2. Understand Risk - Intro
Diagram labels: IT Risk, Risk Management, IT Value, Risk & Opportunity, Value Management, IT Event, IT Process Management, IT Governance.
Managing risk not only reduces the negative impact of technology but also increases its positive impact for the business.
3. Understanding Risk
ISO 31000:2009 defines risk as:
"The effect of uncertainty on objectives"
• Effect: a deviation from the expected, positive and/or negative
• Uncertainty: a deficiency of information relating to an event, its consequence, or likelihood
• Objectives: can have different aspects (e.g. finance, safety, environmental goals) and can apply at different levels (e.g. strategic, department, project)
The three questions behind any risk: What can go wrong? How likely is it? What are the consequences?
4. Registering Risks
Risk Register: minimum records
Source of risk (hazard) | Event (including when and where) | Outcome (consequence) | Cause (how and why)
Fire | Fire at head office | Estimated cost 100 million dollars | Short circuit
Virus | H1N1 pandemic | Operations interruption | Employees contract the virus
5. Risk Key Elements
RISK CAUSE: A risk cause is something that leads to the source of risk, to an exposure to it, or to a risk event. A cause can also be called a contributory factor, particularly when it does not necessarily result in the risk occurring but increases its likelihood.
RISK FACTOR: A risk factor is something that makes the magnitude of risk (likelihood or consequence) higher or lower without being specifically a cause. It may also be called a vulnerability.
CONTROL FAILURE: A control failure can be considered to be an uncertain event with an outcome that affects objectives. However, a control failure only becomes a problem if there is a source of risk and an event occurs, i.e. it is a conditional risk.
6. Measuring Risk
Level of risk (magnitude of a risk) is determined by two components: the likelihood of occurrence and the consequence of an event.
Risk is often expressed in terms of the consequences of an event or a change in circumstances and the associated likelihood of occurrence.
7. Evolution of Risk Management
The Past: Risk Management as Compliance
• Identify problems
• Rank them
• Demonstrate every risk has a control (usually a standard procedure)
• Monitor controls
The Present: Risk Management to Prioritise Problems
• Identify problems
• Rank them
• Check if the level of risk is above the target level (qualitative)
• Implement improved controls starting from the highest risks
• Monitor implementation
The Future: Risk Management as Business Optimisation
• Identify potential problems and opportunities
• Understand causes and factors which affect likelihood and consequence
• Optimise treatment considering: effectiveness of current and proposed controls; causal factors; costs and benefits of treating the risk; costs and benefits of taking the risk
• Treat according to risk appetite
• Monitor and feedback
8. Risk Management Process
Communication and consultation (runs alongside every step)
• Establishing the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
Monitoring and review (runs alongside every step)
9. ISO 31000:2009 Relationship between the Principles, Framework and Process
Principles (Clause 3):
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
Framework (Clause 4):
• Mandate and commitment (4.2)
• Design of framework (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)
Process (Clause 5):
• Communication and consultation (5.2), alongside every step
• Establishing the context (5.3)
• Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6), alongside every step
11. Managing Risk is a Shared Responsibility
ERM Activities Objectives:
– To ensure that risk owners at department/division level (Business Units) understand the risks surrounding their department and take the appropriate risk mitigation actions related to those risks
– To maintain an up-to-date company risk profile, which includes updating existing risk ratings and identifying new risks
– The result can be one of the tools management uses in the business decision-making process
– To ensure that information related to risks and their mitigation controls is properly documented
Business Unit Roles (Risk Owners):
Update the risks, identify new risk drivers (i.e. what triggers things to happen) related to their department/division, and update their risk mitigation action plan
Risk Management Unit Roles:
• Facilitate and assist the risk owners with the framework and the process
• Communicate and report the results of ERM activities to Management, the Board of Directors and the Board Audit Committee
12. Criteria of Likelihood
Level | General Description | Estimated Frequency | Estimated Probability
Rare | Event may occur in exceptional circumstances only | Once every 5 years | < 10%
Unlikely | Expected to occur less frequently | Once every 3 years | 10% – < 25%
Moderate | Event might occur at some time | At least once in the next 12 months | 25% – < 50%
Likely | Event has happened before and will probably occur again | Several times in a year | 50% – < 75%
Almost Certain | Event is common and is expected to occur in most circumstances | At least monthly | > 75%
13. Criteria of Impact
Levels, in order: Insignificant | Minor | Moderate | Major | Catastrophic
Disruption to Service:
i) Localised*: < 1 hour | 1 – 4 hours | 4 – 10 hours | 10 – 48 hours | > 48 hours
ii) Regional*: 0 – 15 min | 15 min – 1 hour | 1 – 4 hours | 4 – 10 hours | > 10 hours
iii) Nationwide*: nil | 0 – 15 min | 15 min – 1 hour | 1 – 4 hours | > 4 hours
Injuries: Nil | Minor injury, minor treatment (first aid) | Minor injury requiring outpatient treatment | Extensive bodily injuries / permanent disability requiring hospitalisation | Death; extensive bodily injuries / permanent disability, hospitalisation required
Financial**: < 1% variance against targets/budget financial indicator | 1% – < 5% variance | 5% – < 10% variance | 10% – < 15% variance | ≥ 15% variance
Aggregate Loss (p.a. against Gross Revenue): < 0.25% | ≥ 0.25% and < 0.5% | ≥ 0.5% and < 1% | ≥ 1% and < 2% | ≥ 2%
Customer: Customer complaints generally restricted to hotline / emails | Customer complaints generally restricted to hotline / emails | Customer complaints include negative posts online (e.g. blogs, twitter, YouTube etc.) | Widespread negative publicity online (e.g. blogs, twitter, YouTube etc.) | Widespread negative publicity online (e.g. blogs, twitter, YouTube etc.)
Reputation: Estimated time to restore reputation: 1 week | 3 months | 6 months | 1 year | Corporate image significantly affected; long-standing reputation damage; criminal prosecutions; political intervention
Media Attention: None | Media enquiries only | One-off newspaper article / radio / television / online mention | Sustained media attention for > 3 days | Sustained media attention for > 5 days
14. Risk Rating Matrix
Level of likelihood (rows) against level of impact (columns):
Likelihood \ Impact | Insignificant | Minor | Moderate | Major | Catastrophic
Almost Certain | Moderate | Moderate | Significant | High | Extreme
Likely | Moderate | Moderate | Significant | High | High
Moderate | Low | Moderate | Significant | Significant | High
Unlikely | Low | Low | Moderate | Significant | Significant
Rare | Low | Low | Moderate | Moderate | Significant
Risk Rating: What it Means
Extreme: Board attention is required. Immediate action by the Board with detailed research and a management risk treatment plan.
High: Board attention is required. Senior management responsibility specified. Risk must be managed by senior management with a detailed risk treatment plan.
Significant: Senior management attention required. Management responsibility specified. Risks should be treated using one or more of the risk treatment options.
Moderate: Management attention required. Management responsibility specified. Risks should be treated using one or more of the risk treatment options.
Low: Risk is accepted with minimal treatment and can normally be managed using existing routine procedures. Low risks need to be monitored and periodically reviewed to ensure they remain acceptable.
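The likelihood criteria, impact criteria and rating matrix above are only useful if applied consistently across the register, so here is a small scorer that encodes them and ranks register entries by rating. This is an added example, not material from the original deck; the sample register is constructed, and the placement of exact threshold values into the higher band, the rule that the most severe impact dimension governs the overall impact, and all function names are assumptions made for illustration.

```python
# Scoring a risk register with the deck's likelihood criteria, impact criteria
# and rating matrix. Added example, not the original deck's material.
# Assumptions: exact threshold values fall into the higher band, the worst
# impact dimension governs, and the sample register is constructed.
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_ORDER = ["Low", "Moderate", "Significant", "High", "Extreme"]

# Risk rating matrix: row = likelihood, columns in IMPACT order.
MATRIX = {
    "Almost Certain": ["Moderate", "Moderate", "Significant", "High", "Extreme"],
    "Likely":         ["Moderate", "Moderate", "Significant", "High", "High"],
    "Moderate":       ["Low", "Moderate", "Significant", "Significant", "High"],
    "Unlikely":       ["Low", "Low", "Moderate", "Significant", "Significant"],
    "Rare":           ["Low", "Low", "Moderate", "Moderate", "Significant"],
}
# Who owns the response, condensed from the "What it Means" column.
ESCALATION = {
    "Extreme": "Board: immediate action with a detailed risk treatment plan",
    "High": "Board attention; senior management owns a detailed treatment plan",
    "Significant": "Senior management attention; management responsibility specified",
    "Moderate": "Management attention; management responsibility specified",
    "Low": "Accepted; routine procedures, monitored and periodically reviewed",
}
# Upper bound (hours) of the Insignificant..Major bands per disruption scope;
# longer outages are Catastrophic. Nationwide "nil" is encoded as 0 hours.
DISRUPTION_HOURS = {
    "localised": [1, 4, 10, 48],
    "regional": [0.25, 1, 4, 10],
    "nationwide": [0, 0.25, 1, 4],
}

def _band(value, bounds, labels, top):
    # First label whose upper bound lies above value, else the top band.
    for bound, label in zip(bounds, labels):
        if value < bound:
            return label
    return top

def likelihood_from_probability(p):
    """Annual probability 0..1 -> band: <10%, 10-25%, 25-50%, 50-75%, >75%."""
    return _band(p, [0.10, 0.25, 0.50, 0.75], LIKELIHOOD[:4], "Almost Certain")

def impact_from_variance(pct):
    """Variance against targets/budget: <1%, 1-5%, 5-10%, 10-15%, >=15%."""
    return _band(pct, [1, 5, 10, 15], IMPACT[:4], "Catastrophic")

def impact_from_loss(pct_of_revenue):
    """Aggregate loss p.a. against gross revenue: <0.25, 0.25-0.5, 0.5-1, 1-2, >=2 %."""
    return _band(pct_of_revenue, [0.25, 0.5, 1, 2], IMPACT[:4], "Catastrophic")

def impact_from_disruption(scope, hours):
    """Outage length to band for a localised, regional or nationwide disruption."""
    bounds = DISRUPTION_HOURS[scope.lower()]
    if hours == 0 or hours < bounds[0]:
        return "Insignificant"
    for bound, label in zip(bounds[1:], IMPACT[1:4]):
        if hours <= bound:          # a band such as "1 - 4 hours" includes both ends
            return label
    return "Catastrophic"

def worst_impact(*bands):
    """Assumption: the most severe dimension sets the overall impact level."""
    return max(bands, key=IMPACT.index)

def rate(likelihood, impact):
    return MATRIX[likelihood][IMPACT.index(impact)]

def score(risk):
    likelihood = likelihood_from_probability(risk["probability"])
    impact = worst_impact(
        impact_from_disruption(risk["scope"], risk["outage_hours"]),
        impact_from_variance(risk["variance_pct"]),
        impact_from_loss(risk["loss_pct_revenue"]))
    rating = rate(likelihood, impact)
    return {**risk, "likelihood": likelihood, "impact": impact,
            "rating": rating, "action": ESCALATION[rating]}

def score_register(register):
    """Score every entry and order the register highest rating first."""
    return sorted((score(r) for r in register),
                  key=lambda r: RATING_ORDER.index(r["rating"]), reverse=True)

# Constructed sample register; the first two rows follow the deck's examples.
SAMPLE_REGISTER = [
    {"source": "Fire", "event": "Fire at head office", "cause": "Short circuit",
     "probability": 0.05, "scope": "localised", "outage_hours": 72,
     "variance_pct": 12, "loss_pct_revenue": 2.5},
    {"source": "Virus", "event": "H1N1 pandemic", "cause": "Employees contract the virus",
     "probability": 0.6, "scope": "nationwide", "outage_hours": 2,
     "variance_pct": 6, "loss_pct_revenue": 0.3},
    {"source": "Power", "event": "Regional data centre power loss", "cause": "UPS failure",
     "probability": 0.9, "scope": "regional", "outage_hours": 0.5,
     "variance_pct": 0.5, "loss_pct_revenue": 0.1},
]

if __name__ == "__main__":
    for r in score_register(SAMPLE_REGISTER):
        print(f'{r["rating"]:12} {r["likelihood"]:15} {r["impact"]:13} {r["event"]}: {r["action"]}')
```

Running the scorer on the sample register puts the pandemic first (Likely x Major = High) ahead of the fire (Rare x Catastrophic = Significant) and the power loss (Almost Certain x Minor = Moderate), which is the point of the matrix: a frequent but minor event and a rare but catastrophic one both land below a plausible high-impact event, and the rating rather than any single dimension decides who has to own the treatment plan.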
15. Criteria of Risk Treatment Measures
Effective:
• > 75% of necessary/identified risk treatment measures are implemented
• Significant attention to the risk exists
• Current risk treatment measures mitigate risks to a level where there is no desire/need to take more or less risk
• An ongoing risk monitoring system is maintained
Mostly Effective:
• From 50% to 75% of necessary/identified risk treatment measures are implemented
• Current risk treatment measures provide a reasonable certainty of control over the risk
• Current risk treatment measures mitigate risks to an extent that requires some actions to enhance the design/operation of risk treatment strategies
Fairly Effective:
• From 25% to 50% of necessary/identified risk reduction measures are implemented
• Current risk treatment measures mitigate risks to an extent that requires major actions to enhance the design/operation of risk treatment strategies
Ineffective:
• < 25% of necessary/identified risk reduction measures are implemented
• Current risk treatment is insufficient/ineffective to mitigate risks
16. Criteria of Managing Risk Action
4T Strategy – Take, Treat, Transfer, and Terminate (1)
RISK TREATMENT and WHAT YOU CAN DO
TAKE
Accept the risk within the Group and establish an appropriate plan to manage such risks. What you can do:
• Set loss targets and tolerance levels
• Establish and monitor risk indicators
• Charge a premium price to cover the risk
• Finance the consequences
TREAT
Option 1 – Reduce the likelihood or probability through:
• Vision, mission, strategies, objectives and goals
• Policies, plans, guidelines and standards
• Values and ethics
• Clear assignment of responsibility
• Audit and compliance program
• Review of specification, design, engineering and operations
• Inspection and process control
• Investment and portfolio management
• Corrective and preventive maintenance
• Quality assurance, management and standards
• Research and development
• Training and supervision
• Performance measurement and tracking
• Performance appraisals and feedback
Option 2 – Reduce the impact of risk through:
• Contingency planning
• Disaster recovery plan
• Engineering and structural barriers
• Fraud management
• Separation or relocation of activity/resources
• Contractual transfer
• Design features
• Reduce scale of activity or business
17. Criteria of Managing Risk Action
4T Strategy – Take, Treat, Transfer, and Terminate (2)
RISK TREATMENT and WHAT YOU CAN DO
TRANSFER
Transfer the risk by moving the risks to third party – full
transfer or sharing some parts of the risks at a cost.
These can be done through:
• Contracts
• External insurance contract
• Partnership, alliances and joint-ventures contracts
• Hedging
• Diversification
Note: It is important to note that transfer of risk does
not result in transfer of accountability; the risk owner
will remain accountable.
TERMINATE
Avoid the risk by terminating the activity likely to
generate risks (where this is practicable) through:
• Cease the activity
• Pull out of market
• Divest
• Change the business objectives