Introduction to Risk Management
26 September 2014
Peter Fowler CPPD

“There are “known knowns”. [These are things we know that we know.] There are “known unknowns”. [That is to say, there are things that we know we don't know.] But there are also “unknown unknowns”. [There are things we don't know we don't know.]”
Donald Rumsfeld (Feb 12, 2002)

“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.”
Douglas Adams in Mostly Harmless (the fifth book in the Hitchhiker's Guide to the Galaxy trilogy)

Risk Management Definitions
• Uncertainty - changing circumstances or situation
• Risk - effect of uncertainty on objectives
• Opportunity - the positive impact on objectives
• Issue - an event that has happened or will happen

Types of Risk Management
• Safety risk management
• Insurance risk management
• Financial (investment) risk management
• Project risk management
• Business risk management
• Information risk management

Tasmanian Government Information Security Policy
1. Purpose
The purpose of the Policy is to provide a consistent approach to managing information security risks across Government.
2. Scope
This Policy applies to Tasmanian Government agencies as custodians of information on behalf of the Crown.
3. Policy Principles
This Policy is based upon the following information security policy principles:
• Availability: information is accessible and usable to authorised entities.
• Integrity: the accuracy and completeness of information is protected.
• Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes.
• Proportionality: measures to protect information are relative to the risk of loss or failure of availability, integrity and confidentiality.
Tasmanian Government Information Security Policy Manual
• Information security risks are threats or vulnerabilities that introduce uncertainty regarding the availability, confidentiality or integrity of information.
• Structured risk assessments help to prioritise risks and implement appropriate risk management procedures.
• Information security risk management can be undertaken as part of a broader agency risk management approach.
• Each agency MUST identify, quantify and prioritise risks against risk acceptance criteria and determine appropriate controls to protect against risks.
After completing a risk assessment there may be residual information security risks where the agency has:
• elected to accept a risk by doing nothing, or
• adopted a mitigation strategy that does not completely eliminate a risk.

Process from AS/NZS ISO 31000: 2009

Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
    Risk attitude: an organisation's approach to assess and eventually pursue, retain, take or turn away from risk.
    Risk appetite: the amount and type of risk that an organisation is willing to pursue or retain.
    Source: ISO GUIDE 73: 2009 Risk management — Vocabulary
  • Not focussing on the appropriate risks (business efficiency vs information security)
    Business efficiency risk: information cannot be located quickly as a result of poor categorisation, resulting in more time/resources required to find records.
    Information security risk: information cannot be located as a result of poor file categorisation, resulting in important records not being found.
Common failures when managing risks
• Not establishing the context:
  • Misunderstand organisational attitudes and risk appetite
  • Not focussing on the appropriate risks (business efficiency vs information security)
• Inappropriate measures used for the analysis
  Consequence – if the event occurs, what will the consequence be:
  • Critical
  • High
  • Medium
  • Low
  • Very low
  But what do these terms mean?
  Likelihood – what is the likelihood that the event will occur and result in the consequence indicated:
  • Almost certain
  • Likely
  • As likely as not
  • Possible
  • Unlikely
  But what do these terms mean?
• Generalisation of risk statements (leads to misunderstanding)
  1. Inappropriate file categorisation
  2. Cannot find board meeting minutes
  State the full story: what could happen, why could it happen (cause) and what would the result be:
  “Board meeting minutes cannot be located as a result of poor file categorisation resulting in disputed decisions having to be reversed”
• Fake treatment (either won't mean anything or not followed through)
  1. Ensure board meeting minutes are categorised appropriately
     Would that stop people categorising incorrectly?
  2. Provide training for staff on board meeting minute categorisation
     Only appropriate if not already being done!

Questions?