisation of risk statements (leads to misunderstanding)
• Fake treatment (either won’t mean anything or not followed through)
1. Ensure board meeting minutes are categorised appropriately
   Would that stop people categorising incorrectly?
2. Provide training for staff on board meeting minute categorisation
   Only appropriate if not already being done!
Questions?