Risk Management and Dependability Standards

Transcription

1 Risk Management and Dependability Standards Engineers Australia, Townsville, 21 July 2014 Dr Edward Lewis UNSW Canberra

2 Me PhD in Psychology Army UNSW Canberra since School of Engineering and IT 30+ consultancy projects in risk management, tender evaluation, strategic planning Deputy Chair Risk Engineering Society, ACT Now EA s rep on SA OB007 Risk management and IEC TC56 Dependability Whilst in Townsville would like to meet those interested in risk

3 You It would help if I knew I was singing to the choir Please indicate your interest in risk management Who can sing: AS ISO/IEC 31000? AS HB 436? AS HB 89: Risk assessment techniques? And the real test.. Who can hum IEC Project risk management?

4 Intent The story I want to tell today is all about the light on the hill provided by standards for risk management and dependability 1. Why we need standards in risk management 2. What standards should we follow 3. How can we make them better

5 Why do we need standards in Risk Management? Talking about standards can be as boring as bats stuff. Standards guide good practice They simplify designs ensure consistency or compatibility pass on lessons learnt but they can be out of date, lack requisite variety, and can conflict 5

6 Why do we need standards in Risk Management? There are four types of Risk Managers: The royal whipping boy project risk, strategic risk = shortfalls Prognosticator or reader of entrails financial risk, risk and insurance = value at risk Seller of Indulgences GRC, enterprise risk, ethics, regulatory compliance = obey Lord Protector safety, security = dependability Each school is the One True Way They do risk differently leading to diffuse theory and practice Standards can unite them

7 What are the Standards that we should follow? The good thing about standards.. There are so many to choose from 7

8 What Standards should we follow: so many There are 1369 products from SAI Global mentioning risk In particular, for us AS/NZS ISO (local adaptation of ISO 31000) AS/NZS 5050:2010 Business continuity managing disruptionrelated risk AS Climate change adaptation for settlements AS Corporate governance corporate social responsibility AS IEC Dependability management Dependability management systems AS IEC Analysis techniques for dependability Event tree analysis (and others about techniques: assurance cases, root cause analysis, systems dependability) AS IEC Guidance on human aspects of dependability and for weed control, medical devices, safety of machinery, legionnaire disease, concrete structures, information security, animal tissue, explosive atmospheres. So showing that Risk is everyone s business Supplemented by Handbooks expanding (or explaining) the Standards HB Risk management Guidance on risk assessment techniques (sort of AU adoption of ISO31010) HB 141: 2011 Risk financing guidelines HB Delivering assurance based on ISO31000 Risk management Principles and guidance HB 167: 2006 Security risk management HB 205: 2004 OHS Risk management Handbook (under revision) HB 246: 2010 Guidelines for managing risk in sport and recreation organizations HB Governance, risk management and control assurance (under revision) HB 266: 2010 Guide for managing risk in notfor-profit organizations HB 327: 2010 Communicating and consulting about risk (companion to ISO31000) HB 203: 2012 Managing environment-related risk HB436 Companion to ISO

9 What Standards should we follow: what is the meaning of it all There are over 50 definitions of risk in over 170 standards just from ISO There are more than 30 techniques listed in just for risk assessment - with considerable debate about:. what should be added. what should be dropped. what should be combined 1. value of what can be lost if infringement occurs 2. undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project 3. the potential for realisation of an unwanted event, which is a function of the hazard, its probability and its consequences 4. The possibility that a particular threat will exploit a particular vulnerability of a data processing system. 5. The combination of the probability of an event and its consequence. 6. term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences) 7. quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage 8. qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event 9. product of probability and consequences for an undesired event or action 10. probability of loss or injury from a hazard 11. effect of uncertainty 12.effect of uncertainty on objectives 13. exposure to the chance of injury or loss as applies to safety 14. likelihood of a security threat materializing and the consequences 15. potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization 16.probability of a specific undesired event occurring so that a hazard is realized 17. qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event 18. quantitative or qualitative measure of the severity of a potential damage and the probability of incurring that damage 19.term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences) 20.undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project

10 What Standards should we follow: tracking the traces ISO/IEC 31000: Risk management principles HB 254: Governance, risk, and compliance IEC/ISO: Risk assessment techniques HB Making Decisions with Risk AS 5050: Business continuity management ISO/IEC Corporate governance of IT ISO/IEC 27014: IT security governance Risk Engineering BOK COBIT 5 COBIT 5 and Risk ITIL v3 Cyberresilience (ITIL) ISO/IEC : IT Security ISO/IEC 27005: IT Security risk management ISO/IEC Cybersecurity ISO/IEC DIS Governance Digital Forensics Risk COBIT 5 and IT Security Security RM Body of Knowledge HB 167: Security risk management IEC/ISO Systems Lifecycle -Risk IEC/ISO Assurance Cases Protective Security Policy Framework NIST IT Risk Management, security lifecycle IEC Open Systems Dependability

11 What Standards should we follow: Amplifying with HB436 Tidy up wording about: Event, cause, source Risk policies (which I like to see but they are still rare; proper ones even rarer) Governance and risk management Use of qualitative and quantitative techniques 11

12 What Standards should we follow: Project Risk Have IEC 62198: 2013 Project risk management application guidelines Aligned with ISO Framework Process Annexes: Stakeholder analysis External and internal context Risk criteria Key elements (WBS, phases, contracts, structure) Risk analysis (with risk matrix ugh) Risk evaluation Risk treatment Risk register (another ugh) 12

13 How can we make them better Preparing Making Decisions with Risk Revising IEC/ ISO Risk assessment techniques Preparing IEC (Open) Systems Dependability W =.63p (p.05 + p.95) Injury (Hospital days) WTP (000,000) Act now Watch

14 and now let s sing together