Key Components of a Successful Risk Assessment
ASIS International Seminar and Exhibition, Tuesday, September 30, 2014
Carol Fox, RIMS Director, Strategic & Enterprise Risk Practice
Marc Siegel, ASIS International Commissioner, Global Standards
Risk Assessment Standard Under Development
Development of the Risk Assessment (RA) ANSI American National Standard is a joint initiative of ASIS International and RIMS. Both are ANSI-accredited standards development organizations (SDOs).
About ASIS International
Largest professional society for security management practitioners
Founded in 1955
More than 38,000 members in 133 countries
218 chapters in 60 countries
31 councils, ranging from disaster management, financial services, physical security, IT security, supply chain security and utilities to hotels, hospitality and retail
Recognized as an international body by ISO (liaison status); Chair and Secretariat of ISO/PC 284 Security Operations
Recognized as a European body by CEN (liaison status)
Accredited by ANSI as an American SDO, open to members globally
Standards development and training
Credentialing and certification of security professionals
About RIMS
Global not-for-profit organization focused on advancing risk management for organizational success
Founded in 1950
More than 11,000 members located in more than 60 countries
More than 80 chapters
More than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world
Accredited by ANSI as an American SDO, open to members globally
Member of the US-TAG to ISO/TC 262 Risk Management
Learning: risk management development offerings and designations
Networking: conferences, meetings, Standards and Practices Committee
Resources: publications, research, surveys, articles, tools
ANSI/ASIS/RIMS Standard Builds on the Foundation of ISO 31000: Risk Management
ISO 31000:2009, Risk management – Principles and guidelines
ISO Guide 73:2009, Risk management – Vocabulary
ISO/IEC 31010:2009, Risk management – Risk assessment techniques
Bottom Line: Risk Managers are Business Managers
Old View: event-focused
New View: objectives-focused
Evolving Views of Risk Management
Risk management is a price of doing business; spend as little as possible.
Risk management has some strategic value, but there is a need to rationalize the cost of risk profile improvement.
Risk management creates business opportunities and helps realize positive returns on risk management investments.
Risk Management is Tailored to the Business, Not Vice-Versa
A risk manager who recognizes that it is about value creation, products, and services
versus
A risk manager who thinks it is about tailoring the business to managing risk
ISO 31000 Changes the Perspective on Risk Management
Expanding organizational risk management competencies
Old View: reactive mode; event-focused; post-action response; afterthought; transactional; protecting value
New View: proactive mode; objectives-focused; predictive indicators; foresight; strategic; creating and capturing value
ISO 31000 defines risk as the effect of uncertainty on objectives.
Using ISO 31000:2009 as a Base
ISO 31000:2009 Risk Management
Risk Assessment Expressed Another Way
Risk identification: Who / What / When / Where / How?
Risk analysis: Why / How often / How much / How critical / Level of risk?
Risk evaluation: Based on what criteria? What is acceptable or unacceptable? Solution options and priorities.
Reproduced from ISO/IEC 31010, www.iso.org. Copyright remains with ISO/IEC.
Creating AND Protecting Value
Value creation and value preservation
ISO/IEC 31010
ISO/IEC 31010:2009, Risk management – Risk assessment techniques, provides guidance on the selection and application of systematic techniques for risk assessment. A range of techniques is presented, with specific references to other international standards where the concept and application of the techniques are described in greater detail.
Selection of risk assessment techniques
Comparison of risk assessment techniques
Description of risk assessment techniques
Proposing an American National Risk Assessment Standard: A Collaborative Approach
Risk Assessment Standard: Defining the Process
Reliable risk assessments require that they be conducted using a systematic approach:
Organized and well-documented
Clearly defined objectives and criteria
Clearly identified stakeholders
Biases understood
Documented assumptions
Defined sampling techniques
The standard will discuss managing a risk assessment program as well as conducting individual risk assessments.
American National Risk Assessment Standard: Intent
Provides guidance for establishing a risk assessment program and conducting individual risk assessments consistent with ISO 31000:2009, Risk management – Principles and guidelines, and the COSO Enterprise Risk Management (ERM) framework
Provides guidance on conducting risk assessments for risk- and resilience-based management system standards, including principles of risk assessment, managing the risk assessment program, and conducting risk assessments, as well as evaluation of the competence of persons involved in the risk assessment process
Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act model
Provides the informational basis necessary for decision makers to make informed decisions about managing risks in the organization and its supply chain
Formalized Risk Assessment Provides a Critical Decision-Making Tool
Whether an activity should be undertaken
How to maximize opportunities
Whether risks need to be treated
Choosing between options with different risks
Prioritizing risk treatment options
The most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level and make the reward outcomes of risk-taking more certain
Importance of Risk Assessment
Risk assessments provide the foundation on which the organization's security operations management and risk management plans and programs are based. Strategies will be formulated and plans will be developed to meet the needs identified in them. Therefore, risk assessments should be repeated on a regular basis and/or in response to significant changes to the organization's operating environment.
Risk Assessment Principles
Impartiality
Independence and objectivity
Trust, competence, and due professional care
Honest and fair representation
Responsibility and authority
Consultative approach
Fact-based approach
Confidentiality
Change management
Continual improvement
PDCA for a Risk Assessment Program
Managing the Risk Assessment Program
Understand the organization and its objectives
Establish the framework
Establish the program
Implement the risk assessment program
Monitor the risk assessment program
Review and improve
Establishing a Risk Assessment Program
Define the objectives for the risk assessment program
Identify the scope of the risk assessments: extent, number, types, duration, locations and schedule
Establish risk assessment procedures: criteria, influences, methods
Identify stakeholders
Select risk assessment teams
Identify information sources
Determine the resources necessary
Verify processes for handling confidentiality
Monitor and measure to ensure that objectives are achieved
Establish how information will be recorded and communicated
Review in order to identify possible improvements
Don't Forget
Management commitment: setting risk criteria, support of the risk assessment program
Who will lead and participate in the process?
Documentation: assumptions, types and methods, people involved, data and information sources, risk descriptions, error analysis, sensitivity analysis, document control
Communicate and Consult
Should take place during all stages of the risk management process.
A two-way dialogue between stakeholders.
Develop the communication strategy at the context stage.
Ensure stakeholders' perceptions of risk are addressed.
Seeks to improve performance based on informed, mutual decisions.
Understanding Biases Social and cultural biases Familiarity and confirmation bias Perception, observational selection, and memory biases Belief and behavioral biases Relational, group-think, and tribal biases Confirmation and post rationalization biases Information availability bias Decision making biases Illusion of control biases
Performing Individual Risk Assessments
Commencing the risk assessment
Planning risk assessment activities
Conducting risk assessment activities
Post-risk-assessment activities
Formal vs. Informal Risk Assessments
Using Multiple Techniques
Identify the Risks
Why could something happen? A cause or factor creating risk; effectiveness of controls
Who could be involved? Individuals or groups associated with the threat, in control of the risk, and/or impacted by the risk
How could it happen? A source of risk
What could happen? A potential event; potential consequences
When could something happen?
Where could it happen?
Risk Identification
Asset and service identification, valuation and characterization
Threat and opportunity analysis
Vulnerability and capability analysis
Criticality and impact analysis
The Risk Arena
Internal circle: internal risks
External circle: external risks
These risks do not exist in isolation and can have overlapping and multiple effects.
Threat Assessment
Identification Output = Analysis Input
Risk Analysis
Purpose:
Separate minor risks from major ones.
Provide data to assist in evaluation.
Determine the adequacy and appropriateness of existing controls to manage identified priority risks.
Prioritize risks for subsequent evaluation of tolerance or of the need for further treatment.
Provide a better understanding of the risk treatments necessary to protect the value of critical assets against identified risks.
Identify opportunities and means to achieve objectives.
Types of Risk Analysis
Quantitative analysis relies on probabilities and statistics, using mathematical formulas and calculations to interpret numbers, data, and estimates.
Qualitative analysis relies on subjective judgment based on the intuitive assessment of team members, using terms, words, and images as descriptors of risk.
Combined approaches are used when numerical values alone would be inadequate to properly describe all the risks being assessed (and their likelihoods and consequences).
Risk Evaluation
Determining which risks are tolerable and which risks require control and treatment
Criteria for risk evaluation should have been identified in the scope and policy of the management system, in consultation with top management
Not all risk can be eliminated: what is the cost-effective, As Low As Reasonably Practicable (ALARP) level of risk?
Are Existing Controls Effective?
Risk Assessment: The Funnel Analogy
A box is filled with all identified risks and tipped into a funnel. Depending on the organization's tolerance for risk, the funnel's filters allow different-sized risks to fall through the gaps or remain at the top. The way risks are prioritized depends on where they sit in the funnel: the higher they sit, the greater the priority they represent. Some risks are so small that they fall through the bottom of the funnel and are accepted. Levels of risk tolerance may differ between assessments, or across organizations, because of the context.
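The slides on types of risk analysis, risk evaluation and the funnel analogy describe a procedure without showing it worked through. The following is an added illustration, not code from the draft ANSI/ASIS/RIMS standard, ISO/IEC 31010 or the presenters: a small risk register is scored with a combined approach (qualitative descriptors on an assumed 5x5 likelihood-by-consequence matrix, plus an expected-annual-loss figure where quantitative data exists), adjusted for the effectiveness of existing controls, evaluated against documented tolerance criteria that act as the funnel's filters (accept / ALARP / treat), prioritized, and then checked with the sensitivity analysis the "Don't Forget" slide calls for. The scale, the thresholds in CRITERIA, every risk in sample_register() and all control-effectiveness figures are constructed assumptions; an organization sets its own in consultation with top management.

```python
"""Worked risk analysis and evaluation example (added illustration; all scales,
criteria and register entries are constructed, not taken from any standard)."""
import math
from dataclasses import dataclass, replace
from typing import List, Optional

# Assumed 1-5 ordinal scales behind the qualitative descriptors. ISO/IEC 31010
# leaves the choice of scale to the organization; this one is illustrative.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed tolerance criteria (the funnel's filters): level below 5 falls through
# and is accepted; 5-12 is the ALARP region; 13 and above must be treated.
CRITERIA = {"accept_below": 5, "alarp_below": 13}


@dataclass
class Risk:
    name: str
    likelihood: str                        # qualitative descriptor from LIKELIHOOD
    consequence: str                       # qualitative descriptor from CONSEQUENCE
    annual_probability: Optional[float] = None  # quantitative input, if data exists
    loss_if_occurs: Optional[float] = None      # quantitative input, if data exists
    control_effectiveness: float = 0.0     # assumed 0..1 reduction from existing controls


def risk_level(r: Risk) -> int:
    """Ordinal level = likelihood x consequence, reduced by existing controls.
    Rounded up so that control credit never understates the residual risk."""
    raw = LIKELIHOOD[r.likelihood] * CONSEQUENCE[r.consequence]
    return math.ceil(round(raw * (1.0 - r.control_effectiveness), 6))


def expected_annual_loss(r: Risk) -> Optional[float]:
    """Quantitative figure where probability and loss data exist; None when the
    risk can only be described qualitatively (the combined-approach case)."""
    if r.annual_probability is None or r.loss_if_occurs is None:
        return None
    return r.annual_probability * r.loss_if_occurs * (1.0 - r.control_effectiveness)


def evaluate(r: Risk) -> str:
    """Risk evaluation against the documented criteria: accept / ALARP / treat."""
    level = risk_level(r)
    if level < CRITERIA["accept_below"]:
        return "accept"
    if level < CRITERIA["alarp_below"]:
        return "ALARP"
    return "treat"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order as in the funnel: 'treat' at the top, then ALARP, then accepted;
    within a band by level, then by expected annual loss where one is known."""
    band = {"treat": 0, "ALARP": 1, "accept": 2}
    return sorted(register, key=lambda r: (band[evaluate(r)], -risk_level(r),
                                           -(expected_annual_loss(r) or 0.0)))


def sensitivity(r: Risk) -> bool:
    """Sensitivity analysis: does a one-step change in the likelihood estimate
    move the risk across a tolerance boundary? If so, the evaluation rests on
    the estimate's precision and the assumption should be documented and
    better data sought before a decision relies on it."""
    by_score = {v: k for k, v in LIKELIHOOD.items()}
    base = LIKELIHOOD[r.likelihood]
    for step in (-1, 1):
        if base + step in by_score:
            alternative = replace(r, likelihood=by_score[base + step])
            if evaluate(alternative) != evaluate(r):
                return True
    return False


def sample_register() -> List[Risk]:
    """Constructed register for illustration only."""
    return [
        Risk("Ransomware on file servers", "likely", "major",
             annual_probability=0.3, loss_if_occurs=2_000_000, control_effectiveness=0.1),
        Risk("Loss of sole-source supplier", "possible", "major"),
        Risk("Minor data-entry errors", "almost certain", "negligible", control_effectiveness=0.5),
        Risk("Workplace theft", "possible", "minor",
             annual_probability=0.5, loss_if_occurs=8_000),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_register()):
        eal = expected_annual_loss(r)
        print(f"{r.name:30} level={risk_level(r):2} {evaluate(r):6} "
              f"EAL={'n/a' if eal is None else f'{eal:,.0f}'} "
              f"sensitive={'yes' if sensitivity(r) else 'no'}")
```

With the constructed register the ransomware risk sits at the top of the funnel (level 15, treat, expected annual loss 540,000), the supplier and theft risks land in the ALARP band, and the data-entry errors fall through and are accepted. The sensitivity check flags the supplier risk: one step up in likelihood would move it into "treat", so its qualitative estimate deserves a documented assumption and a better information source before the treatment decision is made.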
Risk Assessment Drives Decision Making
The risk management process needs a clear governance structure
Risk management is based on specific business objectives and is objectives-focused
Risk assessment is defined in terms of organizational objectives
Key performance indicators are linked to business objectives
Risk management supports decision making and is therefore proactive
Risk management protects and creates value
Risk Assessment Standard: Defining the Process
Managing a risk assessment program and conducting individual risk assessments:
Scope: project objectives; project scope and boundaries; definition of variables; statement of work
Planning: gap analysis; legal and other requirements; objectives, targets and strategies; data gathering and sampling
Implementation: asset identification and valuation; threat analysis; criticality and impact analysis; vulnerability analysis; cost-benefit analysis; risk control and treatments; roles, resources and responsibilities; skills and competencies; documents, records, and document control
Checking and evaluation
Review and improvement
Thank You. Questions?
Marc Siegel, ASIS International Commissioner, Global Standards, (858) 484-9855, siegel@msiegel.net
Carol Fox, RIMS Director, Strategic and Enterprise Risk Practice, (212) 655-6004, cfox@rims.org
www.asisonline.org
www.rims.org