Procedure On Risk Management
ISMS Procedures RISK MANAGEMENT W.E.F. August 16, 2016
Manual PAGE 1 of 14
Purpose: The purpose of this procedure is to ensure proper risk assessment and risk management. The Risk Management procedure outlines the steps to be taken for conducting and assessing the risk associated with the various processes, equipment, environment or people assets of the organization, and provides a framework for mitigating them.
Scope: This procedure applies to all information security risks and EHS risks, covering risk identification, analysis, mitigation planning and tracking of risks associated with business activities and assets across the organization.
Policy: The senior management of the organization is committed to ensuring that procedures are in place for identifying, treating and monitoring the risks associated with information assets and also EHS risks. This is ensured through training the risk management team / core team identified by Senior Management and the organization, and by monitoring the implementation from time to time.
DEFINITIONS:
Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items. An asset is what we’re trying to protect.
Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we’re trying to protect against. Threats generally can NOT be controlled.
Vulnerability (Weakness): Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.
Environmental Aspect: The elements of an organization's activities, products and services that can interact with the environment are called environmental aspects. Examples include a discharge, an emission, consumption or reuse of a material, or generation of noise.
Environmental Impact: Changes to the environment, either adverse or beneficial, that result wholly or partially from environmental aspects are called environmental impacts. Examples of adverse impacts include pollution of air and depletion of natural resources. Examples of beneficial impacts include improved water or soil quality.
Health and Safety Hazard: Occupational Health and Safety Hazards are situations associated with the organization’s business activities which could lead to injuries or cause ill health to people affected.
Ill Health: Identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work-related situation.
In case of EHS risks, risk is the result of an unsafe act occurring together with an unsafe condition. Risk can be mitigated/ managed to either lower the vulnerability or the overall impact on the business.
Risk Assessment: The process of evaluating the risk(s) arising from hazard(s) or vulnerabilities and threats, taking into account the adequacy of any existing controls, and deciding whether or not the risk(s) is/are acceptable.
Risk Owner: A person or entity with the accountability and authority to manage a risk. Basically, this is a person who is both interested in resolving a risk, and positioned highly enough in the organization to do something about it. So, for instance, the asset owner of a server might be the IT administrator, and the risk owner for risks related to this server might be his boss, the head of the IT department. The IT administrator will manage the server on a day-to-day basis, while the head of the IT department will take care of, e.g., investing in better protection, providing training to the IT administrator, etc.
Authorized by HOD (Operations) Restricted Issued by: HOD(Quality)/ MR
Uncontrolled If Printed
REF. CP07RM01 / 3.0
Examples:
The following 11 steps provide the methodology for risk assessment and mitigation. The risk assessment sheet will be prepared by the Functional Representative of the respective department / function. For the Operations department, risk assessment is done at customer group level to capture the specific data security needs of each customer. For all other departments, it is done at department level. This procedure defines the “Risk acceptance criteria” and the “criteria for performing information security risk assessment”.
During this first stage, information about the system is gathered and classified into one of the following categories:
– Hardware
– Software
– System interfaces (internal/external connectivity)
– Data and information
– Users and Administrators of the system
– System mission (processes performed)
– System and data criticality (value to the organization’s ability to perform its mission)
– System and data sensitivity
– Additional information
– Services
The asset owner and the custodian of the asset are identified. Based on an understanding of the system mission, the system and data criticality levels and the system and data sensitivity levels, the asset value is determined as given below:
Output from this step will be a written “threat statement” listing threat sources that could
exploit vulnerabilities of the system being evaluated.
The goal of this step is to develop a list of system vulnerabilities that could be exploited by
the potential threat-sources.
The goal of this step is to identify the Risk Owner, who is a person or entity with the accountability and authority to manage a risk. The Functional Representative needs to identify the Risk Owner in consultation with the respective HOD/FH.
The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat exercising a system vulnerability.
To derive an overall likelihood rating that indicates the likelihood that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
– Threat-source motivation and capability
– Nature of the vulnerability
– Existence and effectiveness of current controls
Assign likelihood a numeric value as given below:
If the risk value is more than 18, the risk is unacceptable and suitable measures are to be taken to mitigate the risk.
The goal of controls recommendation is to reduce the level of risk to the system and its data to an
acceptable level.
To determine which controls are required and appropriate for a specific organization, a cost-benefit
analysis should be conducted for the proposed recommended controls to demonstrate that the costs of
implementing the controls can be justified by the reduction in the level of risk.
Additionally, the operational impact (effect on system performance) and feasibility (technical requirements, user acceptance) of introducing the recommended option should be evaluated carefully during the risk mitigation process.
SVES also performs risk assessment (in the Risk Assessment Form) on its systems once a year, or whenever a new threat or vulnerability is identified, whenever there is a change in the systems or processing environment, or on addition or deletion of assets. Risk assessment and BCP reports are to be updated as a mandatory requirement before closure of an incident, considering the effects of the incident as applicable.
The risk value is computed again to prioritise the risk and carry out proper risk treatment.
Avoid: Eliminate the threat by eliminating its cause (use a different technology). E.g. instead of flying by plane, due to fear of brake failure, use a train service. These measures are usually dramatic.
Mitigate: Reduce the probability or impact of a threat by making it a smaller risk and removing it from the top list (e.g. build in redundancy). E.g. to reduce the chance of brake failure in a flight, incorporate a triple brake system.
Transfer: Make another party responsible for the risk by purchasing insurance, bonds, warranties etc. E.g. life insurance or fire loss insurance.
Accept: Accept the risk in concurrence with the Management Team, and revisit accepted risks periodically to evaluate and apply better risk treatment.
The Risk Assessment Form with the above details will be reviewed by respective department /
function HOD/FH/Delivery Heads. After the review by respective HOD/FH/Delivery Heads, the Risk
Assessment Form will be validated by QR for the correctness and completeness.
It is a management decision whether these risks will be accepted because of other constraints (like costs, or simply the impossibility of prevention, as in the case of planes crashing into a building or earthquakes). In case the residual risk is not accepted, further additional controls are to be planned to reduce the risk value.
The MR will approve and release the Risk Assessment Form after acceptance by Management Team.
The above residual risks are reviewed on a yearly basis to monitor the likelihood of occurrence. Any change in likelihood will result in the residual risk becoming an unacceptable residual risk, and suitable steps are to be taken as mentioned above.
EHS Risk Assessment in the organization follows the steps given below:
As a practice, the environmental risks and occupational health and safety risks are identified by EHS
Core team members in consultation with the other personnel in the organization.
EHS Core Team Members shall follow the methodology given in this document for the above.
This section of the procedure covers those EHS hazards of activities and services that the organization can control, or over which it can be expected to have an influence. Significant EHS Hazards identified through this process shall be considered in setting EHS objectives and targets.
The procedure consists of an initial screening of activities based on available data by the EHS Core Team, consisting of cross-functional personnel within the organization. Such a cross-functional team shall consist of personnel from all levels of the organization.
Cross functional team assesses the environmental aspects and occupational health & safety hazards,
determines which of these might result in significant impacts, then sets priorities for further analysis,
as needed.
The management team consisting of CEO, HODs and MR reviews the information developed during
the evaluation on a regular basis to ensure that it is up-to-date.
– All natural resources, including water and energy sources, used in the operations and activities.
– Use or release or fugitive emission of ozone depleting substances from the Air Conditioning/ HVAC System.
In case an Aspect or Hazard of the activity has an Emergency impact, the same shall be addressed in
the Emergency Preparedness Plan.
Once the EHS Hazard is identified, the source of hazard shall also be determined by the EHS Core
Team.
EHS Core team shall also identify if there are any legal requirements applicable or legal obligations
for controlling the respective EHS hazards.
The Team shall also identify the current controls, if any, to mitigate the EHS hazards.
The EHS Core Team shall brainstorm to determine the impact of each of the EHS Hazards identified. While determining the same, the EHS Core Team shall consider the following cause – effect scenarios/ combinations to ensure completeness of the EHS impact assessment:
– One to One Relationship: One EHS Hazard leading to One Impact
– One to Many Relationship: One EHS Hazard leading to more than one Impact
– Many to One Relationship: Many EHS Hazards leading to one Impact
– Many to Many Relationship: Many EHS Hazards leading to many Impacts
While determining the impact, the EHS Core Team shall clearly describe the impact in terms of the environment, property or people affected, and the scale of the impact, to enable consistent estimation of the severity rating.
Once the impact assessment is carried out, EHS Core Team shall analyze all the EHS Hazards
identified as given below:
EHS Risk Assessment involves three parameters, viz. Severity Rating, Occurrence Rating, and Compliance with Legal and Other Requirements (LOR) and interested parties' concerns.
In case LOR and interested party concerns are not applicable, then:
RPN (Risk Priority Number) or Risk Value = Severity Rating X Occurrence Rating
Severity, Occurrence and Compliance Ratings are determined based on the following tables:
SEVERITY RATING
Severity Rating | Severity Level | Severity Description
5 | Fatal/ Dangerous | Health and Safety - Could lead to loss of life. Environment - may cause environmental pollution beyond permissible levels, causing large scale pollution to the environment.
4 | Extremely Harmful/ Very High Impact | Health and Safety - Could lead to ill health and permanent disability, non-compliance with legal or other requirements. Environment - may cause environmental pollution beyond permissible levels, causing large scale pollution to the environment for a short duration, or generate hazardous waste.
3 | Moderately Harmful/ Impact | Health and Safety - Could lead to Lost Time Injuries/ Property Loss. Environment - may cause environmental pollution within permissible levels, or consume natural resources.
2 | Low Harm/ Impact | Health and Safety - Could lead to discomfort but no lost time injuries. Environment - may cause slight environmental pollution, generate solid waste (non-toxic).
1 | Very Low Impact | Health and Safety - No impact on people. Environment - No or negligible environmental impact.
OCCURRENCE RATING
Probability Rating | Probability Level | Probability Description
5 | Very High | Health and Safety - Hazards exist continuously and people are exposed to the hazard. Environment - continuous emission into air, releases into water, or soil pollution.
4 | High | Health and Safety - Hazards are found once in a month to six months. Environment - Environmental Hazards found once in a month to six months.
3 | Medium | Health and Safety - Hazards are found once in six months to one year. Environment - Environmental Hazards found once in six months to one year.
2 | Low | Health and Safety - Hazards are found once in one to two years. Environment - Environmental Hazards found once in one to two years.
1 | Very Low | Health and Safety - Hazards rarely occur. Environment - Environmental Hazards rarely occur.
COMPLIANCE RATING
Compliance Rating | Compliance Level | Compliance Description
2 | Non-Compliant | Requirements of the Statute or Legal or Other Requirements not being met completely.
1 | Compliant | Requirements of the Statute or Legal or Other Requirements met completely.
EHS Risks shall be prioritized for mitigation or improvement action based on their significance, determined as given below.
PRIORITIZATION GUIDELINES
Risk Prioritization Rule to classify as Significant EHS Risk:
– When legal and other requirements and interested party concerns are applicable to a risk
– Any Risk with an RPN Value of “15 or More”
– Any Risk with a Severity Rating of 5.
Note: With reference to the above prioritization guidelines, when LOR and interested party concerns are applicable to a risk it shall be considered a Significant Risk, and in such cases the assessment shall be done only to check whether it is complied with or not, i.e. ratings for severity and occurrence are not required.
Threshold Values of the Risk Priority Number and the other parameters defined above shall be reviewed periodically during the Management Review Meetings to drive improvements, reduce EHS risks, and ensure compliance with the applicable legal, regulatory and other requirements and other interested parties' concerns.
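As an added illustration (it is not part of this procedure document and not the organization's own tooling), the following Python encodes the EHS scoring described above: the three rating scales, RPN = Severity Rating X Occurrence Rating, and the three prioritization rules, including the note that a risk to which legal and other requirements apply is significant on the compliance check alone. The hazard entries are constructed sample data, not taken from any EHS Risk Assessment Report.

```python
"""EHS risk scoring as described in the procedure: RPN = Severity x Occurrence
plus the prioritization rules. Added illustration; hazards below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rating scales taken from the SEVERITY, OCCURRENCE and COMPLIANCE tables.
SEVERITY_LEVELS = {
    5: "Fatal/ Dangerous",
    4: "Extremely Harmful/ Very High Impact",
    3: "Moderately Harmful/ Impact",
    2: "Low Harm/ Impact",
    1: "Very Low Impact",
}
OCCURRENCE_LEVELS = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}
COMPLIANCE_LEVELS = {2: "Non-Compliant", 1: "Compliant"}

# Thresholds from the PRIORITIZATION GUIDELINES.
RPN_SIGNIFICANT_THRESHOLD = 15
SEVERITY_ALWAYS_SIGNIFICANT = 5


@dataclass
class EhsHazard:
    name: str
    lor_applicable: bool              # legal/other requirements or interested-party concerns apply
    severity: Optional[int] = None    # 1..5, required only when lor_applicable is False
    occurrence: Optional[int] = None  # 1..5, required only when lor_applicable is False
    compliance: Optional[int] = None  # 1 or 2, required only when lor_applicable is True


def risk_priority_number(h: EhsHazard) -> Optional[int]:
    """RPN = Severity Rating x Occurrence Rating.

    Returns None for a hazard assessed on the compliance check alone: the note
    under the prioritization guidelines says severity and occurrence ratings
    are not required in that case."""
    if h.lor_applicable:
        if h.compliance not in COMPLIANCE_LEVELS:
            raise ValueError(f"{h.name}: compliance rating must be 1 or 2")
        return None
    if h.severity not in SEVERITY_LEVELS or h.occurrence not in OCCURRENCE_LEVELS:
        raise ValueError(f"{h.name}: severity and occurrence ratings must be 1..5")
    return h.severity * h.occurrence


def classify(h: EhsHazard) -> Tuple[bool, str]:
    """Apply the three prioritization rules; returns (significant, reason)."""
    rpn = risk_priority_number(h)
    if h.lor_applicable:
        return True, f"legal/other requirements apply ({COMPLIANCE_LEVELS[h.compliance]})"
    if rpn >= RPN_SIGNIFICANT_THRESHOLD:
        return True, f"RPN {rpn} >= {RPN_SIGNIFICANT_THRESHOLD}"
    if h.severity == SEVERITY_ALWAYS_SIGNIFICANT:
        return True, "severity rating 5"
    return False, f"RPN {rpn} below threshold"


def prioritize(hazards: List[EhsHazard]) -> List[Tuple[str, Optional[int], bool, str]]:
    """Rank hazards: significant first, compliance-driven items ahead of
    RPN-driven ones, then highest RPN first. Rows are (name, rpn, significant, reason)."""
    rows = []
    for h in hazards:
        significant, reason = classify(h)
        rows.append((h.name, risk_priority_number(h), significant, reason))
    rows.sort(key=lambda r: (not r[2], r[1] is not None, -(r[1] or 0)))
    return rows


# Constructed sample hazards (illustrative only, not from any real assessment report).
SAMPLE_HAZARDS = [
    EhsHazard("Diesel generator exhaust near air intake", False, severity=4, occurrence=4),
    EhsHazard("Server room fire from UPS battery fault", False, severity=5, occurrence=1),
    EhsHazard("Noise from HVAC plant room", False, severity=3, occurrence=4),
    EhsHazard("Refrigerant handling for AC units", True, compliance=2),
]

if __name__ == "__main__":
    for name, rpn, significant, reason in prioritize(SAMPLE_HAZARDS):
        flag = "SIGNIFICANT" if significant else "not significant"
        print(f"{name:45s} RPN={rpn!s:>4}  {flag}: {reason}")
```

Running the block lists the four constructed hazards in priority order: the compliance-driven refrigerant item first, then the RPN 16 generator exhaust, then the severity-5 fire scenario (RPN only 5, but significant by the third rule), and last the RPN 12 noise hazard, which falls below the threshold. A sorted list of this kind is what the EHS Core Team would present to Top Management before mitigation actions are set.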
Risk assessment is done for all activities and the reports are summarized as below:
1) Risk assessment report for Admin department
2) Risk assessment report for N&S department
3) Risk assessment report – Common (Marketing, Operations, HR, Quality, Commercial, Systems, Finance, Corporate (Legal))
Reporting the Risk Assessment Results
Once the significant EHS risks are determined, EHS Core Team shall present the same to the Top
Management consisting of MR, CEO and other HODs.
If the EHS Core Team determines that additional information is needed to evaluate a particular
activity, the Top Management shall assign the responsibility for collecting that information to
appropriate personnel. Once the information is made available, then EHS Core Team shall continue
with the EHS risk assessment.
The details of the assessment as described above are recorded in EHS Risk Assessment Report.
On approval or acceptance of the significant EHS risks by the top management team, the significant
EHS Risks shall be prioritized for initiating mitigation actions.
MR and CEO shall ensure that significant EHS Risks identified by the EHS Core Team & HODs are
considered in setting EHS objectives and targets at functional level.
Mitigation of EHS risks is primarily of two types: either initiating an EHS Management Program or establishing an Operational Control Procedure, as mentioned below:
Establishing OCP: in case the mitigation plan involves establishing monitoring and control activities on a routine/ periodical basis, an Operational Control Procedure shall be established detailing the monitoring, the measuring, and the immediate reaction plan to be initiated in case of an out-of-control situation.
While determining controls, respective HODs/ MR shall ensure that all associates at all levels are
included as appropriate.
While determining the controls, respective HODs/ MR shall also consider the legal requirements,
voluntary standards and codes of practice that can specify appropriate controls for specific hazards.
Respective HODs/ MR shall, to the extent possible, determine controls that are capable of attaining “As Low As Reasonably Practicable” (ALARP) levels of risk.
Follow-up Evaluation:
Follow-up evaluations or periodical evaluations are carried out once in a year or as decided in the
management reviews. The results of the most recent EHS Risk Assessment shall be reviewed during
the Management Reviews.
Based on this review, the EHS Core Team determines the need to update the EHS Risk Assessment.
Factors such as improved assessment methodologies, or major changes to the organization’s mission,
facilities, services are considered in determining the need to update the assessment.
Whenever changes in legal requirements arise, the respective HODs shall review the same against the most recent EHS Risk Assessment Results. The results are reviewed with the MR and the EHS Core Team, and the required changes to the EHS Risk Assessment Reports (both environment and occupational health & safety) are incorporated.
Then the process described above is followed for identification of significant EHS Risks.
– The need to determine whether existing controls are effective and adequate
– The need to respond to new hazards
– The need to respond to feedback from monitoring activities, incident investigation, emergency situations or the results of testing of emergency procedures (mock drills)
– External factors such as emerging occupational health issues
– Advances in control technologies
– Changing diversity in the workforce, including the contractors
– Changes proposed by corrective and preventive action
Top Management Team reviews the impact of changes on environment, occupational health
& safety and decides whether to approve the change or not.
In case the change is not approved, the ICR is returned to the initiator. In case the change is acceptable, the approved ICR is sent to the respective HODs for initiating the required actions. The respective HOD, with assistance from the EHS Core Team, then modifies the EHS Risk Assessment Report. In case the changes result in the possibility of any significant EHS risks, the same are handled as described above.
References
Associated Documentation:
– Risk Assessment Form
– Risk Assessment Flow Chart
– EHS Risk Assessment Report
– Infrastructure Change Request
– EHS Management Programs
– Operational Control Procedures