4 WEEKS OF RISK MANAGEMENT TRAINING (THEORY).ppt

shelmithmwikali7 11 views 29 slides Jul 09, 2024

About This Presentation

THIS IS A SHORT INTRODUCTION TO THE THEORY OF RISK MANAGEMENT


Slide Content

INTRODUCTION TO SECURITY MANAGEMENT
Topic: Risk Management

RISK MANAGEMENT

1. WHAT IS A "RISK"?
a) Risk can be defined as an event that has a probability of
occurring and could have either a positive or a negative impact
should it occur.
b) However, in the security and safety field it is generally
recognized that the consequences are only negative.
c) A risk is different from a threat, but there cannot be a risk
without a threat. One may think of the threat as the father of the
risk.

Diagram: a THREAT acting through a VULNERABILITY (security gap) on an
ASSET gives rise to RISK.

THE SOURCES OF RISK
Risks arise from threats such as:
1. Deliberate attack by an adversary
2. Accidents
3. Natural causes and disasters
4. Uncertain or unpredictable events

RISK MANAGEMENT PROCESSES
Managing risks involves the following four processes:
1. Risk Identification
2. Risk Assessment
3. Risk Analysis
4. Mitigating the risks (methods of dealing with risks, or
response methods)

1. RISK IDENTIFICATION METHODS
Risks are identified from sources such as the following:
1. Organizations and people who have gone through similar
projects and events
2. Expert opinions
3. Failure history analysis
4. SWOT analysis
5. Observation and checklists
6. Hazard analysis
7. Scenario analysis
8. Brainstorming

RISK ASSESSMENT

2. What is Risk Assessment?
a) Risk assessment is the process of identifying risks in order to
implement countermeasures that deal with those risks effectively.
b) In other words, risk assessment seeks to determine the
likelihood that an adversary will successfully exploit a
vulnerability, and the resulting impact on the asset.
c) The risks have to be prioritized in order to know the level of
protection to be provided to each asset.

How to carry out a risk assessment
The risk assessment involves the following:
a) Asset assessment, assigning a value to each asset
b) Taking inventory of the existing security measures
c) Threat assessment (identifying threats to the assets)
d) Vulnerability assessment (identifying security gaps)

a). ASSET ASSESSMENT
a) This is the process of determining which assets are critical to
the mission of the organization and need protection.
b) The assets which are important to the mission or operations of
the organization are identified and a value is put on them.
c) For each asset, identify the undesirable events or consequences
for the organization if that asset is lost, damaged or destroyed.
d) The higher the consequences (impact) of the loss, damage or
destruction of an asset, the more critical it is.

b). Assessment of the existing security measures
a) This step involves taking inventory of the existing security
measures designed to protect the assets within the compound or
facility.
b) Existing security measures may include security personnel,
physical measures, access control, and policies and procedures.
c) Existing measures may or may not be effective in protecting the
facility and its critical assets; whether they are effective is
assessed and the finding is recorded in writing.

c). Threat Assessment
a) A threat is an indication, circumstance or event with the
potential or likelihood to cause destruction, damage or loss of use
of an asset.
b) Here threats are identified and characterized, and the
likelihood of each is estimated. For example, heavy rains may cause
power disruption or floods, or terrorists may plan attacks on some
critical assets.

d). Vulnerability assessment
a) A vulnerability is a weakness or gap in the security program
that can be exploited by a threat to gain unauthorized access to an
asset in order to steal, destroy or damage it.
b) During the assessment, vulnerabilities in structural,
procedural, electronic, human and other elements that provide
opportunities to attack the assets are noted and evaluated.
c) For example, a vulnerability could be the absence of police or
guards, poor access controls, etc.

3. RISK ANALYSIS

Risk analysis is conducted using the following methods.
There are two general methods of risk analysis:
a) Qualitative risk analysis, which is the process of prioritizing
risks by assessing and combining their probability of occurrence
and their impact. For example, each risk is rated low, medium or
high.
b) Quantitative risk analysis, which is the process of numerically
analyzing the effect of the identified risks on the whole facility.
For example, probability and impact are scored on a scale of 1-5,
and the monetary loss is calculated.
• Either or both approaches may be taken with respect to a
particular project or problem.

c) Using these methods, establish the probability of the loss event
and the frequency of events, that is, how regularly the loss event
occurs. For example, if the risk is the theft of computers from
NPSC, the frequency would be the number of times the event occurs
each day or night.
d) Determine the impact of the events. The impacts could be
financial, infrastructural, psychological, and related costs
associated with the loss of tangible or intangible assets of the
organization.
A sufficient risk analysis should reflect the interaction of
threat, vulnerability and consequences (impact).

e). Lastly, prepare a report
i) In the report, countermeasures are identified and then evaluated
to determine their workability and cost. For example, the questions
to ask are: "Will the countermeasures that have been recommended
protect the asset? Are they costly or affordable?"
ii) Also, develop options to mitigate the risks. In other words,
identify the options available to prevent or mitigate losses
through physical security, people, policies and procedures, and
other related security processes.

4. THE OPTIONS FOR MITIGATING RISKS (METHODS OF DEALING WITH
RISKS)

THE OPTIONS FOR MITIGATING RISKS (METHODS OF DEALING WITH RISKS)
a) Mitigating or dealing with a risk means reducing the probability
and the impact of the loss of an asset.
b) The principal methods of dealing with risk include:
1) Risk avoidance (avoiding the risk)
2) Risk reduction (diffusing the risk)
3) Risk transfer (transferring the risk)
4) Spreading the risk
5) Risk acceptance (retaining the risk)

1. RISK AVOIDANCE (AVOIDING THE RISK)
a) Avoiding the risk means an organization or individual decides
not to start or continue the activity that gives rise to the risk.
b) For example, some organizations avoid crime-related risks by
choosing not to operate in high-crime areas. It could also involve
not setting up an asset in an area characterized by a high degree
of human or natural threats, or both.
c) Police may call off an operation if the commanders feel it could
lead to high casualties.

2. RISK REDUCTION / RISK DIFFUSION
a) Reducing the risk involves decreasing access to the target, that
is, reducing the risk by shaping or removing the risk source.
b) For example, protective barriers and access control measures
enhance building or compound security, thus reducing the risk of an
incident occurring in the compound.
c) For example, to reduce the risk of people being mugged in the
city centre, police should deploy uniformed and CID personnel to
patrol the streets and arrest the perpetrators of these crimes.

d) In supermarkets, the shoplifting risk can be reduced by keeping
high-demand items such as perfumes, pens and cameras behind the
cashier's counter.

3. TRANSFERRING THE RISK
a) After consideration, management may acknowledge that the risk is
legitimate and probable, but far too expensive to manage on their
own.
b) In these circumstances it may be less expensive to contain the
financial risk of loss by transferring it to an insurance policy.
c) In the same vein, management may consider transferring the risk
to a vendor or subcontractor through contracts and service level
agreements, or they may increase the price of specific goods to
cover the loss.

d) In this way management is not ignoring or rejecting the risk;
they are actively acknowledging it and, instead of spending their
own resources on safeguards, they judge that the risk is best
handled through an alternative strategy. Note that only the
financial consequence is transferred: the loss event can still
occur, and the organization remains responsible for the asset.

4. SPREADING THE RISK
a) The two primary methods of accomplishing risk transfer are to
insure the assets with insurance providers, or to raise prices to
cover the loss in the event of a criminal act.
b) For example, insurance companies may themselves insure with
reinsurance companies to protect their assets.
c) An individual may decide to invest his money in different ways,
such as buying shares in various companies, treasury bills, etc.
This is a way of spreading risk.
"Do not put all your eggs in one basket."

5. RISK ACCEPTANCE (RETAINING THE RISK)
a) No organization can ever be 100% secure. Only full avoidance can
totally eliminate a risk in a given environment; therefore there
will always be remaining risk.
b) Retained risk or residual risk is the risk remaining after the
risk treatment. In other words, residual risk is the amount that is
left after safeguards and controls have been put in place to
protect the assets and prevent their loss.
c) Management has to make a decision on how to deal with the
residual or remaining risk.

d) Management may decide that a particular risk is worth the
gamble, or that the potential loss is not large enough to justify
the cost of protection.
e) Another deciding factor may be the intractability of the risk:
despite the best efforts, the risk cannot be controlled to an
acceptable level, and so it is accepted.
f) On the other hand, management may believe that the risk to the
assets is material and requires an immediate response to safeguard
them, and so allocate resources to provide countermeasures.
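The risk analysis methods described above (qualitative low/medium/high rating, quantitative frequency times monetary loss) and the residual risk that remains after a control is applied, carried through in code for one entry of a risk register. This is an added example, not material from the training deck: the 1-5 rating scales, the low/medium/high band cut-offs, the sample computer-theft risk, the access-control measure and every money figure are constructed assumptions chosen to illustrate the method.

```python
"""Risk register scoring: qualitative rating, quantitative expected loss,
and the residual risk left after a control is applied.

Added example, not part of the original training deck. All scales,
cut-offs, figures and the sample risk are constructed assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: int        # likelihood rating, 1 (rare) to 5 (almost certain)
    impact: int             # consequence rating, 1 (negligible) to 5 (severe)
    events_per_year: float  # frequency of the loss event
    loss_per_event: float   # monetary loss per event (constructed currency units)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: int  # points taken off the 1-5 probability rating
    frequency_factor: float     # multiplier on events_per_year; 0.25 = 75% fewer


def check_rating(value: int, name: str) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer rating from 1 to 5")


def qualitative_rating(probability: int, impact: int) -> str:
    """Qualitative analysis: combine probability and impact into a band.

    The product of two 1-5 ratings lies in 1..25; the band cut-offs
    (>= 15 high, >= 8 medium, else low) are an assumption of this example.
    """
    check_rating(probability, "probability")
    check_rating(impact, "impact")
    score = probability * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def expected_annual_loss(risk: Risk) -> float:
    """Quantitative analysis: event frequency times the loss per event."""
    return risk.events_per_year * risk.loss_per_event


def residual_risk(risk: Risk, control: Control) -> Risk:
    """Risk reduction: the risk that remains once the control is in place.

    The probability rating never drops below 1: a control reduces risk,
    only avoidance removes it entirely.
    """
    return replace(
        risk,
        probability=max(1, risk.probability - control.probability_reduction),
        events_per_year=risk.events_per_year * control.frequency_factor,
    )


def control_is_worthwhile(risk: Risk, control: Control) -> bool:
    """Report step: does the loss the control prevents exceed its cost?"""
    saved = expected_annual_loss(risk) - expected_annual_loss(residual_risk(risk, control))
    return saved > control.annual_cost


# Constructed sample register entry: theft of computers from an office.
COMPUTER_THEFT = Risk(
    asset="office computers",
    threat="opportunistic theft",
    vulnerability="unlocked rear entrance, no CCTV",
    probability=4,
    impact=3,
    events_per_year=12,     # about one incident a month (constructed)
    loss_per_event=1500.0,  # replacement cost plus downtime (constructed)
)

# Constructed control: access control on the rear entrance plus CCTV.
ACCESS_CONTROL = Control(
    name="rear-door access control + CCTV",
    annual_cost=5000.0,
    probability_reduction=2,
    frequency_factor=0.25,
)


def summarise(risk: Risk, control: Control) -> dict:
    """Gather the figures a risk assessment report tabulates for one risk."""
    after = residual_risk(risk, control)
    return {
        "inherent_rating": qualitative_rating(risk.probability, risk.impact),
        "inherent_expected_loss": expected_annual_loss(risk),
        "residual_rating": qualitative_rating(after.probability, after.impact),
        "residual_expected_loss": expected_annual_loss(after),
        "control_cost": control.annual_cost,
        "control_worthwhile": control_is_worthwhile(risk, control),
    }


if __name__ == "__main__":
    for key, value in summarise(COMPUTER_THEFT, ACCESS_CONTROL).items():
        print(f"{key:>24}: {value}")
```

For the constructed entry the inherent rating is medium (4 x 3 = 12) with an expected annual loss of 18000; after the control the rating is low (2 x 3 = 6) and the expected loss 4500, so the 13500 saved exceeds the 5000 the control costs. Change the figures and the same functions tell you when a control is not worth buying, which is the decision the report step and the risk acceptance slides describe.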

THE SUMMARY OF THINGS TO DO IN RISK MANAGEMENT
1) Establish the risk management team.
2) Conduct the risk assessment, in which the vulnerabilities and
threats to the organization are determined.
3) Place a value on the organization's assets.
4) Determine how you will deal with the risks you uncover, in other
words which control measures you are going to put in place.
5) Implement the control measures to mitigate the risks.