Introduction to Risk Management 26 September 2014 Peter Fowler CPPD

Page 1: Introduction to Risk Management 26 September 2014 Peter Fowler CPPD

Introduction to Risk Management 26 September 2014

Peter Fowler CPPD

Page 2

“There are ‘known knowns’. [These are things we know that we know.] There are ‘known unknowns’. [That is to say, there are things that we know we don't know.] But there are also ‘unknown unknowns’. [There are things we don't know we don't know.]”

Donald Rumsfeld (Feb 12, 2002)

“The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.”

Douglas Adams in Mostly Harmless (the fifth book in the Hitchhiker's Guide to the Galaxy trilogy)

Page 3

Risk Management Definitions

• Uncertainty - changing circumstances or situation

• Risk - effect of uncertainty on objectives

• Opportunity - the positive impact on objectives

• Issue - an event that has happened or will happen

Page 4

Types of Risk Management

• Safety risk management

• Insurance risk management

• Financial (Investment) risk management

• Project risk management

• Business risk management

• Information risk management

Page 5

Tasmanian Government Information Security Policy

1. Purpose

The purpose of the Policy is to provide a consistent approach to managing information security risks across Government.

2. Scope

This Policy applies to Tasmanian Government agencies as custodians of information on behalf of the Crown.

3. Policy Principles

This Policy is based upon the following information security policy principles:

• Availability: information is accessible and usable to authorised entities.

• Integrity: the accuracy and completeness of information is protected.

• Confidentiality: information is not made available or disclosed to unauthorised individuals, entities or processes.

• Proportionality: measures to protect information are relative to the risk of loss or failure of availability, integrity and confidentiality.

Page 6

Tasmanian Government Information Security Policy Manual

• Information security risks are threats or vulnerabilities that introduce uncertainty regarding the availability, confidentiality or integrity of information.

• Structured risk assessments help to prioritise risks and implement appropriate risk management procedures.

• Information security risk management can be undertaken as part of a broader agency risk management approach.

• Each agency MUST identify, quantify and prioritise risks against risk acceptance criteria and determine appropriate controls to protect against risks.

Page 7

After completing a risk assessment

There may be residual information security risks where the agency has:

• elected to accept a risk by doing nothing, or

• adopted a mitigation strategy that does not completely eliminate a risk.

Page 8

Process from AS/NZS ISO 31000:2009

Page 9

Common failures when managing risks

• Not establishing the context:

  • Misunderstand organisational attitudes and risk appetite

    • Risk attitude: organisation's approach to assess and eventually pursue, retain, take or turn away from risk

    • Risk appetite: the amount and type of risk that an organisation is willing to pursue or retain

Source: ISO GUIDE 73: 2009 Risk management — Vocabulary

Page 10

Common failures when managing risks

• Not establishing the context:

  • Misunderstand organisational attitudes and risk appetite

• Not focussing on the appropriate risks (business efficiency vs information security)

  • Business efficiency risk: information cannot be located quickly as a result of poor categorisation, resulting in more time/resources required to find records.

  • Information security risk: information cannot be located as a result of poor file categorisation, resulting in not finding important records.

Page 11

Common failures when managing risks

• Not establishing the context:

  • Misunderstand organisational attitudes and risk appetite

• Not focussing on the appropriate risks (business efficiency vs information security)

• Inappropriate measures used for the analysis

  • Consequence - if the event occurs, what will the consequence be:

    • Critical
    • High
    • Medium
    • Low
    • Very low

  • Likelihood - what is the likelihood that the event will occur and result in the consequence indicated:

    • Almost certain
    • Likely
    • As likely as not
    • Possible
    • Unlikely

But what do these terms mean?

Page 12

Common failures when managing risks

• Not establishing the context:

  • Misunderstand organisational attitudes and risk appetite

• Not focussing on the appropriate risks (business efficiency vs information security)

• Inappropriate measures used for the analysis

• Generalisation of risk statements (leads to misunderstanding)

  1. Inappropriate file categorisation

  2. Cannot find board meeting minutes

State the full story: what could happen, why could it happen (cause) and what would the result be:

“Board meeting minutes cannot be located as a result of poor file categorisation resulting in disputed decisions having to be reversed”

Page 13

Common failures when managing risks

• Not establishing the context:

  • Misunderstand organisational attitudes and risk appetite

• Not focussing on the appropriate risks (business efficiency vs information security)

• Inappropriate measures used for the analysis

• Generalisation of risk statements (leads to misunderstanding)

• Fake treatment (either won’t mean anything or not followed through)

  1. Ensure board meeting minutes are categorised appropriately

  2. Provide training for staff on board meeting minute categorisation

Would that stop people categorising incorrectly?

Only appropriate if not already being done!

Page 14

Questions?

Page 15

Introduction to Risk Management 26 September 2014

Peter Fowler CPPD