Practical Approach To Security Risk Management
G3 Intelligence Limited

Uploaded by: g3-intelligence-ltd

Posted on 20-Jun-2015

DESCRIPTION

A risk management strategy is an approach to dealing with global risks that focuses on anticipating events and on designing and implementing procedures to minimize the occurrence of an event, or its impact if it occurs. In an era of globalization and an interconnected world, the task of protecting the company from global risks has become complicated. Any kind of internal or external risk can disrupt its usual business activities. The source of a potential risk can be a human being, a technology failure, sabotage or Mother Nature. All the risks must be considered individually, since they overlap to a large degree. Our Global Risk Management consulting therefore focuses on: terrorism, internal sabotage, external espionage and technology failure.

TRANSCRIPT

Page 1: Practical approach to security risk management

Practical Approach To Security Risk Management

G3 Intelligence Limited

Page 2: Practical approach to security risk management

The Agenda

•Risk management
•Identifying risks: internal risks, external risks
•Quantitative analysis / qualitative analysis
•Response control
•Tailor-made services & products
•Maintain
•Training

Page 3: Practical approach to security risk management

Possible threats to the organization (open-system organization: input, production, transaction)

•Industrial espionage
•Crime/Terror
•Sabotage
•Mother Nature

Page 4: Practical approach to security risk management

Risk management

Page 5: Practical approach to security risk management

0% treatment of the risks = 100% danger; 1% treatment and above = 99% danger and below.

100% Security ----------------------------------------------------------------- 100% Efficiency

The cost formula 1:10:100 is: Avoid = $1, Identify = $10, Deal with = $100.

We assume that:

THE COST OF PREPARATION IS ALWAYS LOWER THAN THE COST OF RECOVERY.

Page 6: Practical approach to security risk management

DEFINITIONS

•Risk event: A chance of something happening as a result of a hazard or threat which will impact your business activities or a planned event.

•Effect, consequence: The impact of an event, scaled in quantitative or qualitative terms.

•Likelihood: Quantitative description of the probability or frequency of an event.

•Threat/Hazard: The origin of situations that have the potential to cause loss or damage.

Page 7: Practical approach to security risk management

Risk analysis:

Systematic use of available information to determine whether events might happen and how often, and to determine the dimension of the effect (exposure size).

Risk avoidance:

An informed decision not to become involved in a risk situation.

Risk management:

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Page 8: Practical approach to security risk management

Who is at risk

•Physical assets (buildings, inventory, hardware etc.)

•Intellectual assets (software, databases, professional knowledge)

•Financial assets (debt, current account, securities, credit, currency risks)

•Human resources (labor relations, hiring / firing workers)

•Intangible assets (reputation, patents, technology)

Page 9: Practical approach to security risk management

How to deal with risks?

•Risk indifference.
•Risk dispersion.
•Risk share.
•Risk defenses.
•Risk acceptance.

Page 10: Practical approach to security risk management
Page 11: Practical approach to security risk management

Establish context - The frame

In order to determine the context the risk manager will do the following:

–Consider the goals and achievements marked by the management.
–Consider the surroundings of the organization and their impact on the desired outcomes of its activity.
–Identify the stakeholders in the organization.
–Develop criteria to evaluate risk acceptance.

Page 12: Practical approach to security risk management

Consider the goals and achievements marked by the management

•The risk manager should be acquainted with the nature and scope of the organization’s activity.

•All risks derived from the various activities of the organization must be taken into consideration at this stage.

•Our point of view at this stage should be comprehensive rather than meticulous and specific.

Page 13: Practical approach to security risk management

Consider the surroundings of the organization and its impact on the desired outcomes of its activity

•The risk manager should examine the relationships between the organization's activities and the environment affected by them.
•A good understanding of the environment will help develop criteria that enable decision making regarding the acceptability of the risk.
•The factors which need to be taken into consideration: social, economic, legal, technological, environmental. When laying down the assumptions we will take into account our control over those factors.

Page 14: Practical approach to security risk management

Stakeholders

•Stakeholders are individuals who might/could have an effect on the decisions made by the risk manager: employees, managers, volunteers, professional organizations, financial institutions, insurance companies, customers, governments and suppliers of equipment / services / products / raw material.

•Each stakeholder has its own interests, opinions and needs. Therefore consultation and a constant relationship with the stakeholders are crucial and vital in order to maintain effective risk management.

Page 15: Practical approach to security risk management

Develop criteria to evaluate risk acceptance

•The criteria to evaluate risks are used to scale the level of the risk and to determine its acceptability.

•The criteria are often influenced by the conceptions and norms of the stakeholders.

•In this stage we will determine what risks we are willing to confront in the different surroundings of our activities.

Page 16: Practical approach to security risk management
Page 17: Practical approach to security risk management

Stage 2 - Identify risks

•The goal at this point is to compile a list of all the significant risks and their volume.
•To identify risks, the risk manager is required to perform these steps:
–Choose the optimal method to identify risks.
–Choose the relevant risk sources.
–Identify all internal and external risks.
–Examine the risks from the stakeholders' point of view.

–In this stage every risk (low or high) will be taken into consideration.

Page 18: Practical approach to security risk management

TYPES OF RISK

•Physical: includes bodily injuries, injuries from weather and environmental conditions, and physical or property damage to assets belonging to the organization.
•Financial: theft, fraud, credit to customers, loans, fines, damages, costs and insurance.
•Legal: not abiding by obligations to different authorities (state laws, regulations, municipal laws).
•Ethics and morality: harm to the reputation or credibility of the organization, leak of information.

Page 19: Practical approach to security risk management

Internal methods to identify risks

•Read reports and documents related to the activities.
•Learn about the accumulated experience of other similar organizations.
•Interview stakeholders and use questionnaires.
•Make observations on the activities.
•Build various scenarios of the activities and analyze them using SWOT, Pareto and other tools.

Page 20: Practical approach to security risk management

External methods to identify risks

•Use consultants such as lawyers, accountants, security specialists, safety experts, marketing consultants, business and economic consultants, risk managers and businesses.
•Consult professional unions that are relevant to the activities.
•Analyze information and databases from professional magazines and publications.
•Learn the standardization and the regulation.

Page 21: Practical approach to security risk management

Risk sources

•Human behavior.
•Technology and technical issues.
•Occupational health and safety.
•Legal issues.
•Political issues.
•Property and equipment.
•Environmental issues.
•Financial/Market.
•Natural events.

Page 22: Practical approach to security risk management

Risk Classification

•Internal: The risk sources are the organization's own activities - e.g. a risk that an employee / customer will be harmed by the operation of equipment.

•External: The risk sources are external factors affecting the organization - e.g. new regulations requiring new safety arrangements.

•Random: The risk cannot be predicted - force majeure.

Page 23: Practical approach to security risk management
Page 24: Practical approach to security risk management

Stage 3-ANALYZE RISKS

•After identifying the risks we want to determine the extent of the impact of each identified risk on the organization.
•We will start by separating low risks (clearly acceptable) from those that are significant and need to be managed.
•This stage involves assessing the relationship between the likelihood and the impact inherent in the identified risks.
•At this time we need to take into consideration any existing response or treatment.

Page 25: Practical approach to security risk management

The operative meaning of risk level

•After the risk level is determined by the intersection between impact and likelihood, we have to set the practical implications of each level of risk:
•Very high - Certain damage to the organization - we need to act immediately.
•High - We need to act because of potential damage.
•Medium - We need to ask relevant people to take care of the risk and to set supervision procedures.
•Low - The treatment will be by the routine procedures.

Page 26: Practical approach to security risk management
Page 27: Practical approach to security risk management

Stage 4- Risk evaluation

•Until now we have set the context and identified and analyzed the risks.
•The next step is to assess the risks by comparing the levels of risk to the criteria set in the context stage about which risks are acceptable or not.
•The risk evaluation will take into consideration:

-The importance of the task and it’s products.

- The level of control on the risk.

- Potential damages.

- Benefits and opportunities that the risk poses.

Page 28: Practical approach to security risk management

You can decide the risk is "acceptable" because of:

Very low level of risk.

Cost / benefit - low level of risk - the benefits of accepting it exceed the costs of treating it.

The risk is more opportunity than threat.

Now we use the criteria from stage one about acceptable risks.
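The two slides above (Stage 3, the operative meaning of risk level, and Stage 4, risk evaluation against the acceptance criteria) describe a procedure but give no numbers. The following is an added example, not code from the deck or from G3 Intelligence, that carries the procedure through as a small risk register: a score at the intersection of likelihood and impact, a residual score once existing treatment is taken into consideration, the four levels with their stated actions, and the Page 28 acceptance criteria. The 1..5 scales, the score thresholds, the rule that cost/benefit applies to Medium risks, and every risk name, score and cost in the sample register are assumptions constructed for the example.

```python
"""Stage 3 (analyze) and Stage 4 (evaluate) of the deck's process as a small risk register.

Added example; the scales, thresholds and sample risks below are assumptions, not values from the deck.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed 1..5 scales for likelihood and impact and assumed score thresholds
# (score = likelihood x impact, so the range is 1..25).
SCALE_MIN, SCALE_MAX = 1, 5
LEVEL_THRESHOLDS: List[Tuple[int, str]] = [(20, "Very high"), (12, "High"), (5, "Medium"), (0, "Low")]

# Practical implication of each level, as stated on the slide "The operative meaning of risk level".
ACTIONS: Dict[str, str] = {
    "Very high": "act immediately",
    "High": "act because of potential damage",
    "Medium": "assign responsible people and set supervision procedures",
    "Low": "treat through routine procedures",
}


@dataclass
class Risk:
    name: str
    source: str                      # one of the deck's risk sources (human behavior, natural events, ...)
    likelihood: int                  # inherent likelihood on the assumed 1..5 scale
    impact: int                      # inherent impact on the assumed 1..5 scale
    existing_treatment: Optional[str] = None
    likelihood_reduction: int = 0    # how much the existing treatment lowers likelihood
    impact_reduction: int = 0        # how much the existing treatment lowers impact
    treatment_cost: float = 0.0      # cost of the proposed treatment (constructed currency units)
    benefit_of_accepting: float = 0.0
    is_opportunity: bool = False     # the risk is more opportunity than threat


def _check_scale(value: int, label: str) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be within {SCALE_MIN}..{SCALE_MAX}, got {value}")


def score(likelihood: int, impact: int) -> int:
    """Risk score at the intersection of likelihood and impact."""
    _check_scale(likelihood, "likelihood")
    _check_scale(impact, "impact")
    return likelihood * impact


def risk_level(risk_score: int) -> str:
    """Map a score to the deck's four levels using the assumed thresholds."""
    for threshold, level in LEVEL_THRESHOLDS:
        if risk_score >= threshold:
            return level
    return "Low"


def analyze(risk: Risk) -> Dict[str, object]:
    """Stage 3: inherent score, residual score after existing treatment, level and action."""
    inherent = score(risk.likelihood, risk.impact)
    residual_likelihood = max(SCALE_MIN, risk.likelihood - risk.likelihood_reduction)
    residual_impact = max(SCALE_MIN, risk.impact - risk.impact_reduction)
    residual = score(residual_likelihood, residual_impact)
    level = risk_level(residual)
    return {"name": risk.name, "inherent_score": inherent, "residual_score": residual,
            "level": level, "action": ACTIONS[level]}


def evaluate(risk: Risk) -> Tuple[bool, str]:
    """Stage 4: compare the residual level with the acceptance criteria from Page 28."""
    level = analyze(risk)["level"]
    if risk.is_opportunity:
        return True, "more opportunity than threat"
    if level == "Low":
        return True, "very low level of risk"
    # Assumption: the cost/benefit criterion is applied to Medium risks only.
    if level == "Medium" and risk.benefit_of_accepting > risk.treatment_cost:
        return True, "benefits of accepting exceed the costs of treating"
    return False, f"{level} risk above acceptance criteria"


def build_register(risks: List[Risk]) -> List[Dict[str, object]]:
    """Register ordered by residual score, highest first, with the Stage 4 decision attached."""
    rows = []
    for risk in risks:
        row = analyze(risk)
        row["acceptable"], row["reason"] = evaluate(risk)
        rows.append(row)
    return sorted(rows, key=lambda r: r["residual_score"], reverse=True)


def unacceptable_priorities(risks: List[Risk]) -> List[str]:
    """Names of the risks that still need treatment, in priority order (input to Stage 5)."""
    return [r["name"] for r in build_register(risks) if not r["acceptable"]]


# Constructed sample register (names, scores and costs are illustrative, not from the deck).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", "Technology and technical issues", 5, 4,
         treatment_cost=8000),
    Risk("Laptop theft from office", "Property and equipment", 3, 3,
         existing_treatment="full-disk encryption", impact_reduction=2, treatment_cost=2000),
    Risk("Flooding of ground-floor storage", "Natural events", 2, 4,
         treatment_cost=50000, benefit_of_accepting=60000),
    Risk("New export regulation", "Political issues", 3, 2, is_opportunity=True),
    Risk("Insider sabotage of production line", "Human behavior", 2, 5, treatment_cost=10000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['residual_score']:>2} {row['level']:<9} {row['name']:<38} "
              f"{'accept' if row['acceptable'] else 'treat'}: {row['reason']}")
```

Running the block prints the register in priority order; the two entries that come out as "treat" (the unpatched server at Very high and the sabotage scenario at Medium with no offsetting benefit) are exactly the list that Stage 5 starts from. The point of the residual score is the deck's own remark that existing treatment must be taken into consideration: the laptop theft risk drops from Medium to Low only because full-disk encryption is already in place.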

Page 29: Practical approach to security risk management
Page 30: Practical approach to security risk management

Stage 5 - Risk treatment

•The risk treatment actions:

- Identify alternatives that can be used to treat risks.

- Selecting the best alternative in terms of feasibility and Cost - benefit.

- Preparation of a detailed plan to treat the risks.

- Implementation of the plan.

Identifying alternatives to treat the risks:

- Avoid the risk - By a decision to cancel the activity or replace it with a less dangerous one that yields similar products. (Be aware of a new risk… someone can sue you…)

Page 31: Practical approach to security risk management

- Transfer the risk - Referring the responsibility to another party that can manage the risk better.

- Sample - Insurance, outsourcing, including terms of exclusion in the contract.

- Retain the risk - Once we accept the fact that the risk cannot be prevented, controlled or transferred, or, alternatively, that the treatment costs do not pass the cost-effectiveness test.

- Control the risk - By activities that reduce the likelihood of the risk materializing or the damage that can be caused when it does.

- Sample for reducing the likelihood: Increasing quality assurance, training, supervision, examination and testing, process control, preventive maintenance.

- Sample for reducing the damages: Exceptional events program (business continuity plan), a change or cancellation of the activity.

Page 32: Practical approach to security risk management

•Preparing a plan to treat the risks: The risk treatment plan describes how the alternative selected in the previous stage will be applied.
•The plan will consider these aspects:

- Sources of risk and events related to them.

- Risk analysis - likelihood, consequences and levels of risk.

- Priorities of the unacceptable risks and selected alternatives.

- Persons responsible for implementing the treatment.

- Performance measures to track implementation.

- Steps and timetables to implement the alternatives.

- Timetable for control.

Page 33: Practical approach to security risk management

Thank you!

G3 Intelligence Ltd

1 Bedford Row, WC1R 4BZ London UK

[email protected]

G3 Intelligence Sagl

Via Livio 14, Chiasso CH

+41 767634383