Key Components of a Successful Risk Assessment
ASIS International Seminar and Exhibition
Tuesday, September 30, 2014
Carol Fox, RIMS Director, Strategic & Enterprise Risk Practice
Marc Siegel, Commissioner, Global Standards
Copyright © 2014 ASIS International and RIMS
Risk Assessment Standard Under Development
Development of the Risk Assessment (RA) ANSI American National Standard is a joint initiative.
Both are ANSI accredited SDOs.
About ASIS International
Largest professional society for security management practitioners
• Founded in 1955
• More than 38,000 Members in 133 Countries
• 218 Chapters in 60 countries
• 31 Councils, ranging from disaster management, financial services, physical security, IT security, supply chain security, utilities, hotels and hospitality, and retail
• Recognized as international body by ISO – Liaison Status
• Chair and Secretariat of ISO/OC284 – Security Operations
• Recognized as European body by CEN – Liaison Status
• Accredited by ANSI as American SDO – OPEN TO MEMBERS GLOBALLY
• Standards Development and Training
• Credentialing and Certification of Security Professionals
About RIMS
Global not-for-profit organization focused on advancing risk management for organizational success
• Founded in 1950
• More than 11,000 Members located in more than 60 Countries
• More than 80 Chapters
• More than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world
• Accredited by ANSI as American SDO – open to members globally
• Member of US-TAG to ISO/TC262 – Risk Management
• Learning: Risk Management Development Offerings / Designations
• Networking: Conferences, Meetings, Standards and Practices Committee
• Resources: Publications, Research, Surveys, Articles, Tools
ANSI/ASIS/RIMS Standard Builds on the Foundation of ISO 31000: Risk Management
• ISO 31000:2009, Risk management – Principles and guidelines
• ISO Guide 73:2009, Risk management – Vocabulary
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques
Bottom Line: Risk Managers are Business Managers
Old View: Event Focused
New View: Objectives Focused
Evolving Views of Risk Management
• Risk management is a price of doing business and spend as little as possible.
• Risk management has some strategic value but there is a need to rationalize the cost of risk profile improvement.
• Risk management creates business opportunities and helps realize positive returns on risk management investments.
Risk Management is tailored to the Business – Not Vice-Versa
• Risk manager that recognizes that it is about value creation, products, and services
• Risk manager that thinks it is about tailoring the business to managing risk
ISO 31000 Changes the Perspective on Risk Management
Old View:
• Reactive mode
• Event-focused
• Post-action response
• Afterthought
• Transactional
• Protecting value
New View:
• Proactive mode
• Objectives-focused
• Predictive indicators
• Foresight
• Strategic
• Creating and capturing value
• Expanding organizational risk management competencies
Defines risk as “effect of uncertainty on objectives”
Using ISO 31000:2009 as a Base
ISO 31000:2009 Risk Management
Risk Assessment Expressed Another Way
• Who / What / When / Where / How
• Why / How Often / How Much / How Critical / Level of Risk Based on What Criteria?
• What is Acceptable or Unacceptable / Solution Options / Priorities
Reproduced from ISO 31010, www.iso.org. Copyright remains with IEC|ISO.
Creating AND Protecting Value
• Value Creation
• Value Preservation
ISO/IEC 31010
ISO/IEC 31010:2009 Risk management — Risk assessment techniques
◦ Provides guidance on selection and application of systematic techniques for risk assessment.
◦ A range of techniques are presented, with specific references to other international standards where the concept and application of techniques are described in greater detail.
• Selection of risk assessment techniques
• Comparison of risk assessment techniques
• Description of risk assessment techniques
Proposing an American National Risk Assessment Standard
A Collaborative Approach
Risk Assessment Standard: Defining the Process
Reliable risk assessments require that they be conducted using a systematic approach:
◦ Organized and well-documented
◦ Clearly defined objectives and criteria
◦ Clearly identified stakeholders
◦ Biases understood
◦ Documented assumptions
◦ Defined sampling techniques
The standard will discuss managing a risk assessment program, as well as conducting individual risk assessments.
American National Risk Assessment Standard Intent
• Provides guidance for establishing a risk assessment program and conducting individual risk assessments consistent with the ISO 31000:2009 Risk management — Principles and Guidelines, and the COSO Enterprise Risk Management (ERM) framework
• Provides guidance on conducting risk assessments for risk and resilience based management system standards, including principles of risk assessments, managing the risk assessment program, and conducting risk assessments, as well as evaluation of competence of persons involved in the risk assessment process
• Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act Model, and
• Provides the informational basis necessary for decision makers to make informed decisions about managing risks in the organization and its supply chain.
Formalized Risk Assessment Provides a Critical Decision Making Tool
• Whether an activity should be undertaken
• How to maximize opportunities
• Whether risks need to be treated
• Choosing between options with different risks
• Prioritizing risk treatment options
• The most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level and make reward outcomes for risk-taking more certain
Importance of Risk Assessment
• Provides the foundation on which an organization’s security operations management and risk management plans and programs are based.
• Strategies will be formulated and plans will be developed to meet the needs identified in them.
• Therefore: it should be repeated on a regular basis and/or in response to significant changes to the organization’s operating environment.
Risk Assessment Principles
• Impartiality
• Independence and objectivity
• Trust, competence, and due professional care
• Honest and fair representation
• Responsibility and authority
• Consultative approach
• Fact-based approach
• Confidentiality
• Change management
• Continual improvement
PDCA for a Risk Assessment Program
Managing the Risk Assessment Program
• Understand the organization and its objectives
• Establish the framework
• Establish the program
• Implement the risk assessment program
• Monitor the risk assessment program
• Review and improve
Establishing a Risk Assessment Program
• Define the objectives for the risk assessment program
• Identify the scope of the risk assessment
◦ Extent/number/types/duration/locations/schedule of the risk assessments
• Establish risk assessment procedures
◦ Criteria
◦ Influences
◦ Methods
• Identify stakeholders
• Select risk assessment teams
• Identify information sources
• Determine resources necessary
• Verify processes for handling confidentiality
• Monitor and measure to ensure that objectives are achieved
• Establish how information will be recorded and communicated
• Review in order to identify possible improvements
…Don’t Forget
• Management commitment
◦ Setting risk criteria
◦ Support of risk assessment program
• Who will lead and participate in the process?
• Documentation
◦ Assumptions
◦ Types and methods
◦ People involved
◦ Data and information sources
◦ Risk descriptions
◦ Error analysis
◦ Sensitivity analysis
◦ Document control
Communicate and Consult
• Should take place during all stages of the risk management process.
• A two-way dialogue between stakeholders.
• Develop communication strategy at the context stage.
• Ensure stakeholders’ perception of risk is addressed.
• Seeks to improve performance based on informed, mutual decisions.
Understanding Biases
• Social and cultural biases
• Familiarity and confirmation bias
• Perception, observational selection, and memory biases
• Belief and behavioral biases
• Relational, group-think, and tribal biases
• Confirmation and post rationalization biases
• Information availability bias
• Decision making biases
• Illusion of control biases
Performing Individual Risk Assessments
• Commencing the risk assessment
• Planning risk assessment activities
• Conducting risk assessment activities
• Post risk assessment activities
Formal vs. Informal Risk Assessments
Using Multiple Techniques
Identify the Risks
• Why could something happen?
◦ A cause or factor creating risk
◦ Effectiveness of controls
• Who could be involved?
◦ Individuals or groups associated with threat, control of risk, and/or impacted by risk
• How could it happen?
◦ A source of risk
• What could happen?
◦ Potential event
◦ Potential consequences
• When could something happen?
• Where could it happen?
Risk Identification
• Asset and service identification, valuation and characterization
• Threat and opportunity analysis
• Vulnerability and capability analysis, and
• Criticality and impact analysis.
The Risk Arena
• Internal circle – internal risks
• External circle – external risks
These risks do not exist in isolation and can have overlapping and multiple effects.
Threat Assessment
Identification Output = Analysis Input
Risk Analysis
Purpose:
◦ Separate minor risks from major.
◦ Provide data to assist in evaluation.
• Determine the adequacy and appropriateness of existing controls to manage identified priority risks.
• Prioritize risks for subsequent evaluation of tolerance or need for further treatment.
• Provide a better understanding of the necessary risk treatments to protect the value of critical assets exposed to identified risks.
• Identify opportunities and means to achieve objectives.
Types of Risk Analysis
• Quantitative analysis – relies on probabilities and statistics, using mathematical formulas and calculations to interpret numbers, data, and estimates
• Qualitative analysis – relies on the subjective judgment based on the intuitive assessment of team members, using terms, words, and images as descriptors of risk, and
• Combined approaches – used when numerical values would be inadequate to properly describe all the risks being assessed (and their likelihoods and consequences)
Risk Evaluation
• Determining which risks are tolerable, and which risks require control and treatment
• Criteria for risk evaluation should have been identified in the scope and policy of the management system in consultation with top management
• All risk cannot be eliminated – what is the cost effective “As Low As Reasonably Practical” risk?
Are Existing Controls Effective?
Risk Assessment – The Funnel Analogy
• A “box” is filled up with all identified risks, and tipped into a funnel.
• Depending upon the organization's tolerance for risk, the funnel’s filters will allow different sized risks to fall through the gaps, or remain at the top.
• The way risks are prioritized depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.
• Some risks are so small they fall through the bottom of the funnel and are accepted.
• Levels of risk tolerance may differ between assessments, or across organizations, because of the context.
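The funnel analogy above, worked through in code as an added example (not material from the deck): each risk's residual score after existing controls is dropped through a stack of tolerance filters, the higher it stays the greater its priority, and a different context can pass in its own filters. The 5×5 ordinal scale, the tier ceilings and the sample register are constructed assumptions.

```python
from dataclasses import dataclass

# Tolerance filters, the funnel's "gaps": a risk whose residual score is at or
# below a tier's ceiling falls through to that tier. The 5x5 ordinal scale and
# these ceilings are constructed assumptions, not values from the standard.
FUNNEL_TIERS = (
    ("accept", 4),    # falls out the bottom of the funnel: accepted as-is
    ("monitor", 9),   # tolerable, kept under review
    ("treat", 15),    # needs a planned treatment
    ("urgent", 25),   # stays at the top: highest priority
)

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    consequence: int                    # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0  # 0 = no effect, 1 = fully mitigating

    def score(self) -> int:
        """Residual score after existing controls: inherent score x remaining exposure."""
        for rating in (self.likelihood, self.consequence):
            if not 1 <= rating <= 5:
                raise ValueError("ratings must be on the 1..5 scale")
        residual = round(self.likelihood * self.consequence * (1 - self.control_effectiveness))
        return max(1, residual)         # a residual risk never scores below 1

def tier_for(score: int, tiers=FUNNEL_TIERS) -> str:
    """Walk the filters top-down; a different context passes its own tiers."""
    for name, ceiling in tiers:
        if score <= ceiling:
            return name
    raise ValueError(f"score {score} exceeds the top tier ceiling")

def run_funnel(risks, tiers=FUNNEL_TIERS):
    """Return (name, score, tier) tuples, top of the funnel first."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), tier_for(r.score(), tiers)) for r in ranked]

# Constructed sample register (hypothetical risks, not from the deck).
SAMPLE_RISKS = [
    Risk("Loss of site power", 3, 4, control_effectiveness=0.5),      # 12 * 0.5 = 6
    Risk("Unauthorized entry to server room", 4, 5),                   # 20
    Risk("Visitor badge misprint", 2, 1),                              # 2
    Risk("Supplier delivery delay", 4, 3, control_effectiveness=0.2),  # 12 * 0.8 -> 10
]
if __name__ == "__main__":
    for name, score, tier in run_funnel(SAMPLE_RISKS):
        print(f"{tier:8} {score:2}  {name}")
```

Passing a stricter tuple of ceilings to `run_funnel` shows the last bullet: the same register sorts identically, but risks that fell through to "accept" in one context stop at "monitor" in another.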
Risk Assessment Drives Decision Making
• Risk management process needs clear governance structure
• Risk management is based on specific business objectives and is objectives focused
• Risk assessment is defined in terms of organizational objectives
• Key performance indicators linked to business objectives
• Risk management supports decision making, therefore proactive
• Risk management protects and creates value
Risk Assessment Standard: Defining the Process
Managing a risk assessment program and conducting individual risk assessment:
◦ Scope
  - Project objectives
  - Project scope and boundaries
  - Definition of variables
  - Statement of work
◦ Planning
  - Gaps analysis
  - Legal and other requirements
  - Objectives, targets and strategies
  - Data gathering and sampling
• Implementation
◦ Asset identification and valuation
◦ Threat analysis
◦ Criticality and impact analysis
◦ Vulnerability analysis
◦ Cost benefit analysis
◦ Risk control and treatments
◦ Roles, resources and responsibilities
◦ Skills and competencies
◦ Documents, records, and document control
• Checking and evaluation
• Review and improvement
Thank You – Questions?
Marc Siegel, ASIS International, Commissioner, Global Standards
(858) [email protected]
Carol Fox, RIMS – Director, Strategic and Enterprise Risk Practice
(212) [email protected]
www.asisonline.org
www.RIMS.org