Risk Management v0.1

Risk Management - Fundamentals

Classification Internal
Contact Paresh Deshmukh ( paresh@baseel.co.uk )
https://www.baseel.com/
What You'll Learn

• Common Cybersecurity Threats
• Risk Management basics
• Risk management Framework
• Case study
• Summary & Wrapup

Cybersecurity Basics
Cybersecurity Threats

• Phishing Attacks
• Ransomware
• Hacking
• Imposter Scams
• Environmental events

Environmental Threats

• Natural threats such as fire, earthquake, flood can cause harm to computers or disrupt business access
• Recovery efforts attract scams such as financial fraud
• Downtime can lose customers, clients who can't wait

Example: Ellicott City flooding wiped out businesses and their computers

Elements of Risk

What are the threats?
What are the vulnerabilities?
What is the likelihood of a threat exploiting a vulnerability?
What would be the impact of this to your business?

What are you protecting?

To practice cybersecurity risk management, you can start with these steps:
1. Identify your business' assets
2. Identify the value of these assets
3. Document the impact to your business of loss or damage to the assets
4. Identify likelihood of loss or harm
5. Prioritize your mitigation activities accordingly

Risk Management and its Benefits
To understand the practical aspects of risk management as a discipline, one first needs to understand the term
risk.
A dictionary definition of risk is: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive
action.

Although the word risk is often associated with avoiding hazards or negative impact from an event or
circumstance, that is not the only definition. ISACA uses the International Organization for Standardization (ISO)
definition of risk, which combines “the probability of an event and its consequence.”

Enterprises exist to produce products and deliver services and generally have strategies, goals and objectives to
achieve as part of their mission. In formulating a business or operational strategy, an enterprise often decides
explicitly to accept some level of risk to achieve its objectives.

Risk management is an organizational discipline that identifies, analyzes and addresses risk whenever it carries
the potential to jeopardize the enterprise’s stated goals and objectives; combined with strategic planning, risk
management ensures that risk remains commensurate with the enterprise’s risk appetite and tolerance.

Explicitly defining risk appetite and understanding tolerances for different types of risk are important components
of risk management.

Risk appetite is the amount of risk that an enterprise is willing to accept to meet its strategic objectives. Risk
appetite can be expressed in qualitative or quantitative terms.

For example, an enterprise wants to expand its current service-desk call center to better serve its customers and
must allocate US $10 million to fund the project, buy equipment, hire staff and provide training.

The business has a defined and stated risk appetite of $10 million to achieve this objective.

Risk tolerances reflect the thresholds or guardrails that help management determine when identified risk exceeds
the risk appetite. In the call center example, the enterprise should determine the variation from risk appetite that it
will accept before taking action; there may be tolerances, or acceptable variations, for example, with regards to
staffing, dates for delivery of technology equipment or availability of facilities to house the call center.

The risk tolerances may be expressed as a statement, such as, “The project budget is US $10 million; however, the
acceptable range of spending is $8 million to $12 million.” If the project is completed successfully for $12 million or
less, then the risk has been managed within defined tolerances.

An effective risk management process enables the enterprise to make better-informed decisions about accepting
risk to create value and managing risk to minimize negative impact on organizational objectives.

Risk management is not merely a function or a department, nor is it only limited to internal controls.
Risk management comprises the activities and culture that an enterprise undertakes to create and preserve value
when meeting its strategic objectives.

Many frameworks, techniques or methods may be used by an enterprise to establish and maintain the capability for
managing risk in a way that is efficient and effective.

Whether risk is administered holistically (as in enterprise risk management) or managed as a single type or category
(such as compliance or cybersecurity), the underlying principles of the risk management process apply.

Mission, Strategy and Objectives: Setting the context, the enterprise mission, strategy and objectives
are the basis for understanding the risk landscape in which the enterprise operates.

Whether an enterprise is public or private, for profit or nonprofit, government or military, it has a
mission to deliver value to stakeholders and customers. In most enterprises, information about the
mission, business and objectives is usually documented and readily available. For large enterprises,
the information may exist for each organizational unit, line of business or division.

Understanding risk to the enterprise in the context of the mission, strategy and objectives is the first
step in making sure that activities add value to the overall risk management process.

This is known as setting the context for risk management.

The foundational concepts of setting the context require the enterprise to maintain clear traceability
between the mission and assets through which the mission is achieved and services and products
are delivered.

To accomplish the mission, assets—such as people, information, technology, raw materials and
service providers—are essential.

Clearly tracing a path from the mission, products, and services that the enterprise delivers to the
underlying assets that support delivery aids in fostering the ownership and personal responsibility
needed to effectively manage risk.

Action items:
1. Determine if risk appetite is established.
- Establishing and maintaining risk appetite and risk tolerance statements supports appropriate risk taking within the
predetermined limits (tolerances).

2. Communicate the risk vision to all enterprise employees and explain each employee’s individual
responsibilities with respect to risk management.

3. Identify the high-value services and products that fulfill the enterprise mission, strategy and
objectives.
- This provides some prioritization to the risk management activities by placing focus on the critical assets.

Risk management is a continual process that involves the following key steps:
1. Communicate and consult
2. Establish the context
3. Identify risks
4. Analyse risks
5. Evaluate risks
6. Treat risks
7. Monitor and review risks

• It is important to follow this process when conducting risk management as this ensures that the approach to risk management is both comprehensive and consistent.
• This process is formally conducted across the entire organization on an annual basis. This occurs in conjunction with the corporate and business planning process and involves the review and update of risk profiles for the enterprise as a whole, including a review for each individual department. This illustrates a "top-down" and a "bottom-up" approach to risk management.
• Although this process is conducted across the entire organization on an annual basis, risk management is not solely an annual process. It should be conducted as required by the business. Therefore everyone has a responsibility to continually apply this process when making business decisions and when conducting day-to-day management.

[Figure: Risk management process in accordance with ISO 31000. Establishing the Context leads into Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation) and then Risk Treatment, with Communication & Consultation and Monitoring & Review running alongside every step.]

Step 1: Communication and consultation
Communication and consultation with internal and external stakeholders is important throughout the risk
management process to ensure SCUK has a comprehensive overview of the risks that may evolve.

External communication and consultation is targeted at informing external stakeholders of:

• SCUK's risk management approach.
• The effectiveness of the risk management approach.
• Requesting feedback where appropriate.

Risk management is a key governance and management function to which external stakeholders, including government, legal, regulatory and contractual bodies, are paying increased attention. Satisfying these stakeholders that we use appropriate risk management practices will influence their perception of the organisation.

Internal communication and consultation is aimed at informing internal stakeholders of:

• The risk management process.
• Seeking feedback in relation to the process.
• Key risks and their responsibilities relating to management of these.

Step 2: Establish the Context

2.1. The external context

Building an understanding of our external stakeholders and hence the extent to which this external environment will impact on our ability to achieve corporate objectives:
• Business, Social, Regulatory, Cultural, Competitive, Financial and Political Environments in which SCUK operates.
• It also involves considering SCUK's strengths, weaknesses, opportunities and threats.

2.2. The internal context

This is aimed at understanding organisational elements and the way they interact, such as:
• Culture, internal stakeholders, structure, capabilities (in terms of resources such as people, systems, processes and capital), goals and objectives and the strategies in place to achieve these.

2.3. The risk management context

The goals, objectives, strategies, scope and parameters for the risk management process itself must also be considered.

Note: The "Establish the Context" part of the risk management process will only need to be repeated when there are significant changes to either the organization's external environment or business operations.

Risk assessment

Risk assessment is the overall process of:
• Risk identification,
• Risk analysis and
• Risk evaluation.

Risk assessment should be conducted:
- systematically,
- iteratively and collaboratively,
drawing on the knowledge and views of stakeholders.

It should use the best available information, supplemented by further enquiry as necessary.

Step 3: Risk identification
The purpose of risk identification is to find, recognize and describe risks that might help or prevent an
organization achieving its objectives. Relevant, appropriate and up-to-date information is important in
identifying risks.
(Cyber security) risks are identified in the following ways:
– By performing gap analysis of existing processes
– Findings from internal audits
– Insurance requirements (to be eligible for cyber insurance)
– Independent external assessments
– Requirements to comply with Cyber Essentials certification
– Inputs from internal and external experts
– By brainstorming with risk owners
– Responses to the risk assessment questionnaire from risk owners
– Changes in legal, regulatory or contractual (e.g. PCI DSS, FCDO) requirements
– Business impact analysis

Step 4: Risk Analysis and Evaluation
Information security and cyber risks are analysed based on their impact and probability of occurrence, following the steps described in "Risk Identification".

Once a risk is identified, it is important to adequately describe it. The components of a comprehensive risk description are:
• Event, e.g. low customer satisfaction;
• Cause, e.g. too many defects in product deliverables; and
• Impact, i.e. inability to achieve strategic objectives.

Risk analysis involves:
• Identifying controls currently in place to manage the risk by either reducing the consequence or likelihood of the risk;
• Assessing the effectiveness of current controls;
• Identifying the likelihood of the risk occurring; and
• Identifying the potential consequence or impact that would result if the risk were to occur.

When evaluating the effectiveness of current controls, the factors to consider include consistency of application, understanding of control content and documentation of controls where appropriate. Controls are aimed at bringing the risk within an acceptable level. The evaluation of current controls can occur through several different processes including:
• Control self-assessment;
• Internal Audit reviewing the effectiveness of controls; and
• External Audit reviewing the effectiveness of controls.

The consequence and likelihood ratings, as identified after consideration of current controls, are combined to determine the overall risk level. Impact and Likelihood will be rated as follows:

Impact                     Likelihood
Score  Descriptor          Score  Descriptor
5      Critical            5      Near certain
4      Severe              4      Likely
3      Significant         3      Possible
2      Moderate            2      Unlikely
1      Negligible          1      Rare

The Risk Rating or Risk Score will then be calculated using the below formula:

Risk = (Likelihood x Impact)

Rating outcomes (Likelihood x Impact):

Score   Risk rating
20-25   Critical
15-19   High
10-14   Medium
5-9     Low
0-4     Negligible

Risk matrix (rating with the score in brackets; rows are Impact, columns are Likelihood):

Impact 5   Low (5)          Medium (10)      High (15)        Critical (20)    Critical (25)
Impact 4   Negligible (4)   Low (8)          Medium (12)      High (16)        Critical (20)
Impact 3   Negligible (3)   Low (6)          Low (9)          Medium (12)      High (15)
Impact 2   Negligible (2)   Negligible (4)   Low (6)          Low (8)          Medium (10)
Impact 1   Negligible (1)   Negligible (2)   Negligible (3)   Negligible (4)   Low (5)
           Likelihood 1     Likelihood 2     Likelihood 3     Likelihood 4     Likelihood 5

The basis for scoring risk levels is a five by five scale representing Likelihood (Probability) and potential
impact. The Information Cyber Security team will subsequently share a detailed Risk Analysis and a Risk
Treatment Plan.
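The scoring scheme above (Risk = Likelihood x Impact, banded into the five ratings), as a worked example added here rather than code from the deck: it rebuilds the 5x5 matrix from the formula and bands, ranks a constructed sample register into the prioritised list that the evaluation step expects, flags entries whose rating exceeds a stated tolerance as needing treatment, and shows the residual rating once a treatment changes likelihood or consequence. The Risk class, the register entries and the tolerance value are assumptions for illustration.

```python
"""Risk scoring and prioritisation on the deck's 5x5 scheme: Risk = Likelihood x Impact,
banded Negligible/Low/Medium/High/Critical. Added example, not code from the deck;
the register entries are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPACT = {5: "Critical", 4: "Severe", 3: "Significant", 2: "Moderate", 1: "Negligible"}
LIKELIHOOD = {5: "Near certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}

# Rating outcome bands from the deck: (lowest score, highest score, rating).
BANDS = [(20, 25, "Critical"), (15, 19, "High"), (10, 14, "Medium"),
         (5, 9, "Low"), (0, 4, "Negligible")]
RATING_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact; both inputs must be integers on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or value not in LIKELIHOOD:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return likelihood * impact


def risk_rating(score: int) -> str:
    """Map a score (0-25) to the deck's rating band."""
    for low, high, rating in BANDS:
        if low <= score <= high:
            return rating
    raise ValueError(f"score {score} is outside the 0-25 range")


def risk_matrix() -> Dict[Tuple[int, int], str]:
    """Rebuild the deck's 5x5 matrix as (likelihood, impact) -> rating."""
    return {(lk, im): risk_rating(risk_score(lk, im))
            for lk in LIKELIHOOD for im in IMPACT}


def exceeds_tolerance(rating: str, tolerance: str) -> bool:
    """True when the rating sits above the highest rating the business will retain."""
    return RATING_ORDER.index(rating) > RATING_ORDER.index(tolerance)


@dataclass
class Risk:                    # hypothetical register entry, not a structure from the deck
    ref: str
    event: str
    likelihood: int            # current likelihood, after existing controls
    impact: int                # current impact, after existing controls
    treated: Optional[Tuple[int, int]] = None   # (likelihood, impact) expected after treatment

    def current_rating(self) -> str:
        return risk_rating(risk_score(self.likelihood, self.impact))

    def residual_rating(self) -> str:
        """Rating once the planned treatment has changed likelihood and/or consequence."""
        if self.treated is None:
            return self.current_rating()
        return risk_rating(risk_score(*self.treated))


def prioritise(register: List[Risk], tolerance: str = "Medium") -> List[Tuple[str, int, str, bool]]:
    """Return (ref, score, rating, treatment_required) rows, highest score first.
    Treatment is required where the current rating exceeds the stated tolerance."""
    rows = [(r.ref, risk_score(r.likelihood, r.impact), r.current_rating(),
             exceeds_tolerance(r.current_rating(), tolerance)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; the events and scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware encrypts the file server", 3, 5, treated=(2, 3)),
    Risk("R2", "Phishing email leads to credential theft", 4, 3, treated=(2, 3)),
    Risk("R3", "Flood at the main office disrupts operations", 1, 4),
    Risk("R4", "Supplier misses a contracted delivery date", 2, 2),
]

if __name__ == "__main__":
    for ref, score, rating, treat in prioritise(SAMPLE_REGISTER):
        print(f"{ref}: score {score:2d} {rating:<10} treatment required: {treat}")
```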

Step 5 : Risk Evaluation
Risk evaluation involves considering the risk's overall risk level. This allows determination of whether
further risk treatment actions are required to bring the risk within an acceptable level.

The output of the risk evaluation phase is a prioritised list of risks.

There may be cases when the action required will differ from that identified above; however where this
is the case, the Chief Executive Officer must approve deviation from the above action.

Step 6 Risk treatment
Risk treatment involves examining possible treatment options to determine the most appropriate action for managing a risk.
Treatment actions are required where the current controls are not managing the risk within defined tolerance levels. Treatment
options could involve improving existing controls and implementing additional controls.
Possible risk treatment options include:
• Avoid the risk – change business process or objective so as to avoid the risk;
• Change the likelihood – undertake actions aimed at reducing the cause of the risk;
• Change the consequence – undertake actions aimed at reducing the impact of the risk;
• Share/transfer the risk – transfer ownership and liability to a third party; and
• Retain the risk – accept the impact of the risk.

[Figure: Risk Treatment. Risk Treatment Options: Risk Reduction, Risk Retention, Risk Avoidance, Risk Transfer; followed by Re-evaluation and Management of Residual Risks.]

Risk Response and Treatment
When risk is deemed unacceptable or out of tolerance based on the enterprise risk appetite, activities for risk
response are selected. Generally, the main responses or treatments are: accept, avoid, mitigate and transfer.

• Risk Acceptance is just that; the identified risk is within tolerance of the risk appetite and no further action is
necessary.
- Although not generally a best practice, there may be some cases in which risk is accepted even
if it is out of tolerance.

- This is more often the case when an enterprise does not have a set of risk tolerances that are embedded in the
risk management process.

- Some items may not rise to the level of risk today but merit close monitoring for certain conditions that can
elevate them to risk; for such items, one alternative is to create a watch list.

Risk Response and Treatment (continued)

• Risk Avoidance involves taking steps to remove a hazard or exposure, or to engage in an alternate activity that
lowers the probability of risk occurrence.

• Risk Mitigation is probably the most common response to identified risk, and many people in the risk industry
are familiar with the different types of controls that are available as mitigating actions to bring the identified risk
within tolerance and appetite.

• Risk Transfer is often underutilized and misunderstood as a risk response, especially for cybersecurity risk.
- Risk transfer involves shifting risk from one party to another through a contract. It is most often
accomplished using an insurance policy, but a noninsurance agreement may also be used for risk transfer.

- Responsibility for the risk cannot be transferred, but options like insurance, a liability waiver with a client or
an indemnification agreement with a supplier can help manage any impact from realized risk.

Step 7 : Monitor and Report
Monitor and report on risk under management. Reporting on risk activities ensures a continuous feedback loop to
management, senior leaders, risk committees and other stakeholders.
As the risk management activities progress, analysis should be performed to understand the root causes of any
realized risk with the intent of deriving key risk indicators.

Key risk indicators provide a leading metric that can be tracked over time to better understand the conditions that
contribute to realized risk. Effective risk management requires periodic monitoring until the risk treatment plan is
completed. Periodically reevaluate conditions that might elevate any watch item or vulnerability to a full-fledged
risk.

1. Monitor the status of identified risk, risk treatment plans and measures of the risk management process.
In some enterprises, the project management function can be leveraged to embed the risk management
processes into daily business routines.

2. Periodically revisit areas of concern, watch items and identified risk as conditions change. Update the risk
register as needed.

3. Report the progress of risk management activities to all relevant stakeholders.

Possible stakeholders are:
• Process and system owners
• Audit and risk committees
• Governance boards
• External regulators (if an enterprise is subject to such regulation)

Case study

1. Identify Your Business Assets

List the types of information, processes, important people and technology your business relies upon:
• Customer info
• Key employees
• Banking info
• Manufacturing process
• Proprietary technology

Also consider critical business processes like sales and budgeting.

1. Identify Your Business Assets on the Worksheet (cont.)

• In column 1 of the worksheet, list the assets (e.g., information, people, processes, or technology) that are most important to your business
• Add more rows, if needed

2. Identify the Value of the Assets

Go through each asset type you identified and ask these questions:
• What would happen to my business if this asset was made public?
• What would happen to my business if this asset was damaged or inaccurate?
• What would happen to my business if I/my customers couldn't access this asset?

2. Identify the Asset Values on the Worksheet (cont.)

• Pick an asset value scale that works for you (e.g., low, medium, high or a numerical range like 1-5)

3. Document the Impact to your Business of Loss/Damage to the Assets

• Consider the impact to your business if each asset were lost, damaged, or reduced in value (e.g., intellectual property revealed to competitors)
• This impact may differ from the asset value determined in step 2.

3. Document the Impact to your Business of Loss/Damage to the Assets (cont.)

• Pick an impact value scale that works for you (e.g., low, medium, high)
• Consider if any business processes have manual backup methods

4. Identify likelihood of loss or damage to the asset

• List the threats to each business asset
• Evaluate the likelihood that the asset may be lost or damaged by the threat(s)

4. Identify likelihood of loss or damage to the asset (cont.)

5. Identify Priorities and Potential Solutions

• Compare your impact and likelihood scores. Assets with high impact and/or likelihood scores should be assigned top priorities.
• Identify your priorities.
• Identify potential solutions.
• Develop a plan, including funding, to implement the solutions.

Sample Priority Structure
High: Implement immediate resolution.
Medium: Schedule a resolution.
Low: Schedule a resolution.

5. Prioritize Assets - Risk Matrix

The table below forms the basis for risk assessment in conjunction with the Risk Management Policy.

Current / Treated Risk Matrix

Level of Probability     Level of Impact
                         1 (Insignificant)  2 (Minor)   3 (Moderate)  4 (Major)   5 (Catastrophic)
5 (Almost Certain)       Medium             High        Very High     Critical    Critical
4 (Probable)             Medium             High        Very High     Critical    Critical
3 (Possible)             Low                Medium      High          Very High   Very High
2 (Improbable)           Low                Low         Medium        High        High
1 (Rare)                 Low                Low         Low           Medium      Medium

5. Prioritize Asset Protection

Summary & Wrap up

Identify

Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Sample Identify Activities

Categories: Business Environment, Asset Management, Governance, Risk Assessment

• Identify critical business processes
• Document information flows
• Establish policies for cybersecurity that include roles and responsibilities
• Maintain hardware and software inventory
• Identify contracts with external partners
• Identify risk management processes

Protect

Develop and implement the appropriate safeguards to ensure delivery of services.

Sample Protect Activities

Categories: Information Protection Processes and Procedures, Maintenance, Awareness and Training, Identity Management and Access Control, Data Security, Protective Technology

• Manage access to assets and information
• Conduct regular backups
• Protect sensitive data
• Patch operating systems and applications
• Create response and recovery plans
• Protect your network
• Train your employees

Detect

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Sample Detect Activities

Categories: Anomalies and Events, Continuous Monitoring

• Install and update anti-virus and other malware detection software
• Know what the expected data flows are for your business
• Maintain and monitor logs

Respond

Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Sample Respond Activities

Categories: Response Planning, Communications

• Coordinate with internal and external stakeholders
• Ensure response plans are tested
• Ensure response plans are updated

Recover

Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Sample Recover Activities

Categories: Recovery Planning, Communications

• Manage public relations and company reputation
• Communicate with internal and external stakeholders
• Ensure recovery plans are updated
• Consider cyber insurance

[Figure: NIST Cybersecurity Framework categories grouped by function. Identify: Asset Management, Business Environment, Governance, Risk Assessment. Protect: Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology. Detect: Anomalies and Events, Continuous Monitoring. Respond: Response Planning, Communications. Recover: Recovery Planning, Communications.]

Source: NIST