
Risk Management

Martin Paas
August 2nd, 2022
Agenda
• Why manage risks
• Risk management process
• Introduction to risk assessment
• Practical considerations
Key definitions (ISO 27000)
Risk – effect of uncertainty on objectives (3.61)
Risk management – coordinated activities to direct and control an organization with regard to risk (3.69)
Risk management process – systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk (3.70)
Risk assessment – overall process of risk identification, risk analysis and risk evaluation (3.64)
Risk owner – person or entity with the accountability and authority to manage the risk (3.71)
Risk treatment – process to modify risk (3.72)
Level of risk – magnitude of a risk expressed in terms of the combination of consequences and their likelihood (3.39)
Threat – potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
Likelihood – chance of something happening (3.40)
Residual risk – risk remaining after risk treatment (3.57)
Risk acceptance – informed decision to take a particular risk (3.62)
Vulnerability – weakness of an asset or control that can be exploited by one or more threats (3.74)
Added value of risk management
• Stakeholders are involved when risk management decisions are made
• Risks are identified
• Risks are assessed in terms of their effect on business continuity
• The likelihood and consequences of risks are communicated and understood
• Priority order for risk treatment is established
• Risk treatment monitoring is more effective
• Risks and the risk management process are monitored and reviewed regularly
• Managers and staff are educated about the risks and the actions taken to mitigate them
Risk assessment…
• …should have a clearly defined scope in order to be effective
• …should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization
• …should include the systematic approach of estimating the magnitude of risks (risk analysis)
• …should include the process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation)
• …should be performed periodically to address changes in the information security requirements and in the risk situation
STEP 1: RISK IDENTIFICATION
A. Introduction to risk identification
B. Identification of assets
C. Identification of threats
D. Identification of existing controls
E. Identification of vulnerabilities
F. Identification of consequences
STEP 2: RISK ANALYSIS
• Risk analysis methodologies
• Assessment of consequences
• Assessment of incident likelihood
• Level of risk determination
STEP 3: RISK TREATMENT
A. Avoiding the risk by deciding not to start or continue with the activity
B. Taking or increasing risk in order to pursue an opportunity
C. Removing the risk source
D. Changing the likelihood
E. Changing the consequences
F. Sharing the risk or retaining it by informed choice
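Steps 1 to 3 describe the procedure without showing a single number. The Python below is an added example for this page (not code from the slides, and not from ISO 27005) that carries a small constructed register through analysis, evaluation against risk criteria, prioritisation and treatment, and then derives the residual risk. The 1..5 scales, the use of the product as the level of risk, the thresholds ACCEPT_MAX and ESCALATE_MIN, and the sample risks R1 to R4 are all assumptions; an organisation substitutes its own risk criteria.

```python
"""Risk analysis, evaluation and treatment in the style of steps 1 to 3 above. Added
example for this page, not code from the slides or from ISO 27005. The 1..5 scales, the
product used as level of risk and the thresholds are assumptions, not prescribed values."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales (1 = lowest); the risk criteria are stated on the same scale.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
ACCEPT_MAX = 4     # assumed criterion: at or below this the risk owner may accept
ESCALATE_MIN = 15  # assumed criterion: at or above this acceptance exceeds owner authority

class Option(Enum):
    """Treatment options A to F from step 3."""
    AVOID = "avoid"                       # A: do not start or continue the activity
    TAKE = "take"                         # B: take or increase risk for an opportunity
    REMOVE_SOURCE = "remove_source"       # C
    CHANGE_LIKELIHOOD = "likelihood"      # D: patching, hardening, MFA
    CHANGE_CONSEQUENCES = "consequences"  # E: backups, segmentation, encryption
    SHARE = "share"                       # F: insurance, outsourcing (accountability stays)
    RETAIN = "retain"                     # F: retain by informed choice

@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str              # from step 1: asset, threat, vulnerability
    threat: str
    vulnerability: str
    likelihood: int         # index into LIKELIHOOD
    consequence: int        # index into CONSEQUENCE
    owner: str              # risk owner: accountable and authorised to manage it
    accepted: bool = False  # set only by an informed decision (risk acceptance)

def level_of_risk(likelihood: int, consequence: int) -> int:
    """Combination of consequence and likelihood (ISO 27000 3.39); here the product."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must lie on the defined scales")
    return likelihood * consequence

def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the estimated level with the risk criteria."""
    lvl = level_of_risk(risk.likelihood, risk.consequence)
    return "acceptable" if lvl <= ACCEPT_MAX else "escalate" if lvl >= ESCALATE_MIN else "treat"

def prioritize(risks: List[Risk]) -> List[Risk]:
    """Treatment priority: highest level first; ties go to the larger consequence."""
    return sorted(risks, reverse=True,
                  key=lambda r: (level_of_risk(r.likelihood, r.consequence), r.consequence))

def treat(risk: Risk, option: Option, *, likelihood: Optional[int] = None,
          consequence: Optional[int] = None) -> Optional[Risk]:
    """Apply one option; return the residual risk, or None if the risk leaves the register."""
    if option in (Option.AVOID, Option.REMOVE_SOURCE):
        return None                                    # no activity / no source, no risk
    if option is Option.RETAIN:
        return replace(risk, accepted=True)            # level unchanged, decision recorded
    if option is Option.CHANGE_LIKELIHOOD:
        if likelihood is None or likelihood >= risk.likelihood:
            raise ValueError("needs a lower likelihood; use TAKE to increase risk")
        return replace(risk, likelihood=likelihood)
    if option in (Option.CHANGE_CONSEQUENCES, Option.SHARE):
        if consequence is None or consequence >= risk.consequence:
            raise ValueError("needs a lower consequence; use TAKE to increase risk")
        return replace(risk, consequence=consequence)  # SHARE keeps the same owner
    return replace(risk, likelihood=likelihood or risk.likelihood,  # TAKE: carrying more
                   consequence=consequence or risk.consequence, accepted=True)  # risk knowingly

def residual_report(register: List[Risk], plan: Dict[str, Tuple[Option, dict]]) -> Dict[str, str]:
    """Post-treatment monitoring view. An unplanned risk stays untreated and unaccepted,
    so it still surfaces; acceptance at or above ESCALATE_MIN is not honoured at owner level."""
    report = {}
    for r in register:
        option, kwargs = plan.get(r.risk_id, (None, {}))
        residual = treat(r, option, **kwargs) if option else r
        if residual is None:
            report[r.risk_id] = "closed"
        elif residual.accepted and evaluate(residual) != "escalate":
            report[r.risk_id] = "accepted"
        else:
            report[r.risk_id] = evaluate(residual)
    return report

# Constructed sample register and plan (not real data). R4 is deliberately left untreated.
SAMPLE_REGISTER = [
    Risk("R1", "customer database", "ransomware", "unpatched VPN appliance", 4, 5, "CISO"),
    Risk("R2", "print room", "vandalism", "door without lock", 2, 1, "Facilities"),
    Risk("R3", "payroll service", "insider fraud", "no segregation of duties", 3, 4, "CFO"),
    Risk("R4", "marketing site", "defacement", "outdated CMS", 4, 2, "Comms lead"),
]
SAMPLE_PLAN = {
    "R1": (Option.CHANGE_LIKELIHOOD, {"likelihood": 1}),  # patch + MFA; consequence stays severe
    "R2": (Option.RETAIN, {}),
    "R3": (Option.SHARE, {"consequence": 2}),             # insurance carries most of the loss
}
```

Two things the slides leave implicit show up when residual_report(SAMPLE_REGISTER, SAMPLE_PLAN) is run: R1 still evaluates to "treat" after patching, because the consequence stays severe, so a single treatment rarely closes a high risk; and R4, left out of the plan, keeps surfacing, which is what stops a register from quietly dropping items. Sharing a risk lowers the consequence figure but never changes the owner, and an acceptance recorded above the escalation threshold is reported as "escalate" rather than "accepted".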


CONSTRAINTS ON SELECTING CONTROLS
• Time constraints
• Financial constraints
• Technical constraints
• Operational constraints
• Cultural constraints
• Ethical constraints
• Environmental constraints
• Ease of use
• Personnel constraints
• Constraints for integrating new and existing controls
INFORMATION SECURITY RISK MONITORING AND REVIEW
Monitor for:
• Inclusion of new assets
• Necessary modification of asset values
• New threats, both inside and outside of the organisation
• New or increased vulnerabilities
• Increased impact or consequences of assessed threats, vulnerabilities and risks
• Information security incidents
No risk or risk element should be overlooked or underestimated. Necessary actions should be taken.
In practice…
As-is
• Formal process with limited added value to the organisation
• Lack of commitment from the management…
• …which might be reflected in lack of commitment by other colleagues in the organisation
• Changes in risks over time
• Unjustified/extremely high or low risk levels
• No systematic reviews
• Unjustified expectations towards risk manager vs risk owner
Recommendations
• Awareness raising within the organization, incl. upper management
• Systematic reviews of high risks
• Reviews after incidents – could it have been prevented?
• Plan ahead, also in terms of people and budget
• Define the role of risk manager
Thank you!
