Risk Management Framework for IT-
Centric Micro and Small Companies
Jasmina Trajkovski, CISA, CISM, PMP
Trajkovski & Partners Management Consulting
Sveti Kliment Ohridski 24/2/1, 1000 Skopje, Macedonia
jasminat@tpconsulting.com.mk
Content
• Overview of Risk and RM frameworks
• Risk management considerations for IT centric M&S companies
• Elements of possible relevant framework
• Challenges for implementation
Overview of Risk
• Risk is defined as the "effect of uncertainty on objectives" [ISO 31000:2009], where:
• uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information,
• objectives can have different aspects (health and safety, financial, IT, environmental) and can apply at different levels (such as strategic, organizational, project, process).
• The definition covers both negative and positive effects on objectives.
Types of Risks
• IT risk: "the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise." [ISACA]
• Information security risk: "the risk associated with the operation and use of information systems that support the missions and business functions of their organizations." [NIST]
• Operational risk: "the direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events." [Basel Committee]
Enterprise Risk Management
• "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." [COSO]
Overview of RM frameworks
(Columns of the original table: type of framework, main elements, resource)

Generic risk management frameworks
• Main elements: 11 principles for managing risk; a 5-component framework (mandate and commitment; design of framework; implementing risk management; monitoring and review of the framework; continual improvement of the framework); a 5-step process (establishing the context; risk assessment; risk treatment; monitoring and review; communication and consultation). Resource: ISO 31000:2009 Risk Management Standard [1]
• Main elements: 4 sub-processes: risk assessment process; risk treatment process; risk communication process; risk review and monitoring process. Resource: Corpuz and Barnes, 2010 paper on integrating information security policy into corporate risk management [7]

Information security risk management frameworks
• Main elements: tiers: organization; mission/business processes; information systems. Phases: frame, assess, respond and monitor. Resource: NIST SP 800-39, Managing Information Security Risk [2]
• Main elements: 6-step process: context establishment; risk assessment; risk treatment; risk acceptance; monitoring and review; risk communication. Resource: ISO/IEC 27005:2008 Information Security Risk Management [8]
• Main elements: views: STROPE (strategy, technology, organization, people and environment). Phases: DMAIC (define, measure, analyze, improve and control), applied cyclically. Resource: Information security risk management (ISRM) framework for enterprises using IT [6]

IT risk management frameworks
• Main elements: domains: risk governance; risk evaluation; risk response. Resource: ISACA Risk IT framework [3]

Operational risk management frameworks
• Main elements: components: identify, assess, respond to and control risk. Resource: COSO Enterprise Risk Management Integrated Framework [9]
• Main elements: elements: 1. leadership, 2. management, 3. risk, 4. tools. Resource: RMA Operational Risk Management Framework [10]
Risk management based on ISO 31000 - Scope
Provides principles and generic guidelines on the implementation of risk management.
Can be applied to any kind of organisation and any type of risk, and is not specific to any industry or sector.
ISO 31000:2009 - Users
ISO 31000:2009 is intended to be used by a wide range of stakeholders including:
• those responsible for implementing risk management within their organisation;
• those who need to ensure that an organisation manages risk;
• those who need to manage risk for the organisation as a whole or within a specific area or activity;
• those needing to evaluate an organisation's practices in managing risk; and
• developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.
ISO 31000:2009 Relationship between the Principles, Framework and Process
(Diagram from the standard, reconstructed as text.)

Principles (Clause 3): risk management
a) creates value
b) is an integral part of organizational processes
c) is part of decision making
d) explicitly addresses uncertainty
e) is systematic, structured and timely
f) is based on the best available information
g) is tailored
h) takes human and cultural factors into account
i) is transparent and inclusive
j) is dynamic, iterative and responsive to change
k) facilitates continual improvement and enhancement of the organization

Framework (Clause 4), a cycle: mandate and commitment (4.2); design of framework (4.3); implementing risk management (4.4); monitoring and review of the framework (4.5); continual improvement of the framework (4.6), which feeds back into the design.

Process (Clause 5): establishing the context (5.3); risk assessment (5.4), made up of risk identification (5.4.2), risk analysis (5.4.3) and risk evaluation (5.4.4); risk treatment (5.5). Communication and consultation (5.2) and monitoring and review (5.6) run alongside every step.
Principles (Clause 3)
Risk management should:
1. Create value
2. Be an integral part of organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic, structured and timely
6. Be based on the best available information
7. Be tailored
8. Take human and cultural factors into account
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Facilitate continual improvement and enhancement of the organization
Framework (Clause 4)
The success of risk management will depend on the effectiveness of
the management framework providing the foundations and
arrangements that will embed it throughout the organization at all
levels.
The framework assists in managing risks effectively through the
application of the risk management process at varying levels and
within specific contexts of the organization.
Process (Clause 5)
The risk management process should be
• an integral part of management,
• embedded in the culture and practices, and
• tailored to the business processes of the organization.
It includes five activities: communication and consultation; establishing the context; risk assessment; risk treatment; and monitoring and review.
Risk Management Process
(Process diagram, reconstructed as text.)
Establishing the context (5.3)
Risk assessment (5.4)
• Risk identification (5.4.2)
• Risk analysis (5.4.3)
• Risk evaluation (5.4.4)
Risk treatment (5.5)
Communication and consultation (5.2) and monitoring and review (5.6) apply throughout the process.
RM considerations for M&S companies
• Specifics of IT-centric micro and small companies:
• exposure to various types of risk,
• limited resources for risk management,
• low resilience of the organization to operational and information security risks.
• Challenges related to meeting the following requirements:
• the need for an integrated approach that treats the various types of risk together,
• the need for a comprehensive yet usable methodology.
The new framework
The framework has four aspects:
• People
• Policy
• Methodology & Process
• Tools
People aspect
• Risk management is a people-intensive process, and people are crucial for the successful implementation and maintenance of risk management in the organization.
• Risk management team: representatives of the main processes or units in the company together with the management team; the optimal size is 5 to 7 members.
• Risk management officer: the person responsible for risk management in the company (the owner, the managing director or another member of the management team) who leads the risk management activities.
Policy aspect
• The risk management policy is a short, straightforward document (1-2 pages) summarizing the intent and the approach for risk management.
• It includes:
• scope and purpose of risk management,
• main objectives,
• risk management principles,
• the commitment of management to risk management,
• allocated responsibilities for the process and its results,
• references to the methodology and process to be used,
• the level of acceptable risk for the company.
Methodology and Process Aspect
Phase 1: Establish the context for risk management
• Define the scope of operations to be covered by the risk management process, preferably the entire operations of the company.
• Identify process-related and asset-related risks.
Phase 2: Regular risk assessment
• Evaluate the bare (inherent) risk of each identified risk using the scoring formula and the grading scale defined in the risk management methodology.
• Assess the effect of the current controls on the bare risk and evaluate the current risk levels.
• For current risks above the level of acceptable risk, define risk treatment options and evaluate the level of residual risk each would leave.
• Turn the selected treatment options into a feasible Risk Treatment Action Plan with timeframe, responsibilities, deadlines, indicators and the necessary resources.
Phase 3: Risk monitoring
• At regular intervals (at least every 6 months) check progress on the Risk Treatment Action Plan.
• At regular intervals (at least annually) check whether new risks can be identified, review the risk assessment, assess the real effect of the implemented treatment options and update the Risk Treatment Action Plan.
• Continually monitor for risk realization and, when a risk materializes, document its real impact.
Methodology and Process Aspect
• The main results of the process are:
• the process and/or asset register,
• the risk identification register,
• the decision on the value ranges for probability and impact of risks, and the calculation formula,
• the risk assessment register,
• the decision on acceptable risk,
• the risk treatment plan,
• the risk treatment action plan,
• the risk measurement/monitoring log.
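The three phases above and the registers listed as process outputs, as an added worked example that is not the author's toolkit or any code from the presentation: a small Python risk register that grades bare, current and residual risk, compares them with the acceptable-risk level and produces the treatment action plan. The slides leave the grading scale and the calculation formula as decisions for the company, so everything numeric here is assumed: a 1..5 scale, risk = probability × impact, overall impact taken as the highest grade across the impact aspects listed later under "Challenges for implementation", and each control lowering probability and/or impact by whole grades. The sample register entries are constructed.

```python
"""Added worked example of the three-phase method: a risk register graded bare -> current
-> residual, compared with an acceptable-risk level and turned into a treatment action plan.
Assumed (not on the slides): 1..5 grades, risk = probability * impact, overall impact =
highest grade across the impact aspects, and whole-grade reductions per control."""
from dataclasses import dataclass, field

GRADES = range(1, 6)  # assumed grading scale for probability and impact
IMPACT_ASPECTS = ("monetary", "confidentiality", "integrity", "availability",
                  "business_operations", "technological_operations", "reputation")

@dataclass(frozen=True)
class Control:
    """An existing control or a proposed treatment; reductions are whole grades."""
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0
    owner: str = ""      # responsibility, for the treatment action plan
    deadline: str = ""   # timeframe, for the treatment action plan

@dataclass
class Risk:
    """One row of the risk identification register."""
    risk_id: str
    asset: str
    description: str
    probability: int
    impact: dict                       # aspect -> grade for each assessed aspect
    current_controls: list = field(default_factory=list)
    treatments: list = field(default_factory=list)

def _grade(value, what):
    if value not in GRADES:
        raise ValueError(f"{what}={value} is outside the scale {GRADES.start}..{GRADES.stop - 1}")
    return value

def impact_grade(impact):
    """Overall impact is the highest grade over the assessed aspects."""
    unknown = set(impact) - set(IMPACT_ASPECTS)
    if unknown or not impact:
        raise ValueError(f"unknown or missing impact aspects: {sorted(unknown)}")
    return max(_grade(g, f"impact[{a}]") for a, g in impact.items())

def risk_score(probability, impact):
    return _grade(probability, "probability") * _grade(impact, "impact")

def score_with_controls(risk, controls):
    """Subtract the controls' reductions (clamped to the scale) and score the result."""
    clamp = lambda g: max(GRADES.start, min(GRADES.stop - 1, g))
    p = risk.probability - sum(c.probability_reduction for c in controls)
    i = impact_grade(risk.impact) - sum(c.impact_reduction for c in controls)
    return risk_score(clamp(p), clamp(i))

def assess(register, acceptable_risk):
    """Phase 2: bare, current and residual risk per entry (the risk assessment register)."""
    rows = []
    for r in register:
        current = score_with_controls(r, r.current_controls)
        residual = score_with_controls(r, r.current_controls + r.treatments)
        rows.append({"risk_id": r.risk_id, "asset": r.asset,
                     "bare": risk_score(r.probability, impact_grade(r.impact)),
                     "current": current, "residual": residual,
                     "needs_treatment": current > acceptable_risk,   # strictly above the level
                     "residual_accepted": residual <= acceptable_risk,
                     "treatments": r.treatments})
    return rows

def treatment_action_plan(rows):
    """Only risks above the acceptable level get actions, each with owner and deadline."""
    return [{"risk_id": row["risk_id"], "action": t.name, "owner": t.owner, "deadline": t.deadline}
            for row in rows if row["needs_treatment"] for t in row["treatments"]]

def still_above_acceptable(rows):
    """Phase 3 review input: treated risks whose residual still exceeds the acceptable level."""
    return [row["risk_id"] for row in rows if row["needs_treatment"] and not row["residual_accepted"]]

# Constructed sample register for a small software company (illustrative data only).
ACCEPTABLE_RISK = 8
SAMPLE_REGISTER = [
    Risk("R1", "customer database", "ransomware encrypts production data", 4,
         {"monetary": 4, "availability": 5, "reputation": 4},
         current_controls=[Control("offline backups", impact_reduction=2)],
         treatments=[Control("EDR plus monthly patching", probability_reduction=2,
                             owner="IT lead", deadline="Q3")]),
    Risk("R2", "build server", "leaked CI deployment secret", 3,
         {"confidentiality": 3, "integrity": 4},
         treatments=[Control("rotate secrets, scope tokens to least privilege",
                             probability_reduction=1, owner="DevOps", deadline="Q2")]),
    Risk("R3", "office laptops", "lost or stolen laptop", 3,
         {"monetary": 2, "confidentiality": 2},
         current_controls=[Control("full-disk encryption", impact_reduction=1)]),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER, ACCEPTABLE_RISK)
    for row in rows:
        print(row["risk_id"], row["bare"], row["current"], row["residual"], row["needs_treatment"])
    print(treatment_action_plan(rows), still_above_acceptable(rows))
```

Two design points worth noting when adapting this: the comparison with the acceptable level is strict (a current risk equal to the level is accepted, as R2's residual of 8 is here), and `still_above_acceptable` is what the six-monthly review should look at, because a treatment that leaves residual risk above the level needs an explicit management acceptance decision rather than silently staying in the plan.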
Challenges for implementation
• Valuation of assets
• Choice of aspects for assessing impact:
• monetary
• confidentiality, integrity and availability (C-I-A)
• business operations
• technological operations
• reputation
• Estimation of the expected effectiveness of the suggested mitigation measures
Tools Aspect
• The risk management toolkit is a usable software tool for gathering, calculating and presenting risk assessment results and other related information.
• It can include:
• the process and/or asset register,
• the risk identification register,
• the risk assessment register,
• the risk treatment plan,
• the risk treatment action plan,
• the risk measurement/monitoring log.
Sample toolkit (slide image not reproduced in the text)
Jasmina Trajkovski, PMP, CISM, CISA
jasmina.trajkovski@tpconsulting.com.mk
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
 

Dernier

Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxheathfieldcps1
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRATanmoy Mishra
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 

Dernier (20)

Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptx
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 

PECB Webinar: Risk-management in IT intensive SMEs

1. Risk Management Framework for IT-Centric Micro and Small Companies
Jasmina Trajkovski, CISA, CISM, PMP
Trajkovski & Partners Management Consulting, Sveti Kliment Ohridski 24/2/1, 1000 Skopje, Macedonia
jasminat@tpconsulting.com.mk

2. Content
• Overview of risk and RM frameworks
• Risk management considerations for IT-centric micro and small (M&S) companies
• Elements of a possible relevant framework
• Challenges for implementation

3. Overview of Risk
• Risk is defined as the "effect of uncertainty on objectives":
  • uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information;
  • objectives can have different aspects (health and safety, financial, IT, environmental) and can apply at different levels (strategic, organizational, project, process).
• It includes both negative and positive impacts on objectives.

4. Types of Risks
• IT risk: the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. [ISACA]
• Information security risk: the risk associated with the operation and use of information systems that support the missions and business functions of their organizations. [NIST]
• Operational risk: "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events." [Basel Committee]

5. Enterprise Risk Management
• "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." [COSO]
6. Overview of RM frameworks (type of framework / main elements / resource)

Generic risk management frameworks
• ISO 31000:2009 Risk Management Standard [1]: 11 principles for managing risk; a 5-segment framework (mandate and commitment; design of framework; implementing risk management; monitoring and review of the framework; continual improvement); a 5-step process (establishing the context; risk assessment; risk treatment; monitoring and review; communication and consultation).
• Corpuz and Barnes, 2010 paper on integrating information security policy into corporate risk management [7]: four sub-processes (risk assessment; risk treatment; risk communication; risk review and monitoring).

Information security risk management frameworks
• NIST SP 800-39, Managing Information Security Risk [2]: three tiers (organization; mission/business processes; information systems) and four phases (frame, assess, respond, monitor).
• ISO/IEC 27005:2008 Information Security Risk Management [8]: 6-step process (context establishment; risk assessment; risk treatment; risk acceptance; monitoring and review; risk communication).
• Information security risk management (ISRM) framework for enterprises using IT [6]: views STROPE (strategy, technology, organization, people, environment); cyclic phases DMAIC (define, measure, analyze, improve, control).

IT risk management frameworks
• Risk IT framework [3]: domains of risk governance, risk evaluation and risk response.

Operational risk management frameworks
• COSO Enterprise Risk Management integrated framework [9]: components identify, assess, respond to and control risk.
• RMA Operational Risk Management Framework [10]: elements 1. leadership, 2. management, 3. risk and 4. tools.
7. Risk management based on ISO 31000 - Scope
• Provides principles and generic guidelines on the implementation of risk management.
• Can be applied to any kind of organisation and any type of risk; it is not specific to any industry or sector.

8. ISO 31000:2009 - Users
ISO 31000:2009 is intended to be used by a wide range of stakeholders, including:
• those responsible for implementing risk management within their organisation;
• those who need to ensure that an organisation manages risk;
• those who need to manage risk for the organisation as a whole or within a specific area or activity;
• those needing to evaluate an organisation's practices in managing risk; and
• developers of standards, guides, procedures and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.
9. ISO 31000:2009 - Relationship between the Principles, Framework and Process
[Figure: the eleven principles (Clause 3) underpin the framework (Clause 4), which in turn drives the process (Clause 5).]
• Framework (Clause 4): mandate and commitment (4.2); design of framework (4.3); implementing risk management (4.4); monitoring and review of the framework (4.5); continual improvement of the framework (4.6).
• Process (Clause 5): communication and consultation (5.2); establishing the context (5.3); risk assessment (5.4), comprising risk identification (5.4.2), risk analysis (5.4.3) and risk evaluation (5.4.4); risk treatment (5.5); monitoring and review (5.6).
10. Principles (Clause 3)
Risk management should:
1. create value;
2. be an integral part of organizational processes;
3. be part of decision making;
4. explicitly address uncertainty;
5. be systematic, structured and timely;
6. be based on the best available information;
7. be tailored;
8. take human and cultural factors into account;
9. be transparent and inclusive;
10. be dynamic, iterative and responsive to change;
11. facilitate continual improvement and enhancement of the organization.

11. Framework (Clause 4)
• The success of risk management depends on the effectiveness of the management framework that provides the foundations and arrangements to embed it throughout the organization at all levels.
• The framework assists in managing risks effectively through the application of the risk management process at varying levels and within specific contexts of the organization.

12. Process (Clause 5)
• The risk management process should be an integral part of management, embedded in the culture and practices, and tailored to the business processes of the organization.
• It includes five activities: communication and consultation; establishing the context; risk assessment; risk treatment; and monitoring and review.

13. Risk Management Process
[Figure: establishing the context (5.3) leads into risk assessment (5.4), made up of risk identification (5.4.2), risk analysis (5.4.3) and risk evaluation (5.4.4), followed by risk treatment (5.5); communication and consultation (5.2) and monitoring and review (5.6) run alongside every step.]
14. RM considerations for M&S companies
• Specifics of IT-centric micro and small companies:
  • exposure to various types of risk;
  • limited resources for risk management;
  • low resilience of the organization to operational and information security risks.
• Challenges related to meeting the following requirements:
  • the need for an integrated approach to treat the various types of risk;
  • the need for a comprehensive and usable methodology.

16. People aspect
• Risk management is a people-intensive process, and the people are crucial for the successful implementation and maintenance of risk management in the organization.
• Risk management team: includes representatives of the main processes or units in the company as well as the management team. The optimal number of representatives is 5 to 7.
• Risk management officer: the responsible person in the company (the owner, the managing director or another member of the management team) who leads the risk management activities.

17. Policy aspect
• The risk management policy is a short but explicit document (1-2 pages) summarizing the intent and the approach for risk management.
• It includes:
  • scope and purpose of risk management;
  • main objectives;
  • risk management principles;
  • the commitment of management to risk management;
  • allocated responsibilities for the process and its results;
  • references to the methodology and process to be used;
  • the level of acceptable risk for the company.
18. Methodology and Process Aspect
Phase 1 - Establish the context for risk management
• Define the scope of operations to be covered by the risk management process, preferably the entire operations.
• Identify process- and asset-related risks.
Phase 2 - Regular risk assessment
• Evaluate the bare (inherent) risks, i.e. before any control, using the calculation formula and the grading scale defined in the risk management methodology.
• Assess the effect of the current controls on the bare risk and evaluate the current risk levels.
• For current risks above the level of acceptable risk, define risk treatment options and evaluate the level of residual risk they would leave.
• Turn the chosen risk treatment options into a feasible Risk Treatment Action Plan with timeframe, responsibilities, deadlines, indicators and necessary resources.
Phase 3 - Risk monitoring
• At regular intervals (at least every 6 months) check the progress of the Risk Treatment Action Plan.
• At regular intervals (at least annually) check whether new risks can be identified, review the risk assessment, assess the real effect of the implemented treatment options and update the Risk Treatment Action Plan.
• Continually monitor for risk realization and document the real impact of a risk when it materializes.

19. Methodology and Process Aspect
The main results of the process are:
• the process and/or asset register;
• the risk identification register;
• the decision on the value ranges for probability and impact of risks, and the calculation formula;
• the risk assessment register;
• the decision on the level of acceptable risk;
• the risk treatment plan;
• the risk treatment action plan;
• the risk measurement/monitoring log.

20. Challenges for implementation
• Valuation of assets.
• Aspects to consider when assessing impact:
  • monetary;
  • confidentiality, integrity and availability (C-I-A);
  • business operations;
  • technological operations;
  • reputation.
• Estimating the expected effectiveness of the suggested mitigation measures.

21. Tools Aspect
• The risk management toolkit is a usable software tool for gathering, calculating and presenting the risk assessment results and other related information.
• It can include:
  • the process and/or asset register;
  • the risk identification register;
  • the risk assessment register;
  • the risk treatment plan;
  • the risk treatment action plan;
  • the risk measurement/monitoring log.
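The slides on the methodology (Phase 2 of slide 18, the results on slide 19) and the toolkit (slide 21) leave the grading scale, the calculation formula and the acceptable-risk level to each company. The following is an added example, not code from the webinar or from Trajkovski & Partners, of what the minimal toolkit looks like once those decisions are made: it assumes 1..5 scales for probability and for each impact aspect from slide 20, takes the overall impact as the worst-rated aspect, scores risk as probability x impact, treats each control as removing an assumed fraction of the risk the previous controls left, and uses an assumed acceptable level of 6. The sample register is constructed for illustration.

```python
"""Minimal risk-register toolkit for the three-phase methodology on slides 18-21.
Added example, not part of the original webinar. The scales, the formula, the
acceptable-risk level and the sample register are assumptions for illustration."""
from dataclasses import dataclass, field

SCALE = range(1, 6)            # assumed grading scale for probability and each impact aspect
ACCEPTABLE_RISK = 6.0          # assumed level of acceptable risk taken from the RM policy
IMPACT_ASPECTS = ("monetary", "confidentiality", "integrity", "availability",
                  "business_operations", "technological_operations", "reputation")


@dataclass
class Control:
    name: str
    effectiveness: float       # assumed fraction of the risk this control removes, 0.0..1.0
    in_place: bool = True      # False marks a proposed treatment option, not yet implemented


@dataclass
class Risk:
    rid: str
    asset: str
    description: str
    probability: int
    impact: dict               # aspect -> 1..5; the overall impact is the worst-rated aspect
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject entries outside the grading scale or with unknown aspects, so a typo
        # in the register cannot silently produce an out-of-range score.
        if self.probability not in SCALE:
            raise ValueError(f"{self.rid}: probability {self.probability} not in scale")
        if not self.impact:
            raise ValueError(f"{self.rid}: at least one impact aspect is required")
        for aspect, level in self.impact.items():
            if aspect not in IMPACT_ASPECTS or level not in SCALE:
                raise ValueError(f"{self.rid}: bad impact entry {aspect}={level}")

    def inherent_score(self):
        """Bare risk: probability x worst impact aspect, before any control."""
        return float(self.probability * max(self.impact.values()))

    def score_with(self, controls):
        remaining = 1.0        # each control removes a fraction of what the previous ones left
        for c in controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent_score() * remaining, 1)

    def current_score(self):
        """Risk level after the controls that are already in place."""
        return self.score_with([c for c in self.controls if c.in_place])

    def residual_score(self):
        """Expected risk level once the proposed treatment options are implemented too."""
        return self.score_with(self.controls)


def assess(register):
    """Phase 2: the risk assessment register, one row per identified risk."""
    rows = []
    for r in register:
        current = r.current_score()
        rows.append({"rid": r.rid, "asset": r.asset, "inherent": r.inherent_score(),
                     "current": current, "residual": r.residual_score(),
                     "decision": "accept" if current <= ACCEPTABLE_RISK else "treat"})
    return rows


def treatment_plan(register):
    """Risk treatment plan: proposed options for each risk above the acceptable level,
    highest current risk first. A risk still above the level after treatment is flagged
    as insufficient so more options are sought before the action plan is approved."""
    plan = []
    for r in sorted(register, key=lambda x: x.current_score(), reverse=True):
        if r.current_score() <= ACCEPTABLE_RISK:
            continue
        plan.append({"rid": r.rid,
                     "options": [c.name for c in r.controls if not c.in_place],
                     "residual": r.residual_score(),
                     "sufficient": r.residual_score() <= ACCEPTABLE_RISK})
    return plan


# Constructed sample register for an IT-centric small company (assumed data).
SAMPLE_REGISTER = [
    Risk("R1", "production SaaS platform", "ransomware encrypts servers and backups",
         probability=3, impact={"availability": 5, "monetary": 4},
         controls=[Control("offline weekly backups", 0.5),
                   Control("MFA on all admin accounts", 0.4, in_place=False)]),
    Risk("R2", "staff laptops", "laptop holding customer data is stolen",
         probability=2, impact={"confidentiality": 3, "reputation": 2}),
    Risk("R3", "core product team", "only developer who knows the billing module leaves",
         probability=4, impact={"business_operations": 4},
         controls=[Control("documented runbooks", 0.3),
                   Control("cross-training a second developer", 0.3, in_place=False)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER) + treatment_plan(SAMPLE_REGISTER):
        print(row)
```

With the sample data, R1 (inherent 15) drops to 7.5 with the existing backups and to 4.5 once MFA is added, so the proposed option is sufficient; R3 (inherent 16) stays at 7.8 even after cross-training, which is exactly the case the treatment plan flags so the team looks for further options; R2 sits at the acceptable level and is accepted. The control-effectiveness numbers are the hardest part to get right in practice, which is the last challenge listed on slide 20; keeping them explicit in the register makes them easy to revisit at the six-monthly review.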
23. Jasmina Trajkovski, PMP, CISM, CISA
jasmina.trajkovski@tpconsulting.com.mk