The webinar covers:
• Risk management process in IT intensive SMEs
• Challenges in applying generic risk management methodologies
• Overview of simplified risk management methodology for IT intensive SMEs
Presenter:
This webinar was presented by Jasmina Trajkovski, Managing Director of Trajkovski & Partners Consulting who has more than 15 years of experience in IT consulting.
Link to the recorded session published on YouTube: https://youtu.be/1X4qTy1FzbY
PECB Webinar: Risk-management in IT intensive SMEs
1. Risk Management Framework for IT-Centric Micro and Small Companies
Jasmina Trajkovski, CISA, CISM, PMP
Trajkovski & Partners Management Consulting
Sveti Kliment Ohridski 24/2/1, 1000 Skopje, Macedonia
jasminat@tpconsulting.com.mk
2. Content
• Overview of Risk and RM frameworks
• Risk management considerations for IT centric M&S companies
• Elements of possible relevant framework
• Challenges for implementation
3. Overview of Risk
• Risk is defined as: “effect of uncertainty on objectives”, where
• uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information,
• objectives can have different aspects (health and safety, financial, IT, environmental) and can apply at different levels (such as strategic, organizational, project, process).
• It includes both negative and positive impacts on objectives.
4. Types of Risks
• IT risk – the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. [ISACA]
• Information security risk – the risk associated with the operation and use of information systems that support the missions and business functions of their organizations. [NIST]
• Operational risk – “the direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.” [Basel Committee]
5. Enterprise Risk Management
• “Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” [COSO]
6. Overview of RM frameworks
Table: type of framework – main elements – resource
• Generic risk management frameworks
• ISO 31000:2009 Risk Management Standard [1]: 11 principles for managing risks; a 5-segment framework (mandate and commitment; design framework; implement risk management; monitor and review the framework; continual improvement); a 5-step process (establish the context; risk assessment; risk treatment; monitoring and review; communication and consultation).
• Corpuz and Barnes, 2010 paper on integrating information security policy into corporate risk management [7]: 4 sub-processes (risk assessment process; risk treatment process; risk communication process; risk review and monitoring process).
• Information security risk management frameworks
• NIST SP 800-39: Managing Information Security Risk [2]: tiers are Organization, Mission/business processes and Information systems; phases are Frame, Assess, Respond and Monitor.
• ISO 27005:2008 Information Security Risk Management [8]: 6-step process (context establishment; risk assessment; risk treatment; risk acceptance; monitoring and review; risk communication).
• Information security risk management (ISRM) framework for enterprises using IT [6]: views STROPE (strategy, technology, organization, people, and environment); cyclic phases DMAIC (define, measure, analyze, improve, and control).
• IT risk management frameworks
• RiskIT framework [3]: domains are Risk governance, Risk evaluation and Risk response.
• Operational risk management frameworks
• COSO Enterprise risk management integrated framework [9]: components are identify, assess, respond to and control risk.
• RMA Operational risk management framework [10]: elements are 1. leadership, 2. management, 3. risk, and 4. tools.
7. Risk management based on ISO 31000 – Scope
Provides principles and generic guidelines on the implementation of risk management.
Can be applied to any kind of organisation and any type of risk, and is not specific to any industry or sector.
8. ISO 31000:2009 – Users
ISO 31000:2009 is intended to be used by a wide range of stakeholders including:
• those responsible for implementing risk management within their organisation;
• those who need to ensure that an organisation manages risk;
• those who need to manage risk for the organisation as a whole or within a specific area or activity;
• those needing to evaluate an organisation’s practices in managing risk; and
• developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.
9. ISO 31000:2009 Relationship between the Principles, Framework and Process
[Figure: the ISO 31000:2009 principles–framework–process diagram, recovered as text]
• Principles (Clause 3): a) Creates value; b) Integral part of organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organization.
• Framework (Clause 4), as a cycle: Mandate and commitment (4.2) → Design of framework (4.3) → Implementing risk management (4.4) → Monitoring and review of the framework (4.5) → Continual improvement of the framework (4.6).
• Process (Clause 5): Establishing the context (5.3) → Risk assessment (5.4), comprising Risk identification (5.4.2), Risk analysis (5.4.3) and Risk evaluation (5.4.4) → Risk treatment (5.5); Communication and consultation (5.2) and Monitoring and review (5.6) run alongside all of these steps.
10. Principles (Clause 3)
Risk management should…
1. Create value
2. An integral part of organizational processes
3. Part of decision making
4. Explicitly address uncertainty
5. Be systematic and structured
6. Be based on the best available information
7. Be tailored
8. Take into account human factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Be capable of continual improvement and enhancement
11. Framework (Clause 4)
The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.
The framework assists in managing risks effectively through the application of the risk management process at varying levels and within specific contexts of the organization.
12. Process (Clause 5)
The risk management process should be
• an integral part of management,
• embedded in the culture and practices, and
• tailored to the business processes of the organization.
Includes five activities: communication and consultation; establishing the context; risk assessment; risk treatment; and monitoring and review.
13. Risk Management Process
[Figure: the ISO 31000 risk management process diagram, recovered as text]
Establishing the context (5.3) → Risk assessment (5.4): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4) → Risk treatment (5.5). Communication and consultation (5.2) and Monitoring and review (5.6) accompany every step.
14. RM considerations for M&S companies
• Specifics of IT-centric micro and small companies:
• Exposure to various types of risks
• Limited resources for risk management
• Low resilience of the organizations to operations and information
security risks
• Challenges related to meeting the following requirements:
• Need for integrated approach to treat various types of risks
• Need for comprehensive and usable methodology
16. People aspect
• Risk management is a people-intensive process, and people are crucial for the successful implementation and maintenance of risk management in the organization.
• Risk management team – includes representatives from the main processes or units in the company, as well as the management team. The optimal number of representatives is 5 to 7.
• Risk management officer – a responsible person in the company: the owner, the managing director or another member of the management team who leads the risk management activities.
17. Policy aspect
• The risk management policy is a short, straightforward document summarizing the intent and the approach for risk management.
• 1-2 pages
• Includes:
• Scope and purpose of the risk management
• Main objectives
• Risk management principles
• The commitment of management to risk management
• Allocated responsibilities for the process and results
• References to the methodology and process to be used
• Level of acceptable risk for the company.
18. Methodology and Process Aspect
Phase 1 – Establish the context for risk management
• Define the scope of operations to be covered by the risk management process, preferably the entire operations.
• Identify process- and asset-related risks.
Phase 2 – Regular risk assessment
• Evaluate bare risks using the calculation formula and the grading scale defined in the risk management methodology.
• Assess the impact of current controls on the bare risk and evaluate the current risk levels.
• For current risks above the level of acceptable risk, define risk treatment options and evaluate the level of residual risk.
• Turn the risk treatment options into a feasible Risk Treatment Action Plan with timeframe, responsibilities, deadlines, indicators and necessary resources.
Phase 3 – Risk monitoring
• At regular intervals (at least every 6 months) check the progress on the Risk Treatment Action Plan.
• At regular intervals (at least annually) check whether new risks can be identified, review the risk assessment, assess the real impact of the risk treatment options and update the Risk Treatment Action Plan.
• Continually monitor for risk realization and document the real impact of the risk when it happens.
19. Methodology and Process Aspect
• The main results of the process are:
• the process and/or asset register,
• the risk identification register,
• decision on range of value for probability and impact of risks, and calculation
formula;
• the risk assessment register,
• decision on acceptable risk,
• the risk treatment plan,
• the risk treatment action plan,
• the risk measurement/monitoring log.
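The Phase 2 steps of slide 18 (bare risk → current risk after existing controls → residual risk after planned treatment, compared with the acceptable-risk level) and the registers of slide 19, worked through as an added Python example. This is not code from the webinar or from Trajkovski & Partners; the methodology deliberately leaves the "decision on range of value for probability and impact of risks, and calculation formula" to the company, so the 1–5 grading scale, the probability × impact formula, the proportional reduction by controls, the "worst affected aspect" aggregation over the impact aspects of slide 20, the acceptable level of 8 and the four sample risks are all constructed assumptions. It also flags the two failure modes a practitioner checks at the 6-monthly review: a risk above the acceptable level with no treatment defined, and a planned treatment whose estimated effectiveness still leaves the residual risk too high.

```python
"""Worked risk assessment register for a hypothetical IT-centric small company.

Scales, scoring formula, acceptable level and all sample risks are constructed
assumptions for illustration; the webinar does not prescribe them.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE = range(1, 6)  # assumed grading scale: 1 (very low) .. 5 (very high)
# Impact aspects from the "Challenges for implementation" slide, C-I-A split out.
ASPECTS = ("monetary", "confidentiality", "integrity", "availability",
           "business_operations", "technological_operations", "reputation")


@dataclass
class Treatment:
    action: str
    owner: str                     # responsibility
    deadline: str                  # constructed ISO date
    indicator: str                 # how progress is checked at the 6-monthly review
    expected_effectiveness: float  # 0..1, estimated reduction of the current risk


@dataclass
class Risk:
    risk_id: str
    asset_or_process: str
    description: str
    probability: int                    # 1..5
    impact: Dict[str, int]              # aspect -> 1..5, only the aspects that apply
    control_effectiveness: float = 0.0  # 0..1, reduction by controls already in place
    treatment: Optional[Treatment] = None

    def __post_init__(self):
        # Enforce the grading scale so a typo cannot silently inflate or hide a risk.
        if self.probability not in SCALE:
            raise ValueError(f"{self.risk_id}: probability outside grading scale")
        if not self.impact:
            raise ValueError(f"{self.risk_id}: at least one impact aspect required")
        for aspect, grade in self.impact.items():
            if aspect not in ASPECTS or grade not in SCALE:
                raise ValueError(f"{self.risk_id}: bad impact aspect {aspect}={grade}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.risk_id}: control effectiveness must be 0..1")


def impact_level(risk: Risk) -> int:
    """Assumed aggregation: overall impact is the worst-affected aspect."""
    return max(risk.impact.values())


def bare_risk(risk: Risk) -> int:
    """Assumed formula: bare (inherent) risk = probability x impact, range 1..25."""
    return risk.probability * impact_level(risk)


def current_risk(risk: Risk) -> int:
    """Risk after existing controls; rounded up so rounding never hides a risk."""
    return math.ceil(bare_risk(risk) * (1 - risk.control_effectiveness))


def residual_risk(risk: Risk) -> int:
    """Risk expected after the planned treatment; equals current risk if none is planned."""
    if risk.treatment is None:
        return current_risk(risk)
    return math.ceil(current_risk(risk) * (1 - risk.treatment.expected_effectiveness))


def assess(register: List[Risk], acceptable: int) -> List[dict]:
    """Build the risk assessment register rows and classify each risk."""
    rows = []
    for r in register:
        cur, res = current_risk(r), residual_risk(r)
        if cur <= acceptable:
            status = "accepted"                # within the acceptable level
        elif r.treatment is None:
            status = "treatment missing"       # above acceptable, nothing planned
        elif res > acceptable:
            status = "treatment insufficient"  # planned treatment leaves it too high
        else:
            status = "treatment planned"
        rows.append({"risk_id": r.risk_id, "bare": bare_risk(r), "current": cur,
                     "residual": res, "status": status})
    return rows


def treatment_action_plan(register: List[Risk], acceptable: int) -> List[dict]:
    """Risk Treatment Action Plan: planned treatments, highest current risk first."""
    todo = [r for r in register if current_risk(r) > acceptable and r.treatment]
    todo.sort(key=current_risk, reverse=True)
    return [{"risk_id": r.risk_id, "action": r.treatment.action, "owner": r.treatment.owner,
             "deadline": r.treatment.deadline, "indicator": r.treatment.indicator}
            for r in todo]


ACCEPTABLE_RISK = 8  # assumed decision on acceptable risk (score out of 25)
REGISTER = [  # constructed sample register
    Risk("R1", "Shared file server", "Ransomware encrypts project data", 4,
         {"availability": 5, "business_operations": 4, "monetary": 3},
         control_effectiveness=0.25,  # nightly backups exist but stay online
         treatment=Treatment("Offline backups + endpoint detection", "IT lead",
                             "2024-09-30", "restore test passed", 0.5)),
    Risk("R2", "Product development", "Only developer who knows the billing module leaves",
         3, {"business_operations": 4, "technological_operations": 3},
         treatment=Treatment("Document module and cross-train a second developer",
                             "CTO", "2024-12-31", "second developer ships a fix", 0.4)),
    Risk("R3", "Staff laptops", "Laptop stolen while travelling", 2,
         {"confidentiality": 2, "monetary": 2}, control_effectiveness=0.5),  # disk encryption
    Risk("R4", "Company website", "Defacement via unpatched CMS", 3, {"reputation": 3}),
]

if __name__ == "__main__":
    for row in assess(REGISTER, ACCEPTABLE_RISK):
        print(row)
    for item in treatment_action_plan(REGISTER, ACCEPTABLE_RISK):
        print(item)
```

With these assumptions R1 scores 20 bare, 15 current and 8 residual; R2 scores 12 current and 8 residual; R3 is accepted at 2; and R4 is flagged "treatment missing" at 9, which is the row the risk management officer would take to the next review. The register rows map directly onto the risk assessment register and the action plan onto the Risk Treatment Action Plan of slide 19.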
20. Challenges for implementation
• Valuation of assets
• Aspects for assessment of impact
• Monetary
• C – I – A (confidentiality, integrity, availability)
• Business operations
• Technological operations
• Reputation
• Estimation of expected effectiveness of suggested mitigation
measures
21. Tools Aspect
• Risk management toolkit is a usable software tool for gathering,
calculating and presenting risk assessment results as well as other
related information.
• It can include:
• the process and/or asset register,
• the risk identification register,
• the risk assessment register,
• the risk treatment plan,
• the risk treatment action plan,
• the risk measurement/monitoring log.