Risk Management: by Dr. Selasi Ocansey
RISK MANAGEMENT
BY DR. SELASI OCANSEY
LEARNING OBJECTIVES
1. Discuss the risk management process, and how it plays an important
role in protecting organizations’ information from IT threats.
COSO-ERM model.
Internal Environment
The internal environment of a company is everything. It refers to its
culture, its behaviors, its actions, its policies, its procedures, its tone,
its heart. The internal environment is crucial in setting the company’s
goals, strategies, and objectives; establishing procedures to assess or
mitigate risk in business areas; and identifying and implementing
adequate controls to respond to those risk areas.
A strong internal environment often prevents a company from
breakdowns in risk management and control. The internal environment
is the base and infrastructure for all other seven ERM components, and
consists of:
Management’s beliefs, attitudes, operating style, and risk appetite
Management’s commitment to integrity, ethical values, and competence
Management’s oversight over the company’s internal control and structure
Methods of assigning authority and responsibility through the
establishment of formal policies and procedures that are consistent
with goals and objectives.
Human resource policies, procedures, and practices overseeing
existing working conditions, job incentives, promotion, and career
advancement.
Procedures in place to comply with industry external requirements,
as well as regulatory laws, such as those imposed by banks, utilities,
insurance companies, the SEC and the PCAOB, among others.
Objective Setting
Objectives refer to the goals the company wants to achieve.
Objectives are established at various levels within a
company.
That is, companies may set objectives at the top/management
level, say to guide their direction or strategy (e.g., become
the best seller in the market, acquire a separate business,
merge with a competitor, etc.);
Or at lower levels, like improving existing operations (e.g.,
hiring quality personnel, improving current processes,
implementing controls to address additional risks,
maintaining certain levels of production, etc.).
Companies may also set goals for reporting and compliance purposes.
Reporting objectives are set, for instance, to ensure the reliability,
completeness, and accuracy of reports (e.g., financial statements).
These objectives are achieved, for example, by adequately safeguarding
financial application systems and by performing timely and thorough
management reviews.
Compliance objectives, on the other hand, ensure all applicable
industry-specific, local, state, and federal laws are properly followed
and observed.
Failure to comply with these can result in serious consequences,
leaving the company vulnerable to lawsuits, on-demand audits, and
sanctions that can ultimately lead to dissolution.
Event (or Risk) Identification
Events impact companies internally or externally. For instance,
events could occur outside the company (e.g., natural disasters,
enactment of new laws and regulations, etc.) that can significantly
affect its goals, objectives, and/or strategy. Identification of these
events or risks can result from responding to management questions,
such as:
(1) What could go wrong?
(2) How can it go wrong?
(3) What is the potential harm? And
(4) What can be done about it?
An example would be an office desk manufacturer that relies on sourcing
the wood necessary to build the desks from specific regions in the
Caribbean.
The manufacturer’s organizational objective is to keep up with
production demand levels. So, here are the management questions
from above with hypothetical responses to identify internal or
external events:
1. What could go wrong? Shipment of wood may fail or may not be
received on time resulting in not having enough supplied wood to
meet customer demands and/or required production levels.
2. How can it go wrong? Weather conditions (e.g., hurricanes,
flooding, etc.) may affect safe conditions to cut trees and prepare the
necessary wood; or prevent timely shipment of the wood to the
manufacturing site.
3. What is the potential harm? The lack of or limited supply may
force the manufacturer to incur higher costs, which could translate
into higher prices for customers.
4. What can be done about it? Solutions may include identifying at
least one or two additional suppliers (outside of the Caribbean), and/or
having higher amounts of wood inventory on hand. These will help in
preventing or mitigating the issues just identified, and ensure that
minimum production levels are kept consistent with organizational
objectives.
Risk Assessment
In view of the increased reliance on IT and automated systems,
special emphasis must be placed on the review and analysis of risk in
these areas.
IT facilities and hardware are often included in the company’s
overall plant and property review; however, automated systems
require a separate analysis, especially when these systems are the
sole source of critical information to the company, as in today’s
e-business environments. There are many risks that affect today’s IT
environment.
Companies face loss from traditional events, such as natural
disasters, accidents, vandalism, and theft, and also from similar
events in electronic form. These can result from computer viruses,
theft of information or data, and so on.
Some examples of resources to assist in the identification and
evaluation of these IT-related risks include:
NIST.gov. The NIST has been a leader in providing tools and
techniques to support IT. It has a number of support tools that can be
used by private small-to-large organizations for risk assessment
purposes.
GAO.gov. The U.S. Government Accountability Office (GAO) has
provided a number of audit, control, and security resources as well as
identification of best practices in managing and reviewing IT risk in
many areas.
Expected loss approach. A method developed by IBM that assesses
the probable loss and the frequency of occurrence for all
unacceptable events for each automated system or data file.
Unacceptable events are categorized as either: accidental or
deliberate disclosure; accidental or deliberate modification; or
accidental or deliberate destruction.
Scoring approach. Identifies and weighs various characteristics of IT
systems, and uses the resulting score to compare and rank their
importance.
Once identified, risks are assessed, meaning that the probability of
their potential losses is quantified and ranked. Risks are assessed
from two perspectives: Likelihood and Impact.
Likelihood refers to the probability that the event will occur. Impact,
on the other hand, is the estimated potential loss should such an
event occur.
Risks are categorized as follows:
Critical—exposures would result in bankruptcy, for instance.
Important—possible losses would not lead to bankruptcy, but
require the company to take out loans to continue operations.
Unimportant—exposures that could be accommodated by
existing assets or current income without imposing undue financial
strain.
Assigning identified risks to one of the above categories gives
them a level of significance and helps determine the proper
means for treating such risks. Assessment of risks is discussed in
more detail in a later section.
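The expected-loss approach and the three risk categories described above, worked through in code. This is an added example, not material from the slides: the systems, frequency and loss estimates, and the two category thresholds are all constructed assumptions.

```python
# Added example (not from the slides): the expected-loss approach described
# above, applied to hypothetical automated systems with constructed estimates.
from dataclasses import dataclass

EVENT_CLASSES = (  # the six unacceptable-event classes named on the slides
    "accidental disclosure", "deliberate disclosure",
    "accidental modification", "deliberate modification",
    "accidental destruction", "deliberate destruction",
)

@dataclass(frozen=True)
class Exposure:
    system: str
    event: str              # one of EVENT_CLASSES
    frequency: float        # likelihood: expected occurrences per year
    loss_per_event: float   # impact: estimated loss per occurrence

    def expected_loss(self) -> float:
        return self.frequency * self.loss_per_event

def assess(exposures, critical_threshold, important_threshold):
    """Sum expected annual loss per system, rank descending and label each
    system critical / important / unimportant. Thresholds are assumed inputs:
    loss the company could not survive, and loss it could only cover by borrowing."""
    totals = {}
    for e in exposures:
        if e.event not in EVENT_CLASSES:
            raise ValueError(f"unknown event class: {e.event}")
        totals[e.system] = totals.get(e.system, 0.0) + e.expected_loss()
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    result = []
    for system, loss in ranked:
        if loss >= critical_threshold:
            category = "critical"
        elif loss >= important_threshold:
            category = "important"
        else:
            category = "unimportant"
        result.append((system, round(loss, 2), category))
    return result

# Constructed sample data: hypothetical systems and estimates, not real figures.
SAMPLE = [
    Exposure("payroll", "deliberate disclosure", 0.5, 2_000_000),
    Exposure("payroll", "accidental modification", 2.0, 15_000),
    Exposure("web storefront", "deliberate destruction", 0.5, 400_000),
    Exposure("web storefront", "accidental destruction", 1.0, 50_000),
    Exposure("intranet wiki", "accidental disclosure", 3.0, 1_000),
]
```

Calling `assess(SAMPLE, 1_000_000, 100_000)` returns the systems ranked by expected annual loss with their category, so the same inputs can be re-run as estimates or thresholds change.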
Risk Response
After assessing risks, the next step is to put an action plan
together and determine the applicable technique(s) to respond to
the identified risks.
Typically, the risk response process starts with companies
evaluating their inherent risks, then selecting the appropriate
response technique, and finally assessing the residual risk.
Management can react or respond to identified risks in one of the
following four ways: Avoid, Prevent, Reduce, or Transfer.
Avoid or completely eliminate the risk. For example, a new
feature included within the next application software release is
estimated to downgrade application performance by slowing
down some critical processing. To avoid the risk, the software
feature is eliminated from the next release.
Prevent a risk through implementing IT controls, such as
(1) performing validity checks upon inputting data;
(2) cleaning disk drives and properly storing magnetic and optical media to
reduce the risk of hardware and software failures;