Risk Management

Risk is involved in everything that we do. So wouldn't it make sense to know how to weigh the risks that are involved?

Risk Management: What is it?

The idea of risk management is to reduce threats related to preselected domains. Risk management is a structured approach to managing uncertainty related to a hazard through a sequence of human activities including risk assessment, developing strategies to manage it, and mitigation of risk. The strategies include transferring risk to another party, avoiding the risk, minimizing the negative effects of the

Risk Management
We will be focusing on the process of Risk Management. We will be looking at the following steps in the process.

1. Establishing context
2. Identification
3. Assessing
4. Different Risk Cures
5. Make a Risk Management Plan
6. Implementing
7. Evaluate and Review Plan

Establishing Context
To establish context we will:

1. Identify the risk.
2. Plan the remainder of the process.
3. Map out the goals of stakeholders, the social scope of risk management, and how risks will be evaluated.
4. Define a timeline.
5. Develop an evaluation plan for the risks involved.
6. Mitigation of hazards using available resources.

Identification

We will now look at identifying potential risks. Risks are about events that, when triggered, cause issues. Some common risk identification methods are:

Objectives-based risk identification: This is where organizations and project teams have goals. Risk is anything that may deter the success of the goals.

Scenario-based risk identification: This is when different scenarios are made. Doing this will help the company to be

Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Answers from a questionnaire are compiled. The answers to the questions show risks that need to be addressed.

Common-risk checking: Many companies have a checklist to go through to see if there are any common risks popping up.

Risk charting: Combines the above approaches by listing resources at risk, hazards to those resources, modifying factors which may increase or decrease the risk, and the consequences it is trying to avoid.

Assessment

When you have identified your risks, you need to assess how serious they could become. This can be hard or easy to do; however, it is best to make an educated guess as close as possible to the risk's severity. The hard part in assessing the risk is determining the rate of occurrence, since statistical information is not available on all kinds of incidents in the past.

Risk Cures
When we have identified and assessed the risks at hand, all the ways to manage the risks are placed into one or more of the following categories: avoidance, reduction, transference, and retention (accept and deal with it).

Avoiding Risk
Avoiding risk can mean not doing an activity that carries risk. Avoiding may seem to be the answer to all risks; however, avoiding risks could also mean losing out on potential gains.

Minimizing Risk
This method involves minimizing the severity of the loss or the likelihood of the loss happening. Today's software development methods minimize risk by developing and delivering software incrementally.

Risk Retention
This involves taking a loss when it happens. Risk retention is a possible strategy for small risks where the cost of insuring against the risk would be higher over time than the total losses sustained. All risks that aren't avoided or transferred are retained by default.

Risk Transference

The transference of risk is when the risk is moved somewhere else for somebody else to deal with.

Risk Management Plan


To plan, we need to measure the risks that are involved. Mitigation must be given the go-ahead by management. Strong security controls should be put in place to manage the risks. The step after finishing the Risk Management phase consists of preparing a Risk Treatment or Cure Plan, which should document the decisions on how each of the risks should be handled.

Implementing
Work on all of the planned methods for alleviating the effect of the risks. Avert all risks that can be avoided without sacrificing the company's goals, reduce others, and retain the rest.

Evaluate and Review Plan


The first draft of risk management plans will never be perfect. Practice, experience, and loss will result in necessary changes that will need to be made in the plan. All plans should be updated periodically:

1. to evaluate whether the last security controls are still effective.
2. to evaluate changes in risk that are occurring in the business environment.

Questions, Comments, or Concerns? Feel free to send them to: Astabrak@cityu.edu
