Hendershott Consulting Inc
Risk Analysis
Version 1 – July 1, 2010
Web Presence: www.hci-itil.com
Email: len.hendershott@rogers.com
Service Design – Section 4.5 Service Continuity Management
Continuity Management
Risk Analysis (RA)
Every Risk is a Future Event
"We are all familiar with typical risk management processes. The fundamental notion is that we identify risks, we assess their probability of occurrence, and we assess the consequence of occurrence. Then we put a risk management plan in place that is designed to eliminate, or alleviate the impact of, the serious risk events. Every risk is necessarily a future event, and only when the risk event actually happens is the risk transformed into a problem. The better we are at identifying risks and understanding the underlying basis of our risks, the better we can manage the risks."
James Dobbins, Critical Success Factor (CSF) Analysis for DoD Risk Management: CSF—More Than Making a List
Risk Analysis (RA)
Risk Analysis provides basic input for continuity and recovery strategies, plans and responses.
Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
ISO 31000:2009
A family of standards relating to risk management codified by the International Organization for Standardization that provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization.
Risk Management
Process overview (the clause numbers follow ISO 31000:2009):
Risk Profile
5.2 Communications
5.3 Context Setting
5.4 Risk Assessment
5.4.2 Identification
5.4.3 Risk Analysis
5.4.4 Evaluation
5.5 Risk Treatment
5.6 Risk Monitoring
Risk Principles
• Risk Management Policy
• Process Guide
• Plans
• Risk Registers
• Issue Logs
Corporate Risk Profile
• the overall management framework
• governance and accountability structures
• values and ethics
• operational work environment
• current risk tolerances of stakeholders
• individual and corporate risk management culture and tolerances
• existing risk management expertise and practices
• human resources capacity
• level of transparency required
• local and corporate policies, procedures and processes
Risk Communications & Consultation
• Imbue a culture in which everybody is a risk manager
• Place responsibility for driving risk management high in the organization
• Open communication is necessary for risk management to succeed
• Use teams to manage risks
• Communicate risk management performance
Risk Context
• Identification of risk in a selected domain of interest
• Planning the remainder of the process
• Mapping out the social scope of risk management, the identity and objectives of stakeholders and the basis upon which risks and constraints will be evaluated
• Defining a framework for the activity and an agenda for identification
• Developing an analysis of risks involved in the process
• Mitigation or solution of risks using available technological, human and organizational resources
Risk Register
• Scope of Risk
• Nature of Risk
• Stakeholders
• Risk Appetite
• Risk Treatment & Control Mechanisms
• Potential Action for Improvement
• Strategy and Policy Developments
Risk Assessment
Risks must be assessed as to their potential severity of loss and to the probability of occurrence.
Risk Identification
Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
• Source Analysis: Risk sources may be internal or external to the system that is the target of risk management.
• Problem Analysis: Risks are related to identified threats.
Common Risk Identification Methods
• Objectives-based
• Scenario-based
• Taxonomy-based
• Risk Lists
• Risk charting
Risk Analysis
A combination of the impact of loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat.
Composite Risk Index
Composite Risk Index = Impact of Risk Event x Probability of Occurrence
The impact of the risk event is assessed using a measure (e.g., 0 to 5, where 0 and 5 represent the minimum and maximum possible impact of an occurrence of a risk, usually in terms of financial losses).
The probability of occurrence is also assessed using a scale (e.g., 0 to 5, where 0 represents a zero probability of the risk event actually occurring while 5 represents a 100% probability of occurrence, i.e., certainty).
Risk Evaluation
Controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are identified. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level.
Factors to be considered:
• Effectiveness of recommended options (e.g., system compatibility)
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability
Risk Treatment
Prioritization and implementation of the appropriate risk-reducing controls recommended from the Risk Assessment process.
Common Risk Treatments
• Avoidance (eliminate, withdraw from or not become involved)
• Reduction (optimize - mitigate)
• Sharing (transfer - outsource or insure)
• Retention (accept and budget)
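The Composite Risk Index slide and the Common Risk Treatments slide together describe a small scoring-and-decision procedure. The following added example (not code from the Hendershott deck) implements it: it validates the 0 to 5 impact and probability ratings, computes Impact x Probability for each register entry, ranks the register, and maps each risk to one of the four treatments. The risk appetite value (6), the treatment heuristic and the register entries are assumptions constructed for illustration; the deck gives the scales and the treatment names but not a decision rule.

```python
"""Risk register scoring with the Composite Risk Index.

Added example, not code from the Hendershott deck. It applies the slide's
Composite Risk Index = Impact of Risk Event x Probability of Occurrence on the
0..5 scales, ranks a register by it, and maps each risk to one of the four
common treatments. DEFAULT_APPETITE, the heuristic in recommend_treatment()
and the SAMPLE_REGISTER entries are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional

MIN_SCALE, MAX_SCALE = 0, 5   # both scales run 0 (none / impossible) to 5 (max / certain)
DEFAULT_APPETITE = 6          # assumed: the highest CRI the business is willing to retain


class Treatment(Enum):
    AVOIDANCE = "Avoidance (eliminate, withdraw from or not become involved)"
    REDUCTION = "Reduction (optimize - mitigate)"
    SHARING = "Sharing (transfer - outsource or insure)"
    RETENTION = "Retention (accept and budget)"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    impact: int        # 0..5, severity of loss if the event occurs
    probability: int   # 0..5, 0 = cannot occur, 5 = certain


def _check_scale(name: str, value: int) -> None:
    # Reject ratings outside the slide's 0..5 scale rather than silently scoring them
    if not isinstance(value, int) or not MIN_SCALE <= value <= MAX_SCALE:
        raise ValueError(f"{name} must be an integer in {MIN_SCALE}..{MAX_SCALE}, got {value!r}")


def composite_risk_index(impact: int, probability: int) -> int:
    """Composite Risk Index = impact x probability, so 0..25 on the 0..5 scales."""
    _check_scale("impact", impact)
    _check_scale("probability", probability)
    return impact * probability


def risk_cri(risk: Risk) -> int:
    return composite_risk_index(risk.impact, risk.probability)


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest CRI first; ties are broken by impact so severe losses surface first."""
    return sorted(register, key=lambda r: (risk_cri(r), r.impact), reverse=True)


def recommend_treatment(risk: Risk, appetite: int = DEFAULT_APPETITE) -> Treatment:
    """Assumed heuristic (not from the deck) mapping a risk to a treatment option."""
    cri = risk_cri(risk)
    if cri <= appetite:
        return Treatment.RETENTION        # within appetite: accept and budget for it
    if risk.impact == MAX_SCALE and risk.probability >= 4:
        return Treatment.AVOIDANCE        # near-certain worst case: withdraw from the activity
    if risk.impact >= 4 and risk.probability <= 2:
        return Treatment.SHARING          # rare but severe: insure or outsource
    return Treatment.REDUCTION            # otherwise add controls to cut likelihood or impact


def residual_after_control(risk: Risk, new_probability: int,
                           new_impact: Optional[int] = None) -> Risk:
    """Re-rate a risk once a control is in place; the input to risk monitoring."""
    return replace(risk, probability=new_probability,
                   impact=risk.impact if new_impact is None else new_impact)


def within_appetite(risk: Risk, appetite: int = DEFAULT_APPETITE) -> bool:
    return risk_cri(risk) <= appetite


# Constructed sample register; the entries and ratings are illustrative only
SAMPLE_REGISTER = [
    Risk("R-001", "Loss of primary data centre power", impact=5, probability=2),
    Risk("R-002", "Ransomware on shared file servers", impact=4, probability=4),
    Risk("R-003", "Key recovery staff unavailable", impact=2, probability=3),
    Risk("R-004", "Unpatchable OS under the legacy trading app", impact=5, probability=5),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.risk_id} CRI={risk_cri(r):2d}  {recommend_treatment(r).value}")
```

Running the file prints the register in CRI order with the recommended treatment for each entry. The `residual_after_control` / `within_appetite` pair supports the later Risk Monitoring step: after a control is implemented the risk is re-rated and checked against the appetite again, which is how the register records whether a selected control is still effective.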
Risk Mitigation Strategy
Common Risk Options
• Re-design business process with adequate built-in risk control and containment measures
• Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures
• Transfer the risk
• Avoid risks (e.g. by closing down a particular high-risk business area)
Risk Treatment Plan
• Approval by appropriate management level
• Propose applicable and effective security controls for managing the risks
Risk Monitoring
Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced:
• to evaluate whether selected controls are still applicable and effective, and
• to evaluate the possible risk level changes in the business environment.
CobIT Risk Assessment Control Objectives
Risk Assessment is a CobIT Control Objective (PO09):
"IT risk identification and impact analysis, involving multi-disciplinary functions and taking cost-effective measures to mitigate risks."
with the following objectives:
• Business Risk Assessment - Risk assessment framework, risk assessment at a number of levels, reassessments and information updates
• Risk Assessment Approach - Establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills
• Risk Identification - Cause/effect relationships, qualitative and quantitative risk ranking, risk classification
• Risk Measurement - Measurement of risk exposure, assessment of risk acceptance capacity
• Risk Action Plan - Cost-effective controls and security measures, risk strategies in terms of avoidance, mitigation or acceptance
• Risk Acceptance - Formal acceptance of residual risk, offset by insurance, contractual liabilities
• Safeguard Selection - Control system to balance prevention, detection, correction and recovery measures
• Risk Assessment Commitment - Important tool in design and implementation as well as monitoring and evaluation mechanisms
CobIT Risk Assessment Maturity Levels
Organizations may undertake risk assessment at one of six maturity levels:
0 (Non-existent) - Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.
1 (Ad Hoc) - Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and with development project uncertainties.
2 (Repeatable) - Organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies.
3 (Defined) - An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training.
4 (Managed & Measured) - The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation.
5 (Optimized) - Risk assessment has developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization.
Service Continuity Management
Risk Analysis
Hendershott Consulting Inc
Email: len.hendershott@rogers.com
ITIL process site: hci-itil.com