Risk Management Training 2013
Transcript of Risk Management Training 2013
September 2013
Vicky Ames, IT Risk Manager
IT Risk Management Program
Purpose
The purpose of this training is to provide an introduction to:
Risk Management terminology
Risk Management concepts
IT Risk Management program
“Risk comes from not knowing what you are doing.”-Warren Buffett
Objectives
At the end of this training you will:
Have a basic understanding of Risk Management terminology
Have a basic understanding of our IT Risk Management program
Understand your role and responsibilities within our IT Risk Management program
Agenda
Introduction to risk management terminology
Introduction to our IT Risk Management process
Questions
Risk Management Terminology
“Progress always involves risk; you can't steal second base and keep your foot on first.”
-Frederick Wilcox
What is Risk?
Risk Management Terminology
Risk is: A future event that will affect business objectives
Risk vs. Issue
A risk is something that might happen. It has a probability (or likelihood) of happening, and if it does there will be a certain impact (which may be positive or negative).
An issue is something that has happened (or is happening right now). It does not have a probability, but it will have an impact.
Risk Management Terminology
Impact is: The effect of an event on the organization
Likelihood is: The chance of something happening
Risk Management Terminology
Risk Analysis is: Evaluation of the likelihood and impact a risk would have on business objectives
Exercise – Risk Analysis
What is the Risk?
What could be done to increase or decrease likelihood?
What could be done to increase or decrease impact?
Risk Management Terminology
Gross Risk is: The initial assessment of the impact and likelihood of a risk prior to considering any existing controls.
Net Risk is: The assessment of the impact and likelihood of a risk that considers existing controls.
Target Risk is: The acceptable levels of impact and likelihood for a risk.
Risk Management Terminology
Possible Risk Responses are:
Avoid – Management decision not to be involved in, or to withdraw from, an activity based on the level of risk
Accept – Management decision that the controls currently in place are sufficient and the current level of residual risk is acceptable
Exploit – Management decision to take actions to ensure an identified opportunity is realized
Mitigate – Management decision to take actions to lessen the likelihood and/or impact of a risk
Transfer – Management decision to share the burden of loss or benefit of gain for a risk with another party
Risk Management Terminology
Risk Management is: Coordinated activities to identify, assess and respond to risks
IT Risk Management Process
“One cannot refuse to eat just because there is a chance of being choked.”
- Chinese Proverb
IT Risk Management Lifecycle
IT Risk Management - Roles
IT Risk Manager
– Manages the Risk Management Program
– Coordinates with other roles to ensure risk management activities occur
– Responsible for conducting risk analysis, maintaining the risk register, and providing quarterly reports to management
– Interfaces with the Enterprise Risk Management team
IT Process Owner
– Responsible for managing risks that impact their processes
– Responsible and accountable for bringing risks that impact their processes to agreed-upon target levels
– Provides data to the Risk Manager for review
– Assigns Risk POCs and Analysts
– Supports risk management activities
IT Risk Management - Roles
ITLT
– Supports Risk Management activities
– May be consulted during risk analysis
– Only role authorized to accept risk
Risk Point of Contact
– Primary individual assigned by the Process Owner to participate in Risk Management activities for a particular risk
Analyst
– Any other individual assigned by the Process Owner to participate in risk management activities
IT Risk Management - Identify
Collect data
– Risk Manager will meet with targeted groups to review trends and identify potential risks
• Problem Management
• Internal and External Audits and Assessments
– Risk Manager will review incidents and issues and will gather data to identify potential risks
• Incident Management
• Change Management
Rationalize data
– Identify potential risks
IT Risk Management - Analyze
Identify Process Owner
– Risk Manager will identify the IT process most impacted by the stated risk
Conduct Risk Analysis
– Risk Manager will then meet with the Process Owner and others as necessary to perform risk analysis
– Gross Risk
– Net Risk
– Target Risk
– Select initial Risk Response
Update Risk Register
– Risk Manager will update the Risk Register
IT Risk Management - Respond
Process Owner develops Risk Action Portfolio
– Plan will identify activities and resources needed to bring the Net Risk rating to the Target Risk rating
• May require resources from multiple teams
– Process Owner reviews risk assessment and action plan with the IT Leadership Team Process Sponsor
– Risk Manager will provide support as needed
– Process Owner completes the Risk Action Portfolio document
Process Owner and Risk Manager review Action Plan
– Ensure plan properly executes the Risk Response strategy
– Ensure plan will bring the Net Risk rating to the stated Target Risk rating
Process Owner, Risk POC and Analysts implement the Risk Action Plan
IT Risk Management - Monitor
Risk Manager will meet quarterly with the Process Owner
– Review progress of the Risk Action Plan
– Review changes to likelihood and impact ratings
– Discuss issues and potential solutions
– Address any concerns
Risk Manager provides a quarterly report to the ITLT
– Reports on top risks and Risk Action Plan status
Objectives
At the end of this training you will:
Have a basic understanding of Risk Management terminology
Have a basic understanding of the IT Risk Management program
Understand your role and responsibilities within our IT Risk Management program
Questions
“You'll always miss 100% of the shots you don't take.”
- Wayne Gretzky
Appendices
“There are those who are so scrupulously afraid of doing wrong that they seldom venture to do anything.”
- Luc de Clapiers, Marquis de Vauvenargues
Appendix A – Risk Management Process Documents
APO12-SOP001 Managing Risk
APO12-SOP001-STD001 Standards for Managing Risk
APO12-SOP001-WI001 Risk Management Data Collection
APO12-SOP001-WI002 Risk Analysis and Assessment
APO12-SOP001-WI003 Maintain Risk Register
APO12-SOP001-WI004 Risk Articulation
APO12-SOP001-WI005 Responding to Risk
APO12-FRM001 Risk Acceptance Form
APO12-SOP001-TMP001 Risk Analysis and Assessment Template
APO12-SOP001-TMP002 Risk Register Template
APO12-SOP001-TMP003 ISLT Quarterly Risk Report Template
APO12-SPO001-TMP004 Risk Management Action Portfolio Template
Available in the GSF Library
Appendix B – Risk Management Process Links
IT Risk Management Sharepoint Site https://sharepointportal/Departments/InformationTechnology/InfoSecurity/riskmanagement/default.aspx
– Shared Documents section houses the IT Risk Register and other Risk Management documents
GSF Library https://sharepointportal/Departments/InformationTechnology/GSF-Library/SharedDocuments/Forms/AllItems.aspx
Appendix C – IT Process Landscape with

Evaluate, Direct and Monitor (EDM)

| Process | Process Owner | ITLT Sponsor |
| --- | --- | --- |
| EDM01 Ensure Governance Framework Setting and Maintenance | Person 1 | Person 2 |
| EDM02 Ensure Benefits Delivery | Person 3 | Person 4 |
| EDM03 Ensure Risk Optimization | Person 5 | Person 2 |
| EDM04 Ensure Resource Optimization | Person 3 | Person 4 |
| EDM05 Ensure Stakeholder Transparency | Person 4 | Person 6 |

Align, Plan & Organize (APO)

| Process | Process Owner | ITLT Sponsor |
| --- | --- | --- |
| APO01 Manage the IT Management Framework | Person 4 | Person 6 |
| APO02 Manage Strategy | Person 4 | Person 6 |
| APO03 Manage Enterprise Architecture | Person 7 | Person 8 |
| APO04 Manage Innovation | Person 9 | Person 10 |
| APO05 Manage Portfolio | Person 3 | Person 4 |
| APO06 Manage Budget and Costs | Person 12 | Person 4 |
| APO07 Manage Human Resources | Person 13 | Person 6 |
| APO08 Manage Relationships | Person 3 | Person 4 |
| APO09 Manage Service Agreements | Person 15 | Person 16 |
| APO10 Manage Suppliers | Person 4 | Person 6 |
| APO11 Manage Quality | Person 14 | Person 4 |
| APO12 Manage Risk | Person 3 | Person 4 |
| APO13 Manage Security | Person 3 | Person 4 |

Build, Acquire & Implement (BAI)

| Process | Process Owner | ITLT Sponsor |
| --- | --- | --- |
| BAI01 Manage Programs and Projects | Person 17 | Person 18 |
| BAI02 Manage Requirements Definition | Person 19 | Person 20 |
| BAI03 Manage Solutions Identification and Build | Person 21 | Person 22 |
| BAI04 Manage Availability and Capacity | Person 23 | Person 24 |
| BAI05 Manage Organizational Change Enablement | Person 25 | Person 4 |
| BAI06 Manage Changes | Person 26 | Person 27 |
| BAI07 Manage Change Acceptance and Transitioning | Person 23 | Person 24 |
| BAI08 Manage Knowledge | Person 13 | Person 14 |
| BAI09 Manage Assets | Person 7 | Person 4 |
| BAI10 Manage Configuration | Person 26 | Person 27 |

Deliver, Service & Support (DSS)

| Process | Process Owner | ITLT Sponsor |
| --- | --- | --- |
| DSS01 Manage Operations | Person 28 | Person 22 |
| DSS02 Manage Service Requests and Incidents | Person 26 | Person 27 |
| DSS03 Manage Problems | Person 26 | Person 27 |
| DSS04 Manage Continuity | Person 3 | Person 4 |
| DSS05 Manage Security Services | Person 26 | Person 27 |
| DSS06 Manage Business Process Controls | Person 3 | Person 4 |

Monitor, Evaluate, & Assess (MEA)

| Process | Process Owner | ITLT Sponsor |
| --- | --- | --- |
| MEA01 Monitor, Evaluate, and Assess Performance and Conformance | Trish Palini | Pete Buckwalter |
| MEA02 Monitor, Evaluate, and Assess the System of Internal Control | Pete Buckwalter | Pete Buckwalter |
| MEA03 Monitor, Evaluate, and Assess Compliance with External Requirements | Bill Goebel | Pete Buckwalter |