
Executive Blueprints, Inc

Risk Management
By Louis W. Mehrmann

Risk Management Index


1. Introduction
2. Principal Factors
3. The Methodology
4. Helpful Hints
5. The Risk Analysis Team
6. Review Checklist

Copyright 2006-2007 Executive Blueprints Inc. All Rights Reserved

Preparation
To get the most out of this tutorial, we suggest that you prepare with writing instruments and your canvas (blank paper) available as you follow along. You can document your personal ideas and observations as you follow the presentation.
For best results, group participation or review is recommended. It is also suggested that you go through the entire process and then review what you have learned in practice.

Look for this icon in the top right corner as a prompt for you to document your personal strategy canvas.

Introduction
Most management decisions involve the assumption of risk: the chance that things may not turn out the way we hope or want them to. Therefore, risk management has become an integral part of general organization and project management. Three principal factors significantly influence risk:
o Rapid growth in the centralization of data, and in the information extraction processes
o Increasing dependence on employees with skills, talents, disciplines, and sometimes motivations, quite different from those with which management has been familiar in the past
o Increased proliferation of mini, micro and portable processing devices, with an associated distribution of key data to remote nodes for data extraction, data update, and data addition


Assessment Procedure
Any procedure that provides sufficient accuracy and credibility while reducing the labor needed to perform the risk assessment is acceptable. There are, however, several characteristics which an acceptable procedure should exhibit, including the following:
o Quantitative Results: The process must yield quantitative data describing the cost of potential problems in terms of cost per unit of time, such as dollars per year.
o Fundamental Simplicity: The process should be readily comprehensible by the highest levels of management expected to support and fund action based on the data presented.
o Usability: The requirements for data from the Users of Data Processing should be limited in complexity to ensure that it is understandable to persons whose areas of competence and interest do not include risk assessment.


Assessment Scope
Assessment scope can be a serious point of contention. Some individuals want to limit consideration to catastrophic events such as fire, flood, earthquakes, and volcanoes. Others want to focus only on intentional misconduct such as fraud and embezzlement. The correct position is that consideration must be extended to the effects of all of the undesirable things that might happen to data or to the means of accessing and processing data.

Care must be taken to insist that concern is limited to the effects of undesirable things and not extended to a virtually endless list of bad things (the threat list).
It is not until the cost of the undesired event and its estimated frequency have both been examined that a potential source of damage can be justifiably excluded from further consideration.


Assessment Purpose
The purpose of performing a risk assessment is to obtain a quantitative statement of the potential problems to which the data processing facility is exposed, so that appropriate, cost-effective protection safeguards can be selected. It is assumed that, once armed with such information, no protective measure will be selected that costs more than toleration of the problem. The risk assessment should establish that threshold.


Analysis Elements
Two key elements in risk analysis are:
o A statement of impact: how badly a specific difficulty would hurt if it happens.
o A statement of the probability of encountering that difficulty within a specific period of time.
Both parameters are needed to describe risk in terms of cost per unit of time, such as dollars per year.

Note: The probability of an undesirable thing happening is usually more difficult to determine with confidence than is a measure of the consequence of its happening. However, statements of the potential economic impact of events without regard to their relative probability cannot lead to the identification of exposures worthy of corrective action.

Risk Options
Once an exposure to risk has been identified, we have three options to address it. We can:
1. Tolerate it
2. Lower the potential cost by implementing measures costing less than the total loss in dollars per year
3. Lower the probability of the loss occurring by implementing protective measures costing less than the exposure

Unless we quantify both the potential cost and the probability of occurrence, we cannot be in a position to make an informed selection of any of the three options.

Insurance as an Option
Insurance is not a fourth option. It only provides a means of softening the effect of a loss when and if it happens. As such, it is a matter to be considered after the election of the other options. Downward adjustment of risk should lessen either:
o The amount of insurance required (in the case of reduced cost), or
o The insurance rate (in the case of reduced probability of occurrence)

Evaluating Sensitive Data


How should the evaluation of incorrect or lost data be measured? Quantifiable measurement in dollars is the ideal evaluation method. However, the assignment of dollar values to certain types of data can be an issue when:
o The data under consideration, if disclosed or otherwise harmed, would have some identifiable and undesirable political or social ramification, and is possibly affected by privacy legislation.
o The data is involved with defense or intelligence activities, since the risks associated with these two categories are generally much more difficult to assess quantitatively than are many other exposures.

When the assignment of dollar values is a stumbling block to progress, it is advisable to consider alternate means of identifying and defining the severity of the potential problems to be assessed.

Alternate Evaluation Methods


The reluctance to use dollars as a measure has led to the use of other means to define the severity of problems. In these categories, a relative sensitivity rating, for example on a scale of 1 to 5, is a methodology that may be employed. Such a rating scheme can be valuable as a means of communicating an assessment of the potential for harm to people due to the loss of security to files of specific types. For example, a rating of 1 indicates great sensitivity for psychiatric data, and a 2 for files having less sensitive data such as tax files. It is conceivable that a convention using the relative sensitivity scale of 1 to 5 can be coupled with another measure describing probability of occurrence to provide an expression which says, for example: the probability of a 2-sized problem is 0.3 times per year. Although useful in sizing the exposure to data sensitivity, these ratings do not provide an adequate parameter for guidance in selecting economically feasible security measures. Such rating schemes should coexist with risk analysis techniques which quantify the problem in dollars.

Justifying Protection
A specific protection measure that contains only one problem is often difficult to justify. The best protective measures usually contain, or assist in containing, multiple problems. Any summation of the risks to be contained by specific protective measures, or combinations of them, requires that the risks be expressed in common units of measure. If some problems are expressed in economic terms and others in non-dimensional sensitivity ratings, the ability of specific measures to contain this variety of problems will be awkward to assess and difficult to cost-justify. Experience indicates that the application of standard risk analysis methodologies to data collections will often dictate measures adequate to also include protection against disclosure, thus relieving the need for solid quantification of social impact, either real or imagined.

The Methodology
Assessment Objective:
Develop a quantitative statement of the potential cost of losses of security in and about a data processing facility, where such losses might result in a failure to provide the services desired or expected. The concept this objective supports is the implementation of controls at a cost significantly less than that of suffering the problems to which they apply, thereby bringing the associated data processing operations risk to an acceptable level. The overall goal is to protect the provision of data processing services through the protection of the capabilities needed to provide those services. Thus, the concern is with the protection of means or capabilities, not physical assets.

The Evaluation Process Should Identify and Prioritize:


o All critical functions supported by the data processing facility
o The critical resources required to support provision of those critical functions

Problem Sources
Data security problems are those presented by any of the six undesirable things that could happen to data. They are:
o Accidental disclosure
o Accidental modification
o Accidental destruction
o Intentional disclosure
o Intentional modification
o Intentional destruction
In addition, there can be the denial of processing capability. Because there are six categories of undesirable things which can happen to data, in addition to the inability to process it, and because the cost or probability of their occurrence, or both, may vary widely as a function of which data is being considered, experience has shown it to be desirable to look at the potential cost of an event and its probability of occurrence in a rather fine-grained structure; that is, to look at the results of each bad thing happening to every file, dataset, or other convenient aggregation.

Sample Risk Assessment Form


This sample form can be used to evaluate the risk to data from all causes, including its loss to physical threats such as fire. Although the form suggested for use in the accumulation of data to support the risk assessment forces the examination of the consequences of security problems down to the data set level, the data sets listed are grouped application by application. The risk assessment, then, is done at the application level, not at the data set level.

Doing a Risk Analysis


Refer to the form on the previous slide. The far left column is for listing the data collections needed to support the application under consideration. If the application is easier to consider with further subdivision, these datasets should be grouped accordingly. However, further subdivision should not be forced.

Some datasets support multiple applications. In such cases, it is necessary to list them with each corresponding application and to note in the comments column that they have been so listed. It is not satisfactory to list only once those datasets which support several applications, because some applications may be more dependent on that dataset than others. Furthermore, unless a file is listed with each corresponding application, the totality of the dependence may not be calculable.

The first objective is to assign values for impact (V), probability or frequency of occurrence (P), and annualized risk cost (E) at each intersection in the matrix. Refer to the next slide for V, P, and E values. Many intersections may describe problems that are sufficiently small that they may be neglected. Ordinarily, if the sum of V and P, as described on the next slide, is less than 6, the intersection can be neglected. Care must be taken, however, to avoid disregarding an intersection merely because the per-instance dollar impact (V) is low: the probability of occurrence (P) may be sufficiently high to yield a high annual cost (E) for this problem.

Sample Value Matrix


Annualized risk cost (E) for each impact value V (columns) and frequency P (rows). Cells are blank where V + P is less than 6 (small enough to be neglected, as described on the previous slide) or greater than 12 (not shown on the slide):

        V=1     V=2     V=3     V=4     V=5     V=6     V=7
P=1     -       -       -       -       $300    $3K     $30K
P=2     -       -       -       $300    $3K     $30K    $300K
P=3     -       -       $300    $3K     $30K    $300K   $3M
P=4     -       $300    $3K     $30K    $300K   $3M     $30M
P=5     $300    $3K     $30K    $300K   $3M     $30M    $300M
P=6     $3K     $30K    $300K   $3M     $30M    $300M   -
P=7     $30K    $300K   $3M     $30M    $300M   -       -
P=8     $300K   $3M     $30M    $300M   -       -       -

If the $ impact of the event is:
$10 -> V=1;  $100 -> V=2;  $1,000 -> V=3;  $10,000 -> V=4;  $100,000 -> V=5;  $1,000,000 -> V=6;  $10,000,000 -> V=7

If the estimated frequency of occurrence is:
Once / 300 years -> P=1;  Once / 30 years -> P=2;  Once / 3 years -> P=3;  Once / 100 days -> P=4;  Once / 10 days -> P=5;  1 time / day -> P=6;  10 times / day -> P=7;  100 times / day -> P=8
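The V and P scales, the value matrix and the V + P < 6 threshold above, worked through in code. This is an added Python example and is not part of the Executive Blueprints tutorial. It assumes that the matrix cells follow 10^(V+P-3)/3 rounded to one significant figure (an inference from the cells, which depend only on V + P, not a formula the slide states), and the sample risk form with its applications, datasets and (V, P) pairs is constructed for illustration. It also applies the Risk Options test that a safeguard is justified only if it costs less than the exposure it removes, and the Doing a Risk Analysis rule that a dataset shared by several applications is listed under each of them.

```python
import math

# Impact scale from the slide: V=1 is $10, V=2 is $100, ... V=7 is $10,000,000.
IMPACT_DOLLARS = {v: 10 ** v for v in range(1, 8)}

# Frequency scale from the slide, expressed as events per year.
FREQUENCY_PER_YEAR = {
    1: 1 / 300,    # once in 300 years
    2: 1 / 30,     # once in 30 years
    3: 1 / 3,      # once in 3 years
    4: 365 / 100,  # once in 100 days
    5: 365 / 10,   # once in 10 days
    6: 365,        # once a day
    7: 3650,       # 10 times a day
    8: 36500,      # 100 times a day
}

NEGLECT_BELOW = 6  # slide: an intersection with V + P < 6 can ordinarily be neglected


def value_index(impact_dollars):
    """Nearest V on the slide's scale for a per-instance dollar impact."""
    return min(max(round(math.log10(impact_dollars)), 1), 7)


def probability_index(events_per_year):
    """Nearest P on the slide's scale for an estimated frequency. Compared on a
    log scale, because each step of the scale is a factor of ten."""
    target = math.log10(events_per_year)
    return min(FREQUENCY_PER_YEAR,
               key=lambda p: abs(math.log10(FREQUENCY_PER_YEAR[p]) - target))


def annual_exposure(v, p):
    """Annualized risk cost E (dollars per year) for one intersection.
    Assumption: every matrix cell is 10^(V+P-3)/3 rounded to one significant
    figure ($300 at V+P=6, $3K at 7, ...). Neglected cells (V+P < 6) give 0."""
    if v + p < NEGLECT_BELOW:
        return 0.0
    e = 10 ** (v + p - 3) / 3
    return round(e, -int(math.floor(math.log10(e))))


def format_cell(e):
    """Render a cell the way the slide does: -, $300, $3K, $3M, ..."""
    if e == 0:
        return "-"
    for unit, div in (("M", 1e6), ("K", 1e3)):
        if e >= div:
            return f"${e / div:g}{unit}"
    return f"${e:g}"


def value_matrix():
    """The slide's value matrix as {(v, p): E} for V=1..7 and P=1..8."""
    return {(v, p): annual_exposure(v, p) for v in range(1, 8) for p in range(1, 9)}


def application_exposure(form):
    """Roll a filled-in risk form up to the application level.
    form = {application: {dataset: {undesirable event: (V, P)}}}. A dataset that
    supports several applications appears under each of them, as the slide
    requires, so its exposure counts towards every application depending on it."""
    return {app: sum(annual_exposure(v, p)
                     for events in datasets.values()
                     for v, p in events.values())
            for app, datasets in form.items()}


def safeguard_justified(exposure_before, exposure_after, annual_cost):
    """Options 2 and 3 of the Risk Options slide: a protective measure is worth
    taking only if its yearly cost is below the exposure it removes; otherwise
    option 1 (tolerate the risk) is the cheaper choice."""
    return annual_cost < exposure_before - exposure_after


# Constructed sample form (not from the page): two applications sharing one dataset.
SAMPLE_FORM = {
    "payroll": {
        "employee master": {"intentional modification": (4, 3),
                            "accidental destruction": (5, 2)},
        "pay rate table": {"accidental modification": (3, 4)},
    },
    "claims payment": {
        "employee master": {"intentional modification": (4, 3)},  # listed again on purpose
        "beneficiary addresses": {"intentional modification": (3, 4)},
    },
}

if __name__ == "__main__":
    matrix = value_matrix()
    print("      " + "".join(f"V={v:<6}" for v in range(1, 8)))
    for p in range(1, 9):
        print(f"P={p}   " + "".join(f"{format_cell(matrix[(v, p)]):<8}" for v in range(1, 8)))
    for app, e in application_exposure(SAMPLE_FORM).items():
        print(f"{app}: {format_cell(e)} per year")
    # Would a $2,000/year control that cuts the payroll exposure by two thirds pay for itself?
    before = application_exposure(SAMPLE_FORM)["payroll"]
    print("control justified:", safeguard_justified(before, before / 3, 2000))
```

Running the block prints the same matrix as the slide. On the constructed form, both applications carry only V + P = 7 intersections, so each counts $3K per intersection: $9K per year for payroll and $6K for claims payment, the shared employee master file contributing to both.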



Probability Analysis
It is important to recognize that the assessment of probabilities is dependent on the background, knowledge and behavioral characteristics of the individuals assigned to perform the risk analysis. With on-going systems for which there is a body of knowledge, particularly as it applies to high-probability errors and omissions problems, the task of assigning probability is relatively easy: there is usually an experience base from which the team can work. It is usually more difficult to assign probabilities to dishonest behavior problems. Informed judgment based on a thorough knowledge of the environment under consideration is the best approach.

Common sense is also a very powerful weapon in attacking a probability analysis. For example, in a life insurance beneficiary payment system where several hundred to a thousand or more people know that it is easy to change a beneficiary address without the risk of anyone verifying the new address, there is an exposure to at least one dishonest person successfully diverting checks to an address where they can be obtained and cashed. Obviously, the probability of occurrence is much higher than once in 30 years and probably much lower than once every ten days. Factoring in the real number of people who know of the potential for harm can then influence the final selection. For example, if the number of people is high, then one instance every 100 days may be a reasonable choice; if the number of people is significantly less, then one instance every 3 years may be a possible choice.

Contingency Planning
Most organizations have a critical dependence on the timely conduct of certain data processing functions. These functions are usually in the order of 15% to 20% of the total workload. It is important that this portion of the workload be specifically identified, and that contingency plans be laid which include the availability of all the things necessary to process elsewhere in the event of a loss of the primary facility.

The identification and quantification of any potential problems associated with delaying the performance of critical tasks is usually necessary to the establishment of cost-effective contingency plans. These plans should reflect the needs of the organization for the processing of jobs by the data processing facility. If the nature of this dependence is not known, a good contingency plan is difficult to justify, with the consequent risk of spending an inappropriate amount for a workable back-up arrangement.

Another product of the risk assessment is the identification of these time-dependent applications and an awareness of the cost to the organization as a function of the length of time it is without the ability to perform the work in this category. Hence the need for the time columns on the risk assessment form. The time intervals selected should be appropriate to the particular organization and the particular business function.
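The time columns and the cost-of-delay reasoning above as an added Python example, not code from the tutorial. The critical applications, the outage intervals (the form's time columns), the loss figures and the once-in-30-years facility-loss frequency are all constructed assumptions for illustration; the slide says the intervals must be chosen to suit the particular organization and business function.

```python
# Time columns on the risk assessment form: the cost to the organization if an
# application cannot be processed for this many days. Constructed sample figures,
# not from the page.
CRITICAL_APPLICATIONS = {
    "payroll":     {1: 0,      3: 20_000,  7: 150_000, 14: 600_000,   30: 2_000_000},
    "order entry": {1: 50_000, 3: 200_000, 7: 700_000, 14: 2_000_000, 30: 6_000_000},
}


def loss_for_outage(time_columns, outage_days):
    """Cost of being unable to process for `outage_days`, read from the first
    time column that is at least that long (the form records one cost per
    column, so the figure is a step function of outage length)."""
    for days in sorted(time_columns):
        if outage_days <= days:
            return time_columns[days]
    raise ValueError("outage is longer than the form's last time column")


def annual_outage_exposure(apps, outage_days, facility_losses_per_year):
    """E for loss of the primary facility: the summed loss across the critical
    applications for an outage of this length, times how often per year the
    facility is expected to be lost (impact x frequency, as for any other risk)."""
    total = sum(loss_for_outage(cols, outage_days) for cols in apps.values())
    return total * facility_losses_per_year


def max_justified_backup_spend(apps, days_without_plan, days_with_plan,
                               facility_losses_per_year):
    """Upper bound on what a back-up arrangement is worth per year. It restores
    processing in `days_with_plan` instead of `days_without_plan`, so paying
    more than the exposure it removes would cost more than tolerating the outage."""
    before = annual_outage_exposure(apps, days_without_plan, facility_losses_per_year)
    after = annual_outage_exposure(apps, days_with_plan, facility_losses_per_year)
    return before - after


if __name__ == "__main__":
    rate = 1 / 30  # constructed assumption: primary facility lost once in 30 years
    for days in (1, 3, 7, 14, 30):
        e = annual_outage_exposure(CRITICAL_APPLICATIONS, days, rate)
        print(f"{days:>2}-day outage: ${e:,.0f} per year")
    spend = max_justified_backup_spend(CRITICAL_APPLICATIONS, 30, 3, rate)
    print(f"justified back-up spend: ${spend:,.0f} per year")
```

With these figures, a 30-day loss of processing costs $8M once every 30 years, an exposure of about $267K per year; a back-up arrangement that restores processing within 3 days brings that down to about $7K, so spending up to roughly $259K per year on it is justified, and anything above that would cost more than the outage it prevents.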

Sample of Filled in Risk Form


Helpful Hints
Performing a risk assessment often leads to a number of unanticipated questions in a number of areas that may impede progress. The following charts address the most common areas of concern:
o Threat Analysis
o Errors and Omissions
o Dishonest Employees
o Personal Integrity
o White Collar Crime
o Physical/Processing Loss
o Fire Damage
o Avoidance of Subdivision
o Security/Risk Maintenance
o Security Assessment Questions

Helpful Hints
Threat Analysis: There is often a tendency to think that a threat analysis needs to be conducted before a risk assessment can be accomplished. Listing threats can be an endless task, and experience strongly implies that, no matter how long the list, it will be sufficiently incomplete that planning around it will be less effective than desirable. A list of generic threats, such as fire, water, communications failures, power failures, data entry errors, and programming errors, is generally adequate. Vulnerabilities are far more important to the risk determination than are detailed lists of threats.

Errors and Omissions: It is important that proper weight be given to the importance of errors and omissions. Data is more often destroyed, or otherwise rendered useless or even harmful, by people making mistakes than through dishonesty or malice. The principal difference between dishonesty and mistakes lies not in how they are thwarted but in the intent of the offender. Both are costly.

Dishonest Employees: When considering the potential for damage by dishonest or malicious people, it is of utmost importance to keep in mind that the vast majority of all white collar crime is committed by employees, not outsiders. Most improprieties directly involving data processing are conducted by people who are very familiar with the particular functional area of the business from which the theft occurs.

Helpful Hints
Personal Integrity: The factors that influence individual integrity are not easily perceptible, and individual integrity is not a constant. It varies dramatically with time and with personal situations of which a risk assessment team may be totally unaware. For this reason, it is best to leave perceived individual personal integrity out of a risk analysis.

White Collar Crime: A meaningful deterrent to white collar crime is often achieved by limiting its reward to the absolute minimum. If all persons having access to the information system are given only the least privilege necessary to get their job done, the potential rewards for dishonest conduct will be lessened. Most people are strongly deterred by fear of being caught and, to a lesser extent, by fear of formal punishment.

Physical/Processing Loss: The loss of the physical facility should be treated independently from the loss of processing capability. It is misleading to consider the loss of processing capability as part of the cost of loss of the physical facility. The loss of the physical facility, in a properly planned operation, may not result in a loss of all processing ability, and the loss of all processing ability need not involve the loss of the physical facility.

Helpful Hints
Fire Damage: Bear in mind that fire can deprive a facility owner of services without destroying or in any way damaging the data processing complex itself. In high-rise buildings, for example, severe fires on any floor below the facility, and frequently on any floor above, can disable the facility by depriving it of power, air conditioning, elevators, and communications. Customized, business-dependent pre-printed forms destroyed by fire may well take longer to replace than the hardware facility. It is therefore necessary to consider all aspects of each possible loss to fire.

Avoid Subdivision: Whenever possible, it is best to avoid subdividing consideration of the protection of all data processing resources into such categories as physical security and data security. Aside from such obvious problems as the security of data clearly requiring physical security, separating or compartmentalizing concerns tends to obscure desirable trade-offs between candidate protective measures. The problem is further aggravated by assigning the separate responsibilities to different people.

Security/Risk Maintenance: A pitfall many organizations fall into is that of treating risk assessment as a one-time project. However, old applications are constantly changing and new applications are continually being developed to support new or existing business functions. Therefore, it is advisable that risk assessment be implemented as an on-going process. In addition, periodic reassessments of at least key critical applications supporting major business functions should be completed.

Helpful Hints
Security Assessment Questionnaire: An integral step in any risk assessment project should be an evaluation of existing security measures versus the risk potential for the determination of specific actions required to either strengthen and/or relax controls. Executive Blueprints has developed and provides you with a comprehensive Security Assessment Questionnaire. You can obtain and utilize this material by accessing the training module Security is a Management Issue.

This document can be useful to data processing management, general management, auditors, and risk assessment teams in evaluating and developing security programs and highlighting those areas that need additional attention. Through a series of simple yes/no answers to questions in fourteen categories, the questionnaire covers:
o Physical Security: Fire, Rising Water, Falling Water, Intrusion
o Controls and Procedures: Organizational Controls, Personnel, Operational Controls, Interface Controls, Application Development, and Other
o Contingency Planning: General, Emergency, Backup, Recovery

The Risk Assessment Team


Team Composition: Composition of the team to perform the risk assessment is critical to success. Proper consideration of the impacts and probabilities required to complete the recommended procedure requires the assignment of well-informed, properly motivated people. The job cannot be delegated to clerks as a routine task. It must also be recognized that the assessment cannot be done quickly if it is to be done well; it takes time. Therefore, it is suggested that the people assigned to the team be dedicated to a specific number of hours per day until the assessment is completed. Participants on the risk assessment team must include representatives from:
o Information Systems operations
o The department owning the data under consideration
o The programmer responsible for support of the function under consideration
o Systems programming, if the installation is large enough to have this function
o The data security coordinator or administrator (if any)
o The communication network administrator (if any)
o The data base administrator (if any)
o The internal audit function
o The department responsible for physical security

Management Commitment
Strong senior management commitment to risk assessment is essential to its success. No amount of lower-level concern will be truly effective unless everyone who has a role in achieving protection of the business assets believes that senior management has sufficient commitment to this task. It is often difficult to convince senior management that they should be concerned without a quantitative expression of the problems, such as might be derived from the risk assessment. This situation leads to a chicken-and-egg syndrome: there is a need for senior management support to organize a properly manned risk analysis team, but management may not be sufficiently concerned about data protection until it sees the product of the assessment of financial risk.

Implementation Checklist
Check these process steps for implementation status

In Place   Needs Work   Process Action
[ ]        [ ]          We have Senior Management support to do risk assessment
[ ]        [ ]          We have identified the risk assessment team participants
[ ]        [ ]          We have identified all of the critical business applications
[ ]        [ ]          We have identified and involved all critical application owners (*)
[ ]        [ ]          We have identified custodians and users of critical applications (*)
[ ]        [ ]          We have agreement on our risk assessment methodology
[ ]        [ ]          We have tested our methodology for reasonableness
[ ]        [ ]          We have provided for inclusion of new critical applications
[ ]        [ ]          We have a notify process for when critical applications are modified
[ ]        [ ]          We are confident that our program will meet all of our needs

(*) Need help? See the Ownership and Classification training module on Executive Blueprints

Review Risk Mgmt Process


o Have we adequately identified our critical information assets?
o Have we analyzed our ability to protect our proprietary information?
o Have we provided for adequate protection?
o Have we considered needs and opportunities to enhance our procedures?
o Have we gained the support of all employees to protect our assets?

About Executive Blueprints, Inc

Business Consulting Professionals


Affiliated consultants with years of executive business management experience and real-life success, characterized by a passion for learning and a talent for teaching. We consolidate experience and relevant information into seminars, self-paced tutorials, coaching and targeted support projects to accommodate the demands of modern management.
www.ExecutiveBlueprints.com

So much more from Executive Blueprints

Executive Blueprints is designed and managed by business leaders, with input and suggestions from business leaders, to support the efforts of current and future business leaders. Get Connected, share your knowledge and learn from the experience of other successful executives.
Go to www.ExecutiveBlueprints.com for:
o Calendar of Seminars
o Case Studies
o BizRolodex of Discounts
o Executive Coaching
o Business Consulting
o Travel Tips
o Training Tools
o electronic Books
o Email Newsletter
... and the list keeps growing

www.ExecBlue.com
