How to assess risk for Business Continuity Management James Gorzelak UK MIS Manager Itron Inc. Felixstowe, UK June, 2011 Risk Management – A Definition Risk Management is the identification, assessment, and prioritization of risks followed by coordinated and . commercial application of resources to minimize, and control the probability and/or impact of events in line with regulatory requirements and corporate culture. ©2011 , Itron Inc 2 Risk Management ‐ Identification Risks can come from a number of sources both within and external to an organisation. For example uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural events as well as deliberate attacks from an adversary Identify your specific risks through Brainstorming, common risk checking, or role based scenarios. ©2011 , Itron Inc 3 Risk Management ‐ Assessment Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence ©2011 , Itron Inc 4 Risk Management ‐ Assessment Composite Index method The impact of the event is assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact (usually in terms of financial losses). The probability of occurrence is likewise assessed on a scale from 1 to 5, where 1 represents a very low probability of the event occouring while 5 represents a very high probability of occurrence. These two values are then multiplied together to get a composite index value of between 1 and 25. The composite index value is then classified into Low, Medium or High, depending on the sub-range containing the calculated value. For instance, the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25. ©2011 , Itron Inc 5 Risk Management ‐ Assessment Likelihood of occurrence X impact of the event = Risk Rating ©2011 , Itron Inc 6 Risk Management ‐ Assessment Establish your company’s appetite for risk and regulatory requirements. ©2011 , Itron Inc 7 Risk Management ‐ Mitigation Strategies to manage risk include: •Avoidance (eliminate, withdraw from or not become involved) •Reduction (optimize - mitigate) •Sharing (transfer - outsource or insure) •Retention (accept and budget) ©2011 , Itron Inc 8 Risk Management ‐ Review and evaluation Risk management is a closed loop approach Initial risk management plans will never be perfect. Practice, experience, and actual loss will necessitate changes in the plan and contribute information to allow new decisions to be made in dealing with the risks faced. Risk Analysis results and management plans should be updated periodically for two primary reasons: •To evaluate whether the previously selected controls are still applicable and effective. •To evaluate the possible risk level changes in the business environment and identify new risks. ©2011 , Itron Inc 9 Risk Management – Further Resources ISO 31000 Risk management -- Principles and guidelines on implementation http://en.wikipedia.org/wiki/Risk_management The Institute of Risk Management (www.theirm.org ) [email protected] ©2011 , Itron Inc 10
© Copyright 2024