• Home

  • Documents

  • Considerations for Responding to Risks...Managing Risks – Accept Accept the risk and continue...
12
Considerations for Responding to Risks Table of Contents Risk and Impact Analysis................................................................................................................ 2 Managing Risks with Methods of Response.................................................................................. 3 Managing Risks – Accept............................................................................................................... 4 Managing Risks – Transfer............................................................................................................. 5 Managing Risks – Mitigate............................................................................................................. 6 Managing Risks – Avoid................................................................................................................. 7 Residual Risk Not All Risk Can Truly be Eliminated........................................................................ 8 Cost vs. Time for Risk Strategies.................................................................................................. 10 Security Controls.......................................................................................................................... 11 Notices......................................................................................................................................... 12 Page 1 of 12

Considerations for Responding to Risks...Managing Risks – Accept Accept the risk and continue operating. Risk is typically not reduced with this response plan. You may “accept”

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

  • Considerations for Responding to Risks

    Table of Contents

    30TRisk and Impact Analysis30T ................................................................................................................ 2

    30TManaging Risks with Methods of Response30T .................................................................................. 3

    30TManaging Risks – Accept30T ............................................................................................................... 4

    30TManaging Risks – Transfer30T ............................................................................................................. 5

    30TManaging Risks – Mitigate30T ............................................................................................................. 6

    30TManaging Risks – Avoid30T ................................................................................................................. 7

    30TResidual Risk Not All Risk Can Truly be Eliminated.30T ....................................................................... 8

    30TCost vs. Time for Risk Strategies30T .................................................................................................. 10

    30TSecurity Controls30T .......................................................................................................................... 11

    30TNotices30T ......................................................................................................................................... 12

    Page 1 of 12

  • Risk and Impact Analysis

    Risk and Impact Analysis

    12

    **012 Instructor: And right now we're going to talk about risk and impact analysis and we make consideration for responding to risks.

    Page 2 of 12

  • Managing Risks with Methods of Response

    Managing Risks with Methods of Response

    Change the asset’s risk exposure (apply safeguard)

    Eliminate the asset’s exposure to risk, or eliminate the asset altogether

    Acknowledge that the risk exists, but apply no safeguard(Exposure value is within tolerance)

    Shift responsibility for the risk to a third party (ISP, MSSP, Insurance, etc.)

    Change the asset’s risk exposure (apply safeguard)

    Eliminate the asset’s exposure to risk, or eliminate the asset altogether

    Accept

    AvoidMitigate

    Transfer

    Risk

    13

    **013 We can manage risks by thinking about how we're going to actually respond to them. You can do this in any variety of ways, but there are four main strategies that you want to think about. You can accept a risk, you can transfer it, you can avoid it, or you can mitigate it. So let's look a little bit closely at these strategies and see a little bit more about what they're all about.

    Page 3 of 12

  • Managing Risks – Accept

    Accept the risk and continue operating.

    Risk is typically not reduced with this response plan. You may “accept” a risk after taking some other action to lower the risk to an acceptable

    level.

    Note, acceptance is a meaningful decision. You can consciously decide to not take

    action for the right reason(s). Document that decision.

    Managing Risks – Accept

    14

    **014 One of our strategies is we can actually accept the risk. This means that we're going to just operate with the risk existing, and we're really not going to do anything to invest resources to manage it or bring the likelihood to an acceptable level, really. That said, understanding that we have an appetite in the organization, we're going to just let the risk happen if it happens. And by the way, this is not just feeling lazy about it and just letting the risk happen; technically this is a meaningful decision. What you want to do is document it and make sure that you've accepted this risk based upon all the information that you have available. And you also want to understand that you're saving yourself resources to address other risks. You're not just going to go out and spend that money like it's fun money.

    Page 4 of 12

  • So acceptance is actually a very critical decision. Some risks you may just accept because they have a lower impact or a lower likelihood, and that's fine, but make sure it's a meaningful decision.

    Managing Risks – Transfer

    Shift responsibility or burden for loss to another party.

    Examples Contracts with third parties Hold-harmless agreements Insurance Warranties Usually used in combination with other strategies

    Managing Risks – Transfer

    15

    **015 Otherwise, I may want to partner with other organizations to share the burden of this risk. Classically we may think about this example in terms of insurance. You may buy insurance and transfer that risk to that insurance carrier, and you're paying them for their troubles, but to be honest, if the risk were ever to come to fruition, they would actually have to pay into recovery from that risk coming to fruition. You can think about this other ways too. We can establish contracts with third-parties, other vendors. We can

    Page 5 of 12

  • actually have some agreements in place to say that a certain partner is willing to take on a certain amount of risk. We can have warranties for our products. You can also combine these together.

    Managing Risks – Mitigate

    Limit the risk by implementing controls that minimize the adverse impact of threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls). You may be reducing the likelihood of the risk occurring or reducing the extent of the

    impact that may be incurred.

    Mitigation can tend to be the most resource intensive response. Each mitigation plan may be a “Just do it”, or it may require a short/long term project to

    implement. Be sure to monitor the implementation and effectiveness of the solution.

    Managing Risks – Mitigate

    16

    **016 We can also think about taking action, and this is called mitigation of a risk, and what we really want to do is we want to invest resources wisely such that we either reduce the likelihood of the risk or we reduce the amount of pain or impact that you would feel if the risk were to come to fruition. This is really the cool trick about risk management. You could actually have, in a sense, a crystal ball in your risk assessment, looking ahead to the future and understanding what I could do to keep that risk from ever happening. But when that cold, dark day comes,

    Page 6 of 12

  • you could also understand that you have resources standing by to recover from that disaster and keep your business operating. So what you want to do is you want to set up a plan. Sure you may have some items that are "just do its", if you will. But if you have some controls and/or response plans that are going to take longer than just a few days or maybe even considerable resources that are necessary for investment, be sure to set up a project plan of some sort so that way you can mindfully implement that control, and it's done in a way that you can monitor its implementation and effectiveness.

    Managing Risks – Avoid

    Make an informed decision to not get involved with a risky action.

    Shut down an operation before the risk occurs.

    Similar to acceptance, this decision is made based on a rich decision making process. Document the decision. You may end up seeing the risk come up again.

    Managing Risks – Avoid

    17

    **017 You also could go about avoiding a risk altogether, and this is another informed decision. Similar to

    Page 7 of 12

  • acceptance, but to be honest with you, you're not going to engage in the activity at all. With acceptance, you may have still stayed with the mission, but on this one, you're avoiding it altogether. And you got to think about this in a very meaningful way too, because there may be an opportunity cost that you're losing there as well. So you want to think about this in terms of acceptance as well, but you're also very much documenting this decision. You're making a mindful decision, and you want to know why. Especially down the road, if something were to change and people started asking why you made the decision, you'll have it documented.

    Residual Risk Not All Risk Can Truly be Eliminated.

    Despite best efforts of response, there will likely still be some risk remaining.

    Acceptance of residual risk should take into account Regulatory compliance Organizational policy Sensitivity/criticality of assets Acceptable levels of potential impacts Uncertainty incorporated in the risk assessment approach itself Cost versus the effectiveness of implementation

    Residual RiskNot All Risk Can Truly be Eliminated.

    18

    **018 So remember, no matter what controls you put into place, not

    Page 8 of 12

  • all risk can truly be eliminated. So no matter what you do, you may still have some uncertainty left on the table, if you will, and you're going to have to look through different lenses to understand if you've really met the appetite of the organization. You've got to be careful if there's some sort of regulatory compliance matter that you have to follow up, so that way you have to knowingly dial your risk down to a certain level. For example, it is unacceptable to release HIPAA data to the public. If that's the case, you have to go to great extremes to make sure that that residual risk is to an absolute minimum to the best of your capability, and that's going to be a regulatory issue. It may be an organizational policy. Maybe you have some assets that have some certain amount of sensitivity to it, where you have lower levels of information that may be okay and have minimal impact to the organization if it's released, but if it is a data set or an information set that has high sensitivity levels, maybe it's top secret to your organization, that could be driving your decision as to whether or not you need to invest more resources to insulate those particular assets. So you want to think about the cost of what you're investing around the security and the controls that you're putting into these risks to address them, versus what you're going to get on the other side, effectively like a return on investment for what you're-- in this case, it's a return on risk investment.

    Page 9 of 12

  • Cost vs. Time for Risk Strategies

    Cost vs. Time for Risk StrategiesIncident Note how the amount of

    resource invested in the response relates to the return

    you see at risk realization.

    19

    **019 You can think of this in different ways. We've talked about the avoidance, mitigation, transference and acceptance strategies, and what you really want to do is put yourself in the seat of that cold, dark day again when that risk comes to light. If you've avoided the risk altogether and the incident happens, there may have been a really high cost related to that avoidance because, let's face it, you didn't go down the path to make that revenue, so it was a lost opportunity. But if an incident happens, you really have no loss, so there may be a good balance that's struck there. Same thing to be said with mitigation, where you may have an investment of resources to dial a risk down, and you're hoping that past the incident, you've at least brought

    Page 10 of 12

  • down the cost related to that risk coming to fruition.

    Security Controls

    Once the risks to the organization have been identified Prioritize the security strategies for response Limited resources are almost always a factor.

    Customize the solutions for the enterprise

    Most cyber risk management solutions are typicallydone through security controls. Technical Physical Administrative

    Security Controls

    20

    **020 So now that you have your strategy in place as to how you're going to address that risk, let's talk a little bit about how you're actually implement the controls around it. So first thing you want to do, you've identified these risks. You really want to prioritize the strategies that you've put into place for a response, and recognizing that you have only a certain number of resources that could be actually put to this risk management game, you want to understand where I'm going to get the biggest return on my risk investment, and in some cases you may want to consider how you're going to actually customize these solutions such that you get that

    Page 11 of 12

  • maximization of your resources. Remember, there's a critical win here for risk managers in finding the interdependency of risks and how they're related. Maybe a response for one risk will help you with multiple other risks. That may bring a risk response to a higher level of prioritization because you can get more return on your risk investment in that case. When we do this, we want to do it using security controls through three basic avenues. They could be technical controls, they could be physical controls, or they could be administrative.

    Notices

    1

    Notices

    Page 12 of 12

    Considerations for Responding to RisksRisk and Impact AnalysisManaging Risks with Methods of ResponseManaging Risks – AcceptManaging Risks – TransferManaging Risks – MitigateManaging Risks – AvoidResidual Risk Not All Risk Can Truly be Eliminated.Cost vs. Time for Risk StrategiesSecurity ControlsNotices


Unknowns, Systemic Risks and Risk Prioritization in ... · Unknowns, Systemic Risks and Risk Prioritization in Schedule Risk Analysis David T. Hulett, Ph.D., FAACE Hulett & Associates,

Unknowns, Systemic Risks and Risk Prioritization in ... · Unknowns, Systemic Risks and Risk Prioritization in Schedule Risk Analysis David T. Hulett, Ph.D., FAACE Hulett & Associates,

Documents
E Discovery Risks for Risk Managers

E Discovery Risks for Risk Managers

Documents
Geo-hazard Risk Reduction: Understanding the Risks and ...pubdocs.worldbank.org/en/...RoadGeohazardManagement-DaisukeHigaki.pdf · Geo-hazard Risk Reduction: Understanding the Risks

Geo-hazard Risk Reduction: Understanding the Risks and ...pubdocs.worldbank.org/en/...RoadGeohazardManagement-DaisukeHigaki.pdf · Geo-hazard Risk Reduction: Understanding the Risks

Documents
Assessing the Risks of Insuring Reputation Risk - FAU · Assessing the Risks of Insuring Reputation Risk Nadine Gatzert, Joan Schmit, Andreas Kolb ... risk control and risk financing

Assessing the Risks of Insuring Reputation Risk - FAU · Assessing the Risks of Insuring Reputation Risk Nadine Gatzert, Joan Schmit, Andreas Kolb ... risk control and risk financing

Documents
RISKS BEYOND BOUNDARIES€¦ · • HSBC Holdings Plc • Institute of Risk Management • The Lighthill Risk Network ... Risks Beyond Boundaries, will be an exploration of risks

RISKS BEYOND BOUNDARIES€¦ · • HSBC Holdings Plc • Institute of Risk Management • The Lighthill Risk Network ... Risks Beyond Boundaries, will be an exploration of risks

Documents
The risk of risks reputation risk and resiliency Linda LOCKE

The risk of risks reputation risk and resiliency Linda LOCKE

Education
Unit 6 Risks “I am addicted to risks”…. Part I preparation To know about risks define risk: use of risk: at the risk of (n) / risk sth (v) risky (adj)

Unit 6 Risks “I am addicted to risks”…. Part I preparation To know about risks define risk: use of risk: at the risk of (n) / risk sth (v) risky (adj)

Documents
Topics Risk Solutions - Facing terrorist risks

Topics Risk Solutions - Facing terrorist risks

Documents
Transforming Risks into Opportunities Risk Advisory · Risk Survey 2018 Transforming Risks into Opportunities Building Future-Ready Risk Management Functions We believe that while

Transforming Risks into Opportunities Risk Advisory · Risk Survey 2018 Transforming Risks into Opportunities Building Future-Ready Risk Management Functions We believe that while

Documents
Risk management · RISK MANAGEMENT Risk management FINANCIAL RISKS The independent identification, measurement, monitoring and mitigation of all risks incurred by the Bank in both

Risk management · RISK MANAGEMENT Risk management FINANCIAL RISKS The independent identification, measurement, monitoring and mitigation of all risks incurred by the Bank in both

Documents
Matrix of Risks Distribution - Roads RISK …...Matrix of Risks Distribution - Roads RISK DISTRIBUTION METHODOLOGY This paper addresses the identification of risk generically rather

Matrix of Risks Distribution - Roads RISK …...Matrix of Risks Distribution - Roads RISK DISTRIBUTION METHODOLOGY This paper addresses the identification of risk generically rather

Documents
Catastrophic Risk and Insurance Hurricane and hydrometeorological risks Catastrophic Risk and Insurance Hurricane and hydrometeorological risks ASSAL XVII

Catastrophic Risk and Insurance Hurricane and hydrometeorological risks Catastrophic Risk and Insurance Hurricane and hydrometeorological risks ASSAL XVII

Documents
Approaches to the measurement of excess risk 1. Ratio of RISKS 2. Difference in RISKS: –(risk in Exposed)-(risk in Non-Exposed) Risk in Exposed Risk in

Approaches to the measurement of excess risk 1. Ratio of RISKS 2. Difference in RISKS: –(risk in Exposed)-(risk in Non-Exposed) Risk in Exposed Risk in

Documents
Information Risks Risk Management 34210

Information Risks Risk Management 34210

Documents
RISKS ASSOCIATED WITH FINANCIAL …...In financial markets, investors face two types of risks: systematic risk and non-systematic risk. • Systematic risk, also called market risk,

RISKS ASSOCIATED WITH FINANCIAL …...In financial markets, investors face two types of risks: systematic risk and non-systematic risk. • Systematic risk, also called market risk,

Documents
Controlling Risks Risk Assessment - USPAS - U.S. …uspas.fnal.gov/materials/12UTA/09_risk_assessment.pdf · Controlling Risks Risk Assessment . ... –Critical effects are added

Controlling Risks Risk Assessment - USPAS - U.S. …uspas.fnal.gov/materials/12UTA/09_risk_assessment.pdf · Controlling Risks Risk Assessment . ... –Critical effects are added

Documents
Risk Management-Assessing and Controlling Risks

Risk Management-Assessing and Controlling Risks

Documents
PMP Study Guide Chapter 6: Risk Planning. Chapter 6 Risk Planning Planning for Risks Plan Risk Management Identifying Potential Risk Analyzing Risks Using

PMP Study Guide Chapter 6: Risk Planning. Chapter 6 Risk Planning Planning for Risks Plan Risk Management Identifying Potential Risk Analyzing Risks Using

Documents
Pricing Environmental Health Risks: Survey Assessments ...jch8/bio/Papers/Viscusi Magat Huber... · Pricing Environmental Health Risks: Survey Assessments of Risk- Risk and Risk-

Pricing Environmental Health Risks: Survey Assessments ...jch8/bio/Papers/Viscusi Magat Huber... · Pricing Environmental Health Risks: Survey Assessments of Risk- Risk and Risk-

Documents
Risks of Risk-Based Testing

Risks of Risk-Based Testing

Technology
Assessing and Integrating Emerging Technologies · Why Humans Accept Risks Ambiguous definitions of risks – Is a risk a hazard, probability, consequence or description of adversary/threat?

Assessing and Integrating Emerging Technologies · Why Humans Accept Risks Ambiguous definitions of risks – Is a risk a hazard, probability, consequence or description of adversary/threat?

Documents
Allianz Risk Barometer: Business Risks 2016

Allianz Risk Barometer: Business Risks 2016

Economy & Finance
Managing and Identifying Risk - Ivey Business School Managing Risk... · uncertainty on their cashflows and/or balance sheet. • Firms decide which risks to accept or manage.

Managing and Identifying Risk - Ivey Business School Managing Risk... · uncertainty on their cashflows and/or balance sheet. • Firms decide which risks to accept or manage.

Documents
Household Environmental Health Risks to Rural Children – Risks and Perceptions of Risk

Household Environmental Health Risks to Rural Children – Risks and Perceptions of Risk

Documents
Bank Risks, Risk Preferences and Lending

Bank Risks, Risk Preferences and Lending

Documents
REAL RISK MANAGEMENT - Lexipol · program. We also outlined the 10 Families of Risk: 1. External Risks 2. Legal and Regulatory Risks 3. Strategic Risks 4. Organizational Risks 5

REAL RISK MANAGEMENT - Lexipol · program. We also outlined the 10 Families of Risk: 1. External Risks 2. Legal and Regulatory Risks 3. Strategic Risks 4. Organizational Risks 5

Documents
RISK MANAGEMENT GOALS AND TOOLS. ROLE OF RISK MANAGER n MONITOR RISK OF A FIRM, OR OTHER ENTITY –IDENTIFY RISKS –MEASURE RISKS –REPORT RISKS –MANAGE -or

RISK MANAGEMENT GOALS AND TOOLS. ROLE OF RISK MANAGER n MONITOR RISK OF A FIRM, OR OTHER ENTITY –IDENTIFY RISKS –MEASURE RISKS –REPORT RISKS –MANAGE -or

Documents
PowerPoint Presentation Grepa PESO... · is a financial solution for clients with risk tolerance classified as moderate to aggressive and who are willing and able to accept risks

PowerPoint Presentation Grepa PESO... · is a financial solution for clients with risk tolerance classified as moderate to aggressive and who are willing and able to accept risks

Documents
Emerging Risks Enterprise Risk Management

Emerging Risks Enterprise Risk Management

Documents
Chapter 3 - Cornèrtrader: Trading on Forex, Stocks ...€¦ · SHARE AND MARKET RISKS Share and CFD trading involve risk. Traders accept these risks every day as they risk a portion

Chapter 3 - Cornèrtrader: Trading on Forex, Stocks ...€¦ · SHARE AND MARKET RISKS Share and CFD trading involve risk. Traders accept these risks every day as they risk a portion

Documents