is therefore a possible hazard or opportunity that, if it occurred or was captured, would threaten or benefit business outcomes.
PD 6668:2000 provides guidance on how organizations can establish and manage their strategic and operational risks. Some risks must be taken in order to be successful and survive. Other risks, if realized, can put an organization in jeopardy, and these risks should be mitigated. BS 6079-3:2000 provides specific guidance on the management of business-related project risk. The standard describes a process for identifying, assessing, and controlling risk within a broad framework.
Risk management, then, is the systematic application of policies, procedures, methods, and practices to the tasks of identifying, analyzing, evaluating, treating, and monitoring risk. BS 6079 confirms that risk involves three key issues: the frequency, the consequences, and the perception of loss. BS 6079 focuses on how risk affects all stakeholders. It emphasizes the importance of communication among stakeholders in the process of seeking responses. It identifies a \cycle\It recommends the creation of a \external experts, as well as perhaps some stakeholder representatives, to address the major risk issues facing an organization. It suggests creating a \documentation of issues, scope of decisions, identification of roles and responsibilities, identification of decision makers, details of analyses, stakeholder responses, and support documentation for decisions.
Risk = Hazard × Consequence
Risk can be rated for a specific resource or value (specific risk), or it can be determined for all resources and values (total risk).
The framework comprises an iterative process embracing the following:
- Understanding context: Project objectives and business objectives—the project in the business context and the business in the project context
- Identifying risk: The sources of risk, and understanding how risks arise
- Analyzing risk: Characterization
- Evaluating risk: Identifying priorities
- Treating risk: Taking action

Maintaining the Knowledge Pool, Plans, and the Management Process
The risk management culture is exemplified by encouraging everyone, especially managers, to continuously consider and monitor risk, including that arising from their own decision making and actions. Training and simulations can heighten awareness and responsibilities of decision makers (BS 6079-3:2000 cls 4.4), and help them adopt a priority of actions for treating risk (BS 6079-3:2000 cls 4.3.4). The phases outlined by BS 6079 are as follows:
1. Eliminate risk.
2. Avoid risk.
3. Share risk.
4. Reduce the probability of occurrence of risk.
5. Reduce the consequences of risk.
Canadian Standard 1797 (CSA-Q850-97)
Canada followed Australia and New Zealand in creating a \Australasian \Canadian Standards Association published CAN/CSA-Q850-97 in October 1997, \Guideline for Decision Makers, a National Standard for Canada.\document than a financial or operational risk management guide. CSA-Q850-97 confirms that risk involves three key issues: the frequency, the consequences, and the perception of loss. The Canadian guideline also focuses on how risk affects all stakeholders. It emphasizes the importance of communication among stakeholders in the process of seeking responses. It identifies a \cycle\It recommends the creation of a \external experts, as well as stakeholder representatives, to address the major risk issues facing an organization.
The decision-making process described in the CSA Risk Management Guideline (CAN/CSA-Q850-97) consists of six steps, which follow a standardized management or systems analysis approach. The process is iterative and allows for the return to previous steps at any time throughout the process. The features of the Q850 approach are as follows:
- It incorporates stakeholder perceptions of the acceptability of the risk into the decision process, providing for more informed decision making and ensuring that the legitimate interests of all affected stakeholders are considered.
- It incorporates a risk communication framework into the decision process, ensuring reasonable and effective communication among stakeholders.
- It provides a standardized terminology used to describe risk issues, thus contributing to better communication about risk issues.
- It provides for an explicit treatment of uncertainty.
The CSA risk management process is illustrated in Figure 1.2.
Figure 1.2: The risk analysis, assessment, and management process.
Walking through the CSA risk management process, one begins with the initiation phase. Risk Assessment and Analysis begins in the Preliminary Analysis phase, coming to completion in Risk Estimation. Risk Assessment ends in Risk Evaluation. Risk Control and Action Monitoring complete the risk management process.
The definition of risk for the CSA risk management process involves three key issues: the frequency, consequences, and perception of loss. The process focuses on how risk affects all stakeholders. It emphasizes the importance of communication among stakeholders in the process of seeking responses. It identifies a \methods of financing are implicitly included. The CSA process recommends the creation of a \management team,\some stakeholder representatives, to address the major risk issues facing an organization. The process suggests creating a \of decisions, identification of roles and responsibilities, identification of decision makers, details of analyses, stakeholder responses, and support documentation for decisions.
Germany: IT-Grundschutz 100-3
German-headquartered global businesses follow ISO 17799 as their horizontal best-practice standard for corporate security. If more than 50 percent of their business remains in Germany, corporations will generally opt for the BSI-issued IT-Grundschutz. IT-Grundschutz is a more detailed version of ISO 17799, and Germans argue over which came first, Grundschutz or the British BS 7799. They see theirs as the more stringent, realistic approach to a baseline. Under the IT-Grundschutz risk analysis approach, the threats are identified and assigned a likelihood of occurrence. The results of this analysis are then used to select the appropriate IT security measures, after which the residual risk can be assessed. Figure 1.3 outlines how threats are managed.
Figure 1.3: Threat assessment process flow.
The procedure illustrated in Figure 1.3 can be used to reveal, with the least possible effort and expense, the most important areas in which there is still a need for action after the IT Baseline Protection Manual has been applied. Threats listed in the IT Baseline Protection Manual that are relevant to the IT asset under review are used as the starting point for risk analysis.
- Preparing the threat summary—When determining relevant threats, the protection requirement for the target object under review must be considered in terms of the three basic parameters for IT security: confidentiality, integrity, and availability.
- Determination of additional threats—Regardless of the protection requirements of the target object under review, it is important to determine additional relevant threats when there is a special need for analysis. This is the case, for example, if there is no appropriate module in the IT Baseline Protection Manual.
- Threat assessment—The threat summary is worked through systematically. For each target object and threat, it is checked whether the IT security safeguards that are already implemented, or at least planned in the IT security concept, provide adequate protection. These are usually standard security safeguards from the IT Baseline Protection Manual.
From this point, three options exist: risk reduction, risk transference, and risk acceptance. Risk reduction is accomplished through further security safeguards, where the remaining threat is removed by preparing and implementing additional security measures that counteract the threat adequately; risk transference is accomplished through restructuring, where the remaining threat is removed by restructuring the business asset; and risk acceptance is where the remaining threat and the risk arising from it are accepted.
South Africa: IRMSA and King II Report Section 2
In 1994 the King Committee on Corporate Governance, headed by former High Court judge Mervyn King S.C., published the King Report on Corporate Governance (King I), incorporating a code of corporate practices and conduct. It was the first of its kind in the country and was aimed at promoting the highest standards of corporate governance in South Africa. Over and above the financial and regulatory aspects of corporate governance, King I advocated an integrated approach to good governance in the interests of a wide range of stakeholders. Although groundbreaking at the time, the evolving global economic environment, together with recent legislative developments, has necessitated that King I be updated. To this end, the King Committee on Corporate Governance developed the King Report on Corporate Governance for South Africa, 2002 (King II). King II acknowledges that there is a move away from the single bottom line (that is, profit for shareholders) to a triple bottom line, which embraces the economic, environmental, and social aspects of a company's activities. The South African corporate governance report provides a unique definition of risk in the context of regulations designed to promote operational transparency and stakeholder accountability, and to that end we will break down the report into its core areas of focus to differentiate it from the purely operational or purely risk-oriented taxonomies, which occupy a common subject area. Although focused on South Africa, the rigor of the King reports has earned international recognition and acclaim. King II requires the majority of members of the audit committee to be financially literate and, in four chapters, defines risk for the purpose of legislative accountability. The following paragraphs present an overview of the report broken down by chapter:
- Chapter 1: Introduction and definition—Risk management is defined as the identification and evaluation of actual and potential areas of risk as they pertain to a company, followed by a procedure of termination, transfer, acceptance (tolerance), or mitigation of each risk. Risk management is therefore a process that utilizes internal controls as a measure to mitigate and control risk.
- Chapter 2: Responsibility for risk management—The board is responsible for setting risk tolerance and related strategies and policies. It is also the board's responsibility to review the effectiveness of these policies on a regular basis and in a manner in which its objectives are clearly defined for the benefit of management, to guide them in carrying out their responsibilities. The board is responsible for ensuring that the company has implemented an effective ongoing process to identify risk, measure its potential impact against a set of assumptions, and then activate what it believes is necessary to proactively manage these risks. The board must then decide what risks the company is prepared to take and what risks it will not take in pursuance of its goals and objectives.
- Chapter 3: Assimilating risk to the control environment—The board is required to implement a comprehensive system of controls to ensure that risks are mitigated and that the company's objectives are attained. The control environment must then set the tone of the company and cover ethical values, management's philosophy, and the competence of employees. Any vulnerability in the achievement of the company's objectives, whether caused by internal or external risk factors, should be detected and reported by the systems of control in place and met with appropriate intervention. This is intended to improve the company's risk profile, enhance the company's attractiveness to investors, and increase the positive influences of risk on the business.