- Weapons of mass destruction? It’s #29.
- Natural catastrophes? It’s #19.
- Cyber attacks? It’s #8. We’re getting closer.
Guess again?
Money got tight and we weren’t getting the results we needed. We were forced to make adjustments in how we worked and they weren’t well received. From a management perspective we needed to look at how we were performing and what we needed to improve. To do that we examined ourselves in terms of these two essential issues:
Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is “risk”.
All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required.
Risk Framework – Life Cycle with Risk Validation
The risks which are identified are based on what one’s vision can point out. There are many undiscovered risks which the “Risk Owner” may not be able to visualize, and certain unknown risks or vulnerabilities which the Risk Owner may not be able to identify, and which may cause an incident.
➢ Past Experience
(Every Experience has a price to pay)
➢ Future Vision
This means that Risk Management is Vision Based, initially.
Objective > How to convert Vision Based Risk Assessment to Factual Based Risk Assessment?
Well > Evidence Based Decision Making is the basic Principle of Management Systems and Auditing.
To understand Risk Validation, it is important to look more deeply into RISK MANAGEMENT:
PROBABILITY OF OCCURRENCE & SEVERITY OF IMPACT, whose consolidated result is considered the RISK LEVEL – this Risk Level can be arrived at through a Quantitative or Qualitative Methodology.
If you observe carefully, the following conclusion shows that the behaviour of the Impact differs between the scenarios of Stable Assets and Moving Assets:
In Stable Assets – Probability Changes more than Severity
In Moving Assets – Severity of Impact Changes more than Probability
In Industry, most of the processes work on an IT platform, and IT (Information Technology) falls under Stable Assets – thus any control implemented (to reduce the risk) reduces the Probability. An example is a Firewall on Servers: all such controls reduce the probability only, because if they are breached the Impact is the same – high risk.
Changes in Impact generally occur in Moving Assets like a moving machine, or in health & safety cases like a road accident (as shown above) or a person falling from height (the impact changes based on speed or height).
Risk Mitigation Effectiveness
Another important aspect of Risk Management is the Control used to reduce the risk – no matter what controls are put in place, the Risk cannot be reduced to Zero – some element of residual risk is bound to be there.
The type of investment in mitigations depends on the following, or any combination of them:
➢ Probability and / or Impact of vulnerability;
➢ Risk Appetite & Risk Tolerance;
➢ Monitoring Controls or Risk Reduction controls;
➢ Management perception of the Risk;
➢ Risk Owner’s perception of the Risk;
➢ Market influence on business;
➢ Competition perception;
➢ Risk Acceptance Criteria
The visualization / perception of the residual risk also gives rise to the Risk Owner’s decision, in case the Residual Risks are not acceptable.
B) – Risk Control Effectiveness
There are two types of controls which exist: Monitoring Controls and Risk Reduction Controls.
If Monitoring Controls outnumber Risk Reduction Controls in the RA – Risk Management is NOT EFFECTIVE
If Risk Reduction Controls outnumber Risk Monitoring Controls in the RA – Risk Management is EFFECTIVE
After all risks are identified, mitigated & monitored – what next?
Well, there is one more objective left out, which we discussed above:
– How to convert a vision based Risk Assessment into a Factual based Risk Assessment?
– Updating Risk Assessment after an incident occurs
Now, what “Risk Owners” have to do is “Risk Validation” when an incident happens:
1) Identify the causes of the risks
2) Compare the causes of the incident to risk assessment and update the same – which is Risk Validation.
Some cautions to be taken are as below:
> Residual Risks
> Controls – Risk Reduction Controls (like a Server Firewall, etc.) and Monitoring Controls (like CCTV, etc.)
> Relevant Interested party not identified
> Interested party identified but not the risk or vulnerability
We need to know why the Incident occurred in the first place, in spite of the existing controls. Risk Validation shall help us to understand which vulnerability in the Risk Assessment led to the incident:
– The Risk Management Strategy OR
– Risk Process (criteria or evaluation or mitigation or acceptance criteria)
The KEDB (Known Error Data Base) is updated after every Risk Validation of an incident, apart from linking up to the RA for the required corrective actions. This updated KEDB is used for future reference, thus building up the knowledge base for the scope of the organization. By doing this, you are actually validating actual incidents against the vision based current risks – thus converting a vision based RA into a Factual based RA.
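The validation steps above (match the incident’s cause to the RA, check the four cautions, update the risk and the KEDB) as a small worked pass over a risk register. This is an added example, not the white paper’s own tooling; the register entries, incident record, 1–5 scales and the “raise probability one step” rule are constructed for illustration.

```python
# Risk validation after an incident: compare the incident's causes with the
# current (vision-based) risk assessment, classify the gap, update the risk and
# record it in a Known Error Data Base (KEDB). Added example; all data constructed.
from dataclasses import dataclass, field

@dataclass
class Risk:
    risk_id: str
    vulnerability: str
    interested_party: str
    probability: int                 # 1 (rare) .. 5 (almost certain)
    severity: int                    # 1 (negligible) .. 5 (catastrophic)
    reduction_controls: list = field(default_factory=list)   # lower probability
    monitoring_controls: list = field(default_factory=list)  # detect only
    action_type: str = "preventive"  # becomes "corrective" once validated

    def level(self):
        return self.probability * self.severity   # probability x severity

def control_effectiveness(register):
    # Paper's rule: more monitoring than risk-reduction controls => not effective
    reduction = sum(len(r.reduction_controls) for r in register)
    monitoring = sum(len(r.monitoring_controls) for r in register)
    return "EFFECTIVE" if reduction > monitoring else "NOT EFFECTIVE"

def validate_incident(register, incident, kedb):
    """Classify the incident, update the matched risk, log to KEDB, return finding."""
    match = next((r for r in register
                  if r.vulnerability == incident["vulnerability"]), None)
    party_known = any(r.interested_party == incident["interested_party"]
                      for r in register)
    if match is None:
        finding = ("party identified but not the vulnerability" if party_known
                   else "relevant interested party not identified")
    elif not match.reduction_controls:
        finding = "only monitoring controls; nothing reduced the probability"
    elif set(incident["bypassed"]) & set(match.reduction_controls):
        finding = "risk reduction control breached; residual risk underestimated"
    else:
        finding = "incident within accepted residual risk"
    if match is not None:   # constructed rule: an incident is evidence of
        match.probability = min(5, match.probability + 1)  # higher probability
        match.action_type = "corrective"   # no longer a preventive action
    kedb.append({"incident": incident["id"],
                 "risk": match.risk_id if match else None, "finding": finding})
    return finding
# Constructed sample: a stable (IT) asset whose server firewall was bypassed.
REGISTER = [Risk("R1", "internet-facing server", "customers", 2, 5,
                 ["server firewall"], ["log review", "CCTV"])]
INCIDENT = {"id": "INC-1", "vulnerability": "internet-facing server",
            "interested_party": "customers", "bypassed": ["server firewall"]}
```

Running `validate_incident(REGISTER, INCIDENT, [])` flags the breached reduction control, raises the risk's probability from 2 to 3 (level 10 to 15) and marks the entry corrective; `control_effectiveness(REGISTER)` reports NOT EFFECTIVE because the register carries two monitoring controls against one reduction control.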
Risk Assessment – Preventive Action Vs Corrective Action
As per Annex SL, on which new versions of most ISO Management Standards are released, the term Preventive Action is replaced by “Risks & Opportunities”, so there is no need for Preventive Actions;
– but when the Risk Assessment is updated based on an incident, the entire information of that specific risk (including controls & residual risks) now gets converted into corrective action(s) and does not remain preventive any more.
The definition of Corrective Action is “Eliminating the causes of detected non-compliance and preventing recurrence”.
Example: (Information Security)
There are three parameters of Information Security:
➢ Confidentiality (Information is available only to authorised personnel and not to unauthorised personnel)
➢ Integrity (Accuracy and Completeness of Information)
➢ Availability (Information is available to authorised personnel, when required)
If Confidentiality is breached, the chances of Integrity & Availability breaches automatically increase
If Integrity is breached, the chances of Availability breaches automatically increase
If Availability is breached, then there is no risk to Confidentiality & Integrity
I hope you have gained from this white paper on RISK VALIDATION and that it would benefit you, if practiced. Please share your comments via mail to email@example.com
Best Regards > Naresh RAO, Technical Director, IRCBO Solutions Pvt. Ltd., INDIA
Started his career in banking software development in 1986, then was an entrepreneur of a textile mill. Entered Management Systems in 1993. Became an auditor with DNV (III CB) and later AQSR, RINA, KPMG, BSI and Intertek in senior positions like Regional Manager, Head Operations, General Manager, Head Standards and Business Solutions. Also a Lead Trainer in qualifying III party auditors on risk based standards. Now running a consulting firm in all Management System standards, apart from being a III party auditor for Intertek etc., and also has his own Lead Auditor course in Business Continuity (ISO 22301:2012) and Annex A based ISMS software (ISO 27001:2013 – new product about to be released globally).
Most are familiar with an oft-referenced 1970s observation of the all-too-true life cycle of big projects. Although written in humour, it holds the main reasons for projects failing, and the phases may be mapped against Kipling’s six famous questions as follows:
In my 2013 book “Mastering 21st Century Enterprise Risk Management” I quipped “just as the Wild West of the 1890’s had disappeared without trace by the Roaring 1920s, so too will the business world of the 1990s, be long forgotten by the 2020s”. Just 5 years on, not only has the world changed emphatically but the rate of change is accelerating.
There’s a TV commercial for oil filters where the mechanic warns the customer, “You can pay me now or you can pay me later.” Of course what he means is maintain your car, or wait for an expensive breakdown and an engine overhaul.
Makes total sense, right?
In the risk-neutral world, all business and government continuity planning would be risk-balanced. However, in reality, risks, threats, hazards and their consequences change depending on an organization’s exposure, sensitivities to impact and other factors. For instance, a natural disaster can occur without much warning and can have direct and indirect impact on an organization. Complicating the Business Continuity Planner’s life is a simple fact: events have unforeseen consequences that can rarely be planned for.
When people discuss Supply Chain Management, there doesn’t seem to be any common understanding of what it is all about. I get it! To some, it is software and technology. To others, it is just purchasing and logistics. And still others believe that it is ‘big data’ and analytics. No wonder that eyes glaze over when the subject is mentioned.
Recently I read that a new 6-star hotel is opening in Australia in 2018. 6-Stars, really? I remember when a 5-star rating was synonymous with 1st Class, as opposed to 2nd Class. Now we have 0th Class. I stayed in a 6-star hotel once and couldn’t see the difference to a true 5-star hotel; in fact it wasn’t as good as the 5-star Royal Crescent Hotel in Bath UK, which I would have to say is the best hotel experience I have enjoyed (that includes The Plaza, Savoy & Peninsula). Truly sublime. So if ISO 31000 is the 5-star of the GRC field, what would be 6-stars? I would put that as being Strategic Management; it’s what turns the Plan into reality.
In the workplace we have identified and attempted to eradicate racial and gender discrimination, sexual harassment and bullying. We now battle age discrimination in our aging society in a (supposedly) increasingly politically correct world. However, our intellects are also being abused as individuals find increasing ways to breach the bounds of reasonable behavior and put our sanity and dignity at risk.
Governments and companies worldwide are emerging from the current financial crisis and subsequent recession. While governments are crafting new regulations, businesses around the world are walking in shifting sand as risk exposures are high and new regulations will create compliance challenges. According to a recent survey by Korn/Ferry International, corporate leaders are focusing more attention on risk management after what is considered by many to be excessive risk-taking during the boom times that factored into the global financial crisis.
The 2012 Moving Ahead for Progress in the 21st Century Transportation Act (MAP 21) requires state departments of transportation to develop a Transportation Asset Management Plan (TAMP). The TAMP is to include a Risk Based Asset Management Plan (RBAMP). The two plans must be certified by the Federal Highway Administration (FHWA) by June 30, 2019.