Risk Management and Dependability Standards


Risk Management and Dependability Standards Engineers Australia, Townsville, 21 July 2014 Dr Edward Lewis UNSW Canberra

Me
- PhD in Psychology
- Army
- UNSW Canberra since 1986, School of Engineering and IT
- 30+ consultancy projects in risk management, tender evaluation, strategic planning
- Deputy Chair, Risk Engineering Society, ACT
- Now EA's rep on SA OB-007 Risk management and IEC TC56 Dependability
- Whilst in Townsville, would like to meet those interested in risk

You
It would help if I knew I was singing to the choir. Please indicate your interest in risk management. Who can sing:
- AS/NZS ISO 31000?
- AS HB 436?
- AS HB 89: Risk assessment techniques?
And the real test: who can hum IEC 62198 Project risk management?

Intent
The story I want to tell today is all about the light on the hill provided by standards for risk management and dependability:
1. Why we need standards in risk management
2. What standards we should follow
3. How we can make them better

Why do we need standards in Risk Management?
Talking about standards can be as boring as bats stuff. Standards guide good practice: they
- simplify designs
- ensure consistency or compatibility
- pass on lessons learnt
but they can be out of date, lack requisite variety, and can conflict.

Why do we need standards in Risk Management?
There are four types of Risk Managers:
- The royal whipping boy: project risk, strategic risk = shortfalls
- Prognosticator or reader of entrails: financial risk, risk and insurance = value at risk
- Seller of Indulgences: GRC, enterprise risk, ethics, regulatory compliance = obey
- Lord Protector: safety, security = dependability
Each school is the One True Way. They do risk differently, leading to diffuse theory and practice. Standards can unite them.

What are the Standards that we should follow?
The good thing about standards: there are so many to choose from.

What Standards should we follow: so many
There are 1369 products from SAI Global mentioning risk. In particular, for us:
- AS/NZS ISO 31000 (local adaptation of ISO 31000)
- AS/NZS 5050:2010 Business continuity – Managing disruption-related risk
- AS 5334-2013 Climate change adaptation for settlements
- AS 8003-2003 Corporate governance – Corporate social responsibility
- AS IEC 60300.1-2004 Dependability management – Dependability management systems
- AS IEC 62502-2011 Analysis techniques for dependability – Event tree analysis (and others about techniques: assurance cases, root cause analysis, systems dependability)
- AS IEC 62508-2011 Guidance on human aspects of dependability
- and standards for weed control, medical devices, safety of machinery, Legionnaires' disease, concrete structures, information security, animal tissue, explosive atmospheres: showing that risk is everyone's business.

Supplemented by Handbooks expanding (or explaining) the Standards:
- HB 89-2012 Risk management – Guidance on risk assessment techniques (sort of AU adoption of IEC/ISO 31010)
- HB 141:2011 Risk financing guidelines
- HB 156-2010 Delivering assurance based on ISO 31000 Risk management – Principles and guidance
- HB 167:2006 Security risk management
- HB 205:2004 OHS risk management handbook (under revision)
- HB 246:2010 Guidelines for managing risk in sport and recreation organisations
- HB 254-2005 Governance, risk management and control assurance (under revision)
- HB 266:2010 Guide for managing risk in not-for-profit organisations
- HB 327:2010 Communicating and consulting about risk (companion to ISO 31000)
- HB 203:2012 Managing environment-related risk
- HB 436 Companion to ISO 31000

What Standards should we follow: what is the meaning of it all
- There are over 50 definitions of risk in over 170 standards just from ISO.
- There are more than 30 techniques listed in IEC/ISO 31010 just for risk assessment, with considerable debate about what should be added, what should be dropped, and what should be combined.

A sample of those definitions of risk:
1. value of what can be lost if infringement occurs
2. undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project
3. the potential for realisation of an unwanted event, which is a function of the hazard, its probability and its consequences
4. the possibility that a particular threat will exploit a particular vulnerability of a data processing system
5. the combination of the probability of an event and its consequence
6. term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences)
7. quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage
8. qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event
9. product of probability and consequences for an undesired event or action
10. probability of loss or injury from a hazard
11. effect of uncertainty
12. effect of uncertainty on objectives
13. exposure to the chance of injury or loss as applies to safety
14. likelihood of a security threat materialising and the consequences
15. potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation
16. probability of a specific undesired event occurring so that a hazard is realised
17. qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event
18. quantitative or qualitative measure of the severity of a potential damage and the probability of incurring that damage
19. term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences)
20. undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project

What Standards should we follow: tracking the traces
A map of the related standards, frameworks and bodies of knowledge:
- ISO 31000 Risk management – Principles and guidelines
- IEC/ISO 31010 Risk assessment techniques
- HB 254 Governance, risk and compliance
- HB Making Decisions with Risk
- AS 5050 Business continuity management
- ISO/IEC 38500 Corporate governance of IT
- ISO/IEC 27014 IT security governance
- Risk Engineering Body of Knowledge
- COBIT 5, COBIT 5 for Risk, COBIT 5 for Information Security
- ITIL v3 and Cyber resilience (ITIL)
- ISO/IEC 27000 series: IT security
- ISO/IEC 27005 IT security risk management
- ISO/IEC 27032 Cybersecurity
- ISO/IEC DIS 30121 Governance of digital forensic risk
- Security Risk Management Body of Knowledge
- HB 167 Security risk management
- ISO/IEC 16085 Systems life cycle – Risk management
- ISO/IEC 15026 Assurance cases
- Protective Security Policy Framework
- NIST SP 800-37 IT risk management, security life cycle
- IEC Open Systems Dependability

What Standards should we follow: Amplifying with HB 436
Tidy up wording about:
- Event, cause, source
- Risk policies (which I like to see, but they are still rare; proper ones even rarer)
- Governance and risk management
- Use of qualitative and quantitative techniques

What Standards should we follow: Project Risk
Have IEC 62198:2013 Project risk management – Application guidelines. Aligned with ISO 31000: Framework, Process, Annexes:
- Stakeholder analysis
- External and internal context
- Risk criteria
- Key elements (WBS, phases, contracts, structure)
- Risk analysis (with risk matrix, ugh)
- Risk evaluation
- Risk treatment
- Risk register (another ugh)

How can we make them better?
- Preparing HB Making Decisions with Risk
- Revising IEC/ISO 31010 Risk assessment techniques
- Preparing IEC 62853 (Open) Systems Dependability

$W = 0.63\,p_{0.50} + 0.185\,(p_{0.05} + p_{0.95})$

[Figure: plot of Injury (hospital days), 1 to 10, against WTP (000,000), 1 to 4; regions labelled "Act now" and "Watch"]
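The W formula on that slide uses the Pearson-Tukey weights (0.185, 0.63, 0.185), which estimate a distribution's mean from three elicited percentiles. The Python below is an added example, not from the slides or the speaker, showing how a risk analyst would use it to turn expert percentile estimates into an expected loss instead of a risk-matrix cell, and checking the approximation against a right-skewed sample. The register figures (50k/200k/1.5M, 0.4 events a year), the lognormal sample and all function names are constructed for this illustration.

```python
"""Three-point (Pearson-Tukey) estimate of expected loss from elicited percentiles.

Added example, not from the slides. The weights 0.185 / 0.63 / 0.185 are the
ones on the slide; the loss figures and the sample below are constructed.
"""
import random
import statistics


def three_point_mean(p05: float, p50: float, p95: float) -> float:
    """Approximate a distribution's mean from its 5th, 50th and 95th
    percentiles (the slide's W = .63 p.50 + .185 (p.05 + p.95)).
    The weights sum to 1, so a symmetric triple returns its median."""
    if not (p05 <= p50 <= p95):
        raise ValueError("percentiles must satisfy p05 <= p50 <= p95")
    return 0.63 * p50 + 0.185 * (p05 + p95)


def expected_annual_loss(events_per_year: float, p05: float,
                         p50: float, p95: float) -> float:
    """Expected annual loss = event frequency x expected loss per event,
    with the per-event mean taken from the three elicited percentiles."""
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    return events_per_year * three_point_mean(p05, p50, p95)


def nearest_rank_percentile(sorted_values, q: float) -> float:
    """Percentile q (0..1) of an ascending list, by nearest rank."""
    return sorted_values[round(q * (len(sorted_values) - 1))]


def check_against_sample(n: int = 20000, seed: int = 1) -> dict:
    """Constructed check: draw a right-skewed (lognormal) loss sample, take
    its 5th/50th/95th percentiles, and compare the three-point estimate with
    the sample mean. Skewed loss data is exactly where using the median alone
    as 'typical loss' goes wrong; the tails pull the mean up."""
    rng = random.Random(seed)
    losses = sorted(rng.lognormvariate(0.0, 1.0) for _ in range(n))
    p05, p50, p95 = (nearest_rank_percentile(losses, q)
                     for q in (0.05, 0.50, 0.95))
    estimate = three_point_mean(p05, p50, p95)
    sample_mean = statistics.fmean(losses)
    return {
        "p05": p05, "p50": p50, "p95": p95,
        "estimate": estimate,
        "sample_mean": sample_mean,
        "relative_error": (estimate - sample_mean) / sample_mean,
    }


if __name__ == "__main__":
    # Hypothetical register entry (constructed figures): breach clean-up cost
    # elicited as 5th/50th/95th percentiles, at 0.4 incidents a year.
    ale = expected_annual_loss(0.4, 50_000, 200_000, 1_500_000)
    print(f"expected annual loss: ${ale:,.0f}")  # $165,100
    r = check_against_sample()
    print(f"three-point {r['estimate']:.3f} vs sample mean "
          f"{r['sample_mean']:.3f} (relative error {r['relative_error']:+.1%})")
```

For the constructed register entry the per-event mean comes out at 412,750, well above the median of 200,000, because the 95th-percentile tail carries weight; a likelihood/consequence matrix keyed on the "typical" loss would rank the same risk lower. The sample check shows the three-point estimate landing within a few percent of the true mean for a lognormal with unit log-standard-deviation; for heavier tails the three percentiles should be supplemented with a 99th-percentile or a fitted distribution rather than trusted blindly.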

And now let's sing together.