Risk managent in IT
Introduction to risk management
Stanislav Masák, MSc.
masakst@gmail.com
2022
Risk management
This is an area of management that focuses on risk analysis and mitigation. The
goal of risk analysis is the elimination or reduction and, in fact, in its essence, the
detection of all potential risks.
What is risk? According to the definition of the Ministry of the Interior of the Czech
Republic = The possibility that an event will occur with a certain probability that
we consider undesirable from a security point of view. Risk is always derivable and
derived from a specific threat. The level of risk, i.e. the probability of harmful
consequences resulting from the threat and the vulnerability of the interest, can
be assessed on the basis of a so-called risk analysis, which is also based on an
assessment of our readiness to face threats.
2022
Introduction to risk management
Glossary:
Risk - a potential event in the future with negative consequences. So the risk may
or may not occur. Certain risks are associated with every activity, therefore risks
have always been, are and will be present in the operation of every organization.
The goal is therefore not to eliminate all risks, but to be aware of them and work
with them (i.e. manage them).
Asset - It is anything (tangible or intangible) that can be used to produce positive
economic value. Assets represent value of ownership that can be converted into
cash.
Risk management – an integral part of every decision in the organization.
Continuous activity aimed at reducing the probability of occurrence of risks or
reducing their impact. The purpose of risk management is to prevent problems or
negative phenomena, i.e. prevent the occurrence of problems and thereby avoid
the need for crisis management.
Risk significance – the relative importance of the risk to the organization, which
is usually expressed as the product of the probability of the risk and the impact of
the risk. (Hereinafter referred to as V).
2022
Introduction to risk management
Glossary:
Risk probability – the degree of probability of a risk event occurring in the
future, measured according to prevailing practice on a scale of 1-5 (1 least likely, 5
most likely). (Hereinafter referred to as P).
Risk impact (effect on the organization) – the extent of the negative impact
or loss that the organization will incur in the event of a risk event. It can include
both direct financial losses or additional costs, as well as impacts of a non-financial
4 nature, e.g. loss of good reputation, reduction in the quality of services for
citizens, etc.). According to the prevailing practice, the impact of the risk is again
measured on a scale of 1-5 (1 the least negative impact, 5 the greatest negative
impact). (Hereinafter referred to as D).
Risk map – result of risk analysis; an overview of the organization's identified
risks can be sorted according to their significance in the program, which serves as
one of the bases for compiling - these risk maps serve and for the purposes of
managing the organization's risks by its management.
2022
Introduction to risk management
Glossary:
Top management of the organization – 1st and 2nd level of organization
management, director and deputies, heads of key departments, e.g. economic or
financial department, informatics department, legal department
Managers at other levels of management – other managers at lower
management levels of the organization.
Risk management is a continuous, recurring set of interconnected activities, the
goal of which is to manage potential risks, i.e. to limit the likelihood of their
occurrence or reduce their impact on the organization and its goals. The purpose
of risk management is to prevent problems or negative phenomena, to avoid crisis
management and to prevent the emergence of problems. Risk management
consists of several interconnected phases - 4, 5, 6 or 8 are distinguished according
to different methodologies. 6 basic phases are most often used, namely:
• risk identification • risk analysis
• risk evaluation • risk mitigation
• risk management • risk monitoring and review
2022
Introduction to risk management
Fundamental to risk management is its analysis. Risk analysis is used to determine
the degree of danger (threat) to which the organization is exposed, how
vulnerable its assets are to these threats, how likely the threat is to occur
(vulnerability) and what impact it may have on the organization. The basic
principles of risk management can be summarized in the following statements:
• Every human activity brings certain risks
• Zero risk does not exist
In organizations, responsibility for risk management is distributed throughout
management. The highest responsibility naturally rests with the owner, the
statutory body and the top management of the company.
In small organisations, responsibility for risk management is concentrated at the
level of the statutory body, as it is not efficient to employ a dedicated full-time risk
manager. In medium and large organizations, responsibility is distributed among
individual managers. Large organizations or organizations doing business in a risky
environment (for example, banks, insurance companies, petrochemical and energy
industries, aviation industry, transport) have a designated specialist (risk
manager). Risk management is almost always linked to the role of the CFO, as the
effects of risks (damages) and countermeasures can be expressed financially and
have an impact on financial planning.
2022
Introduction to risk management
Winterling crisis matrix - a graphical representation used to interpret the risk map
2022
Introduction to risk management
Risk management models applied in practice
A centralized risk management model
Brief description: The risk management of the organization is in charge of the Risk
Management Committee consisting of the top management of the organization.
One of the organization's employees (risk manager) is tasked with coordinating
activities in the area of ​​risk management across the organization and preparing
documents for meetings and decision-making by the Risk Management
Committee. Prerequisites An employee who is in charge of coordinating risk
management in an organization must have sufficient knowledge, experience,
competence and trust on the part of the top management of the organization as
well as managers at other levels of management in order to be able to ensure:
• Active and open communication with members of the Risk Management
Committee
• Preparation of complete and true documents (in cooperation with senior staff at
all levels of management and specialist departments) including the inclusion of
negative information and possible impacts related to the given operation, which
are relevant for deciding on the next course of action
2022
Introduction to risk management
Risk management models applied in practice
• Submission of these documents to the Risk Management Committee and active
participation in their discussion Members of the Risk Management Committee must
be willing and able to accept the existence of risks in the operations under their
management, not try to marginalize them and continue to work with them, not
only individually, but even in front of other members of the top management of
the organization.
Advantages:
It allows the organization to emphasize risk management in the form of separate
activities aimed at identifying, evaluating, monitoring and reporting significant
risks in the organization. When properly implemented, it gives the organization's
top management reasonable assurance that key risks are being consistently
managed by executives at the appropriate levels of the organization.
2022
Introduction to risk management
Risk management models applied in practice
Disadvantages:
Among the most frequently identified shortcomings of risk management are a
tendency towards formalism, understanding the organization's risk map or risk
catalog as the goal of activities in the area of ​​risk management, not as a mere tool
for active risk management by the organization's management, and excessive
emphasis on quantifying the significance of risks, rather than on further work with
by them. All these shortcomings are naturally supported by the introduction of a
centralized risk management model rather than prevented. It is therefore a model
in the environment of non-profit organizations suitable only for those organizations
that really operate in a risky environment and where the functioning of the risk
management system in the form of separate activities aimed at identifying,
evaluating, monitoring and reporting significant risks is therefore key to their
successful functioning. In other organizations that operate in a standard
environment, where the worst possible negative impact of a bad decision is
financial loss, additional costs or possible administrative or legal proceedings, this
risk management model is not very effective, and in practice, its disadvantages
tend to be more apparent.
2022
Introduction to risk management
Risk management models applied in practice
Decentralized risk management model
Brief description: Risk management is an integral part of every decision made
within the organization by its managers. From a certain level of significance of the
decision taken, risk management must have its documented form so that an audit
trail remains in the organization. The level of significance is determined by the
organization itself in its internal regulations and can, or it should be different for
different types of operations in different areas (according to the riskiness of
operations of a given type in a given area for the organization in general).
Prerequisites for functioning: Managers at all levels of management must
understand what risk is and how to work with it, and consciously apply this
knowledge in practice when managing the department entrusted to them, always
in proportion to the operation they are deciding on.
2022
Introduction to risk management
Risk management models applied in practice
Advantages:
It eliminates most of the disadvantages of a centralized risk management model.
It does not assume the existence of a central risk coordinator, from whom it is
naturally very difficult to demand such a degree of knowledge, experience and
competence in the public administration environment that he would be an equal
partner to the top management of the organization in the discussion of risk
management.
Disadvantages:
In order to function optimally, it requires the active participation of all senior
employees at individual management levels. However, a condition for the good
functioning of the decentralized risk management model is not that it be applied
perfectly across the entire organizational structure from the very first moment.
Somewhere it can work better and somewhere worse, it depends on specific
managers. Gradually, it can be unified across the organization in the form of
transferring good practice from the departments where it works to the others.
2022
Introduction to risk management
Risk management models applied in practice
Algorithm of possible risk management
2022
Introduction to risk management
ISO 31000 is a family of standards relating to risk management codified by the International
Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines
on managing risks faced by organizations.
ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies
employing risk management processes to replace the myriad of existing standards,
methodologies and paradigms that differed between industries, subject matters and regions.
For this purpose, the recommendations provided in ISO 31000 can be customized to any
organization and its context.
As of 2020, ISO/TC 262, the committee responsible for this family of standards, has published
five standards, while four additional standards are in the proposal/development stages.
Meaning of the standard:
The purpose of the standard is to ensure the influence of business risks with regard to the
internal and external environment, and this by appropriate risk management in such a way
that the occurrence of risks is reduced with regard to their impact on the organization.
Use / application of the standard:
This standard defines the requirements for a risk management system and is applicable to all
types of organizations, it can be used for both service and manufacturing sectors. It is
applicable to any type and size of organization.
2022
Introduction to risk management
ISO/IEC 27001 - Information security management
History: The first standard covering information security requirements was BS 7999. The aim
of this first standard was to define the requirements for the protection of information in
general, i.e. stored not only on electronic media, but also printed or communicated by word or
image. Since the development of technology since 2000 has brought IT technologies a
dominant role in the field of information, this caused the need to create the ISO 27001
standard in 2006 and subsequently amend it in 2013.
The principle of the norm: The ISO 27001 standard is an internationally valid standard that
defines the requirements for an information security management system. The standard
specifies information security management requirements, requiring the company to handle all
internal information or information shared with its partners or employees in such a way that it
is not lost, misused or even just a violation of trust.
The contribution of the standard to the organization
· brings, thanks to the standardization of processes, the efficiency of activities in the
classification of risks associated with the loss or misuse of information
· will enable individual companies to gain confidence in sharing information with their business
partners
· will reduce the risk of additional costs related to possible unexpected events
2022
Introduction to risk management
ISO 27002 Information security, cybersecurity and privacy protection —
Information security controls
Abstract:
This standard provides a reference set of generic information security controls including
implementation guidance. This standard is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on
ISO/IEC27001;
b) for implementing information security controls based on internationally recognized best
practices;
c) for developing organization-specific information security management guidelines.
ISO 27005
ISO/IEC 27005 provides guidelines for the establishment of a systematic approach to
Information Security risk management which is necessary to identify organizational needs
regarding information security requirements and to create an effective information security
management system. Moreover, this international standard supports ISO/IEC 27001 concepts
and is designed to assist an efficient implementation of information security based on a risk
management approach.
2022
Introduction to risk management