How to assess risk for Business Continuity Management
James Gorzelak
UK MIS Manager
Itron Inc.
Felixstowe, UK
June, 2011
Risk Management – A Definition
Risk Management is the identification, assessment,
and prioritization of risks
followed by coordinated and
.
commercial application of resources to minimize, and
control the probability and/or impact of events in line
with regulatory requirements and corporate culture.
©2011 , Itron Inc
2
Risk Management ‐ Identification Risks can come from a number of sources both within
and external to an organisation.
For example uncertainty in financial markets, project
failures, legal liabilities, credit risk, accidents, natural
events as well as deliberate attacks from an adversary
Identify your specific risks through Brainstorming,
common risk checking, or role based scenarios.
©2011 , Itron Inc
3
Risk Management ‐ Assessment
Once risks have been identified, they must
then be assessed as to their potential severity
of loss and to the probability of occurrence
©2011 , Itron Inc
4
Risk Management ‐ Assessment Composite Index method
The impact of the event is assessed on a scale of 1 to 5, where 1
and 5 represent the minimum and maximum possible impact
(usually in terms of financial losses).
The probability of occurrence is likewise assessed on a scale from 1
to 5, where 1 represents a very low probability of the event
occouring while 5 represents a very high probability of occurrence.
These two values are then multiplied together to get a composite
index value of between 1 and 25.
The composite index value is then classified into Low, Medium or
High, depending on the sub-range containing the calculated value.
For instance, the three sub-ranges could be defined as 1 to 8, 9 to
16 and 17 to 25.
©2011 , Itron Inc
5
Risk Management ‐ Assessment Likelihood of occurrence X impact of the event = Risk Rating
©2011 , Itron Inc
6
Risk Management ‐ Assessment Establish your company’s appetite for risk and
regulatory requirements.
©2011 , Itron Inc
7
Risk Management ‐ Mitigation Strategies to manage risk include:
•Avoidance (eliminate, withdraw from or not become involved)
•Reduction (optimize - mitigate)
•Sharing (transfer - outsource or insure)
•Retention (accept and budget)
©2011 , Itron Inc
8
Risk Management ‐ Review and evaluation
Risk management is a closed loop approach
Initial risk management plans will never be perfect.
Practice, experience, and actual loss will necessitate
changes in the plan and contribute information to allow
new decisions to be made in dealing with the risks faced.
Risk Analysis results and management plans should be
updated periodically for two primary reasons:
•To evaluate whether the previously selected controls are
still applicable and effective.
•To evaluate the possible risk level changes in the
business environment and identify new risks.
©2011 , Itron Inc
9
Risk Management – Further Resources ISO 31000 Risk management -- Principles and
guidelines on implementation
http://en.wikipedia.org/wiki/Risk_management
The Institute of Risk Management (www.theirm.org )
[email protected]
©2011 , Itron Inc
10