Young 20210326 SIRA Final Final
Risk types to consider
(Diagram: Risk sits at the centre, surrounded by InfoSec/Cyber, Business Cycles, Threats/Vulns., Everything else..., Business Continuity, Market/Credit, Strategic/Reputation, and Supplier/Third party.)
• I like heat maps as a visualization tool – provided there is some rigor to the underlying analysis as to why the risk is in a certain “box.”
Cyber Risk
Cyber: of or relating to computers, information technology, electronic communications (especially the internet), or virtual reality.
Risk: exposure to danger, harm, or loss.
Identify / Manage
Risk Ecosystem
(Diagram: Threat Mgmt, Vul Mgmt, Risk Mgmt, Risk Criteria, Risk Taxonomy, Risk Register.)
• Threat management and threat modeling is used to detect, analyze, and respond to potential security incidents.
• The Vulnerability Management process deals with day-to-day patching and release management, and refers other findings to Risk or Issue Management.
• The Risk Management process should continually identify, analyze, address, monitor, and report risks.
• Controls Management is generally done with compliance or audit rather than as an optimization of control design and control selection based on risk.
Enterprise Services, Products, Mission
• Outputs of an organization
• Can be internally or externally focused
• Typically align with a specific organizational unit, but can cross units and organizational boundaries
• Collectively they enable an organization’s mission
Business Operations, Business Processes, Productive Activities, Projects, Initiatives
• The activities that the organization (and/or its suppliers) perform to ensure that services and products are produced
• Traverse the organization; cross organizational lines
• A service or a product is made up of one or more Business Processes, productive activities, projects or whatever they are called in your organization.
Assets
• Something of value to the organization
• Placed into production to deliver and support services
• Asset value relates to the importance of the asset in meeting the enterprise mission.
Organizational Context for Risk
Scenario Creation – Moving from Areas of Concern to Risk
Where does Risk Analysis and Business Impact Evaluation fit in Risk Management
(Diagram: Internal Factors and External Factors; OBJECTIVES/MISSION; RISK APPETITE STATEMENTS; DESIRED OUTCOMES; RISK TOLERANCE STATEMENTS; ASSESSMENTS/SCOPING; SCENARIO DEV & ANALYSIS.)
Another Example of Risk Universe or Risk Landscape
Another Example of Risk Appetite and Risk Tolerance
Mission: To be the leading producer of premium household products in the regions in which we operate
Strategy / Strategic Objectives
-Expand production of our top-five selling retail products to meet increased demand
-To be in the top quartile of product sales for retailers of our products
Related Objectives
1. Increase production of Unit X by 15% in the next 12 months
2. Hire 180 qualified new staff across all manufacturing divisions
3. Maintain product quality of 4.0 sigma
4. Maintain 22% staff cost per dollar order
Risk Appetite
-Accept that the company will consume large amounts of capital investing in new assets, people, and process
-Accept that competition could increase (e.g. through predatory pricing, etc.) as we seek to increase market share, thereby reducing profit margins
-We do not accept erosion of product quality
Measures
-Market share
-Units of production
-Number of staff hired
-Product quality by sigma
Risk Tolerances
Measure                      Target           Tolerances – Acceptable Range
Market share                 25th percentile  20% - 30%
Units of production          150,000 units    -7,500/+10,000
Number of staff hired (net)  180 staff        -15/+20
Product quality index        4.0 sigma        4.0 – 4.5 sigma
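As an added example (not from the presentation), the following Python turns the slide's tolerance notation into numeric bounds and flags KPI readings that fall outside the acceptable range, which is how a tolerance statement becomes a monitoring threshold. The sample readings, the reduction of "25th percentile" to the number 25, and the function names are assumptions.

```python
import re

# Tolerance table as printed on the slide: measure -> (target, acceptable range).
# Targets are reduced to the number the slide gives ("25th percentile" -> 25).
TOLERANCES = {
    "Market share (percentile)": (25.0, "20% - 30%"),
    "Units of production": (150_000.0, "-7,500/+10,000"),
    "Number of staff hired (net)": (180.0, "-15/+20"),
    "Product quality index (sigma)": (4.0, "4.0 – 4.5 sigma"),
}

# Constructed sample KPI readings for one reporting period (not from the slide).
SAMPLE_READINGS = {
    "Market share (percentile)": 22.0,
    "Units of production": 141_000.0,
    "Number of staff hired (net)": 195.0,
    "Product quality index (sigma)": 3.8,
}

_OFFSET = re.compile(r"-(\d+(?:\.\d+)?)/\+(\d+(?:\.\d+)?)")
_RANGE = re.compile(r"(\d+(?:\.\d+)?)%?-(\d+(?:\.\d+)?)(?:%|sigma)?")


def parse_tolerance(target: float, spec: str) -> tuple[float, float]:
    """Turn a slide-style tolerance spec into absolute (low, high) bounds:
    "-7,500/+10,000" is an asymmetric offset around the target, while
    "20% - 30%" and "4.0 – 4.5 sigma" are absolute ranges."""
    s = spec.replace("–", "-").replace(",", "").replace(" ", "")
    if m := _OFFSET.fullmatch(s):
        return target - float(m.group(1)), target + float(m.group(2))
    if m := _RANGE.fullmatch(s):
        return float(m.group(1)), float(m.group(2))
    raise ValueError(f"unrecognised tolerance spec: {spec!r}")


def evaluate(readings: dict[str, float]) -> dict[str, str]:
    """Classify each reading as within, below or above its acceptable range."""
    status = {}
    for name, value in readings.items():
        target, spec = TOLERANCES[name]
        low, high = parse_tolerance(target, spec)
        if value < low:
            status[name] = "below tolerance"
        elif value > high:
            status[name] = "above tolerance"
        else:
            status[name] = "within tolerance"
    return status
```

Running `evaluate(SAMPLE_READINGS)` reports production and product quality as below tolerance while market share and hiring stay inside their ranges.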
Example Risk Appetite and Risk Tolerance Statements
Example Business Impact Evaluation Criteria
Considerations for threats and vulnerabilities as inputs to loss event scenarios (threat trees derived from OCTAVE)
Data Breach / Theft / Spillage: Identities; Personally Identifiable Information; Payment Card Numbers (PCI); Health Records (PHI); IP / Trade Secrets; Other Confidential Data; Financial Data
Data Destruction: Ransomware; Shamoon-style attacks; Physical Theft or Sabotage
Physically Destructive Events: Cyber Attacks on OT; Firmware Destruction (Bricking); Physical Attacks on People or Property
Availability Events: Denial of Service Attacks; Network Infrastructure Attacks; Cloud or Communications Outages; Sabotage or Vandalism; Physical Theft
VERIS - http://veriscommunity.net/veris-overview.html
University of Cambridge Centre for Risk Studies
• …taxonomy of macro-catastrophe threats that have the potential to cause damage and disruption to social and economic systems in the modern globalized world.
• Contains 5 Primary Classes, 11 Families, and 55 (Genus) Types
• Very high level
Operational Risk Taxonomy
Developing Scenarios and Reporting on Risk
Considerations for Risk Scenario Development
Scenario brainstorming workshop
(Diagram of participating functions at business unit/function and enterprise level:)
• Identity, Access & Asset Management
• Business Continuity & Disaster Recovery
• Knowledge & Information Management
• Partner, Supplier & Dependencies Management
• Situational Awareness & Incident Management
• Operational Audit & Risk Assurance
• Strategic Planning and Governance
Drawing adapted from FRBNY Management in Central Banking (MIBC) Implementation Support course 9/25/2018 by Brian Watson, used with permission
Resilience Example
Threats, Exposures, Events, Conditions
• Cyber attack renders the technology and information assets unavailable
• Terrorism or crime may be the motive for the attack but that may not be known immediately
• Business and economic cycles
• External Dependencies, Partners & Suppliers
• Mistakes, errors, omissions
• Weather, Pandemic
The objectives for operational resilience go well beyond traditional business continuity
Operational resilience principle - “The ability to anticipate, prepare for, and adapt to changing conditions and withstand and recover from disruptions. Resilience includes the ability to continue to operate (even in a degraded state) and recover from deliberate attacks, accidents, and other threats or incidents.”
Operational resilience key objectives - Alignment & Integration: develop an adaptive operating model and integrate resilience objectives into business strategies.
1 Compliance
2 Resilience
3 Presilience®
So, What is Risk Intelligence
Risk Intelligence (RI) is a living skill and applied attribute that enables better decision making to proactively embrace opportunity and manage negative outcomes.
(Diagram: RISK INTELLIGENCE balancing RISK and REWARD.)
https://risk2solution.com/
Conceptual Integration for Risk Intelligence
• Manage uncertainty
• Achieve objectives
• Ability to move, think, and understand quickly
• Focus on change and creating more effective processes, products, and ideas
• Improved productivity and performance
• Share information, rewards, and power, appropriately and fairly
• Take initiative and make decisions to solve problems and improve service delivery and performance
• Display toughness in the face of adversity and have the capacity to recover quickly and respond to short term shocks
• The ability to adapt and evolve personally and shape teams and organizational structures to respond to long term challenges
• Make data-driven decisions that evolve as we learn more
Delivering the transformational change necessary to achieve Presilience® requires addressing a number of key challenges
• Acquiring expertise: designing and implementing a presilience program requires a deep understanding of the internal and external conditions needed to develop situational awareness and decision architectures, and to take actions to observe, orient, adapt, and respond nimbly to changes.
• Breaking silos: presilience requires convergence of people, process, and technology to achieve resilient business outcomes.
• Changing culture: presilience requires a culture shift from ‘a business line or functional area point of view’ to ‘a holistic and ecosystem view’.
• Managing complexity: presilience has to be built into the fabric of the organization, which requires fundamental changes to how the organization operates.
All Roads Really do Lead to Risk
(Diagram: Risk sits at the centre, surrounded by InfoSec/Cyber, Business Cycles, Threats/Vulns., Everything else..., Business Continuity, Market/Credit, Strategic/Reputation, and Supplier/Third party.)
Questions? Comments?
Lisa Young
VP, Cyber Risk Engineering
LinkedIn: Lyoung@brightmsi.com