Risk Management Basics - ISO 31000 Standard. Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company



Similar documents
Disclosure to Promote the Right To Information

When Recognition Matters WHITEPAPER ISO RISK MANAGEMENT PRINCIPLES AND GUIDELINES.

Risk, Risk Assessments and Risk Management. Christopher Bowler CPA, CISA August 10, 2015

ISO 31000: ISO/IEC & ISO Guide 73: New Standards for the Management of Risk

Avondale College Limited Enterprise Risk Management Framework

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

Enterprise Risk Management: Taking the First Steps

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator

Enterprise Risk Management Framework Strengthening our commitment to risk management

Risk Management Policy and Framework

Policy and Procedure Statement

POLICY. Number: Title: Enterprise Risk Management. Authorization

The Lowitja Institute Risk Management Plan

Analyzing Risks in Healthcare. February 12, 2014

Fraud Risk Management

Confident in our Future, Risk Management Policy Statement and Strategy

Xavier Catholic College Risk Management - Policy & Procedure

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Risk Management Statement, Strategy and Policy. Index. Risk Management Statement page 2. Risk Management Strategy page 2

Risk Management Primer

Guidance for Industry: Quality Risk Management

Virginia Commonwealth University School of Medicine Information Security Standard

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

Space project management

PROCEDURES RISK MANAGEMENT FRAMEWORK AND GUIDELINES PURPOSE INTRODUCTION. 1 What is Risk?

Risk Management Policy

Information technology Security techniques Information security management systems Overview and vocabulary

ERM Program. Enterprise Risk Management Guideline

Council Meeting Agenda 27/07/15

ISSN: (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies

1.20 Appendix A Generic Risk Management Process and Tasks

In accordance with risk management best practices, below describes the standard process for enterprise risk management (ERM), including:

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

ISO 9001: 2008 Boosting quality to differentiate yourself from the competition. xxxx November 2008

Periodic risk assessment by internal audit

QUALITY RISK MANAGEMENT (QRM): A REVIEW

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

WFP ENTERPRISE RISK MANAGEMENT POLICY

Victorian Government Risk Management Framework. March 2015

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014

Risk Management Policy Adopted by:

University of New England Compliance Management Framework and Procedures

The University of Adelaide RISK MANAGEMENT HANDBOOK

Core Fittings C-Core and CD-Core Fittings

Network Risk Assessment Guideline

Risk Management Framework

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

St Patrick s Catholic School

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Safety Regulation Group SAFETY MANAGEMENT SYSTEMS GUIDANCE TO ORGANISATIONS. April

Understanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher

Effectively Using CobiT in IT Service Management

Risk Management Procedure

East Carolina University Office of Internal Audit Risk Assessment Preliminary Work

1. What Is Risk? 3. Perspectives on Risk. Risk Management. 6. Characteristics of Risk Management 7. Advantages of Risk Management

Submission Competition Policy Review: Draft Report

Policy : Enterprise Risk Management Policy

Risk management systems of responsible entities

Integrated Risk Management:

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Commonwealth Risk Management Policy

SEPT EVIDENCE PRODUCT CHECKLIST For ISO Standard 9004:2009 Managing for the sustained success of an organization A quality management approach

ISO Registration Guidance Document

Risk Management Policy

RM Advancer. Liability Risk Management Award Winner Echo Entertainment Group Business overview

Project Risk Management

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

PRINCE2:2009 Glossary of Terms (English)

Core Infrastructure Risk Management Plan

Risk Management. Policy

Information Security: Business Assurance Guidelines

Implementing an Environmental Management System

RISK ASSESSMENT MODEL AND SUPPLY CHAIN RISK CATALOG

The Risk Management strategy sets out the framework that the Council has established.

Risk/Issue Management Plan

A Risk Management Standard

IIROC Priorities

RISK AND OPPORTUNITY MANAGEMENT STRATEGY

>

South Norfolk Council Business Continuity Policy

REPORT OF THE CONFERENCE OF THE PARTIES ON ITS SEVENTH SESSION, HELD AT MARRAKESH FROM 29 OCTOBER TO 10 NOVEMBER 2001 Addendum

ISO 9001:2015 Internal Audit Checklist

Risk assessment. made simple

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

Risk Mitigation Applied to Decision Making. Steve Wenke 2012 Northwest Hydro Operators Forum September 26,2012

Risk Profiling Toolkit DEVELOPING A CORPORATE RISK PROFILE FOR YOUR ORGANIZATION

Enterprise Risk Management in Colleges and Universities

Contractor Management Applying Safety Analytics and Insurance Benchmarking

Stewardship of Change in the Public Interest: Diagnosing Challenges and Managing Risk

Integrated Risk Management Policy

Integrating Human Rights Impact Assessments into Enterprise Risk Management Systems

ENTERPRISE RISK MANAGEMENT POLICY

Session 4. System Engineering Management. Session Speaker : Dr. Govind R. Kadambi. M S Ramaiah School of Advanced Studies 1

V1.0 - Eurojuris ISO 9001:2008 Certified

Transcription:

Risk Management Basics - ISO 31000 Standard Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company

Risk Management Basics - ISO 31000 Standard 1. Risk Management Basics 2. ISO 31000 Risk Management Principles and Guidelines

Risk Management Basics Organizational objectives are influenced by internal and external factors which create uncertainty in achieving those objectives. The effect of this uncertainty is risk to the organization s objectives. Unlike Risk Elimination (approach of military and law enforcement) which seeks to remove all risk; Risk Management is the coordinated activities to direct and control an organization with regard to risk. Risk Management allows for multiple risk responses dependent upon evaluation and analysis of risk. RISK = Negative IMPACT to objectives X LIKELIHOOD of occurrence.

Risk Management Basics Risk Responses: 1. MITIGATE - corrective action to eliminate or reduce IMPACT or LIKELIHOOD 2. AVOID - Cease activity to eliminate risk 3. TRANSFER - Shift IMPACT to another entity 4. ACCEPT - No corrective action. Document acceptance decision and monitor

ISO 31000: Risk management Principles and guidelines Published in 2009, to provide principles & generic guidelines on risk management can be applied to any type of risk, whatever its nature, whether having positive or negative consequences not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes,.. not intended for the purpose of certification

ISO 31000: Principles, Framework & Process PRINCIPLES a) Creates value b) Integral part of organizational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured & timely f) Based on the best available information g) Tailored h) Takes human & cultural factors into account i) Transparent & inclusive j) Dynamic, iterative and responsive to change k) Facilitates continuous improvement & enhancement of the organization FRAMEWORK Continual improvement of the framework Mandate & commitment Design of framework for managing risk Monitoring & review of the framework Implementing risk management

ISO 31000: Principles, Framework & Process PROCESS Establishing the context FRAMEWORK Implementing risk management Communication & consultation RISK ASSESSMENT Risk identification Risk analysis Risk evaluation Monitoring & review Risk treatment

Risk Management: Establish the context External context Legal, Regulatory, Financial International, national, regional or local Relationships with, perceptions and values of external stakeholders Internal context Organizational objectives Project, process, or activity objectives Policy, standards, guidelines and models adopted by the organization Contractual relationships Risk Management process context Objectives, scope, responsibilities, methods Defining risk criteria measures, tolerance levels, views of stakeholders

ISO 31000: Risk Identification Process of finding, recognizing and describing risks Comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. Identify the risks associated with not pursuing an opportunity A risk that is not identified at this stage will not be included in further analysis Identification should include risks whether or not their source is under the control of the organization

ISO 31000: Risk Analysis Process to comprehend the nature of risk and to determine the level of risk Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Provides the basis for risk evaluation and decisions about risk treatment Risk analysis includes risk estimation

Risk Analysis Risk Classifications: essential risks, risks to be monitored risks to be observed Impact scale: very low (< $1k) low (< $5k) medium (< $25k) high (< $100k) very high (> $100K) Likelihood scale: more than 10 years 5 to 10 years (> 0.1 ) 3 to 5 years (> 0.2 ) 2 to 3 years (> 0,33 ) less than 2 years (> 0.5 ) OWASP Risk Ranking Methodology

ISO 31000: Risk Evaluation The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk Decisions should be made in accordance with legal, regulatory and other requirements In some circumstances, the risk evaluation can lead to a decision to undertake further analysis The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls

ISO 31000: Risk Evaluation The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk Decisions should be made in accordance with legal, regulatory and other requirements In some circumstances, the risk evaluation can lead to a decision to undertake further analysis The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls

ISO 31000: Risk Treatment Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Risk treatment options are not necessarily mutually exclusive. The options can include the following: TRANSFER Sharing the risk with another party or parties (including contracts and risk financing) AVOID Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk Removing the risk source MITIGATE Changing the likelihood Changing the consequences (impact) ACCEPT Retaining the risk by informed decision Taking or increasing the risk in order to pursue an opportunity

ISO 31000: Risk Treatment Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. A number of treatment options can be considered and applied either individually or in combination. Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.

ISO 31000: Monitoring & Review An integral part of the risk management process involving regular checking or surveillance Ensure controls are effective & efficient Detect change in external or internal context Analysis, lessons learned, continuous improvement Identify emerging risks

Risk Management Basics - ISO 31000 Standard THANKS for attending! ENJOY the conference! Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information