Final Risk Management Slides
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Final Risk Management Slides as PDF for free.
More details
- Words: 2,934
- Pages: 65
Insurance and Risk Management
Group Members
Risk
The Ali possibility or chance of loss or injury; the property or Riaz BT-04-01 person exposed to damage or injury; an insurance Waqar Farooqi company's uncertaintyBT-04-47 regarding the ultimate amount of any claim payment (underwriting risk) or uncertainty regarding the timing of claim payments (timing risk), or both.
Types of Risk Subjective Risk Psychological uncertainty which stems from the individual mental attitude or state of mind. It could be measure by different psychological test .The degrees of subjective risk depend upon the attitude of the person who perceived the risk. E.g. A person who knows that there is only one chance in a million that a loss will occur may still worry while another would not.
Types of Risk(cont..) Objective Risk The relative variation of actual from expected loss. In dealing with objective risk we are concerned maily with the range of variability of economic losses about of some most probable loss in a group large enough to analyze significantly in a statically sense. Objective risk = (Actual loss – Expected loss) / Expected loss
Law of Large Numbers
A basic law that states that as the number of exposure units increases the more certain it is that actual loss experience will equal to expected loss experience. Examples: Chinese Traders Insurance Companies
Managing Objective and Subjective Risk C. Managing objective risk • • • • •
Assuming the risk or retention Combination of objects subject to risk Risk transfer or shifting Loss control or prevention Risk avoidance
•
Managing subjective risk
• • •
Search for information Group discussion Training and education
Managing Objective Risk Assuming the risk or retention
Planned Risk Retention Often called self-insurance in which firms or individuals decides to pay losses out of currently available funds (rainy day funds) Unplanned Risk Retention exists when a person does not recognize a risk exists and unwittingly believes that no loss could occur.
Managing Objective Risk(cont..)
Combination of objects subject to risk The system of handling risk that usually involves the use of large numbers. Examples: Chinese Merchants Commercial insurance companies
Managing Objective Risk(cont..) Risk transfer or shifting One individual pays another to assume a risk that the transferor desires to escape. The risk bearer or transferee assumes the risk for a price.
Managing Objective Risk(cont..)
Loss control or prevention It usually reduces the degree of risk, people may worry less when they are ridding in a large automobile, which is less susceptible to crushing during a collision.
Managing Objective Risk(cont..) Risk avoidance Closely related to loss control is the method of avoidance of the possibility of loss in the first place, thus avoiding the risk? A person who has a high aversion toward risk may avoid entering a certain business at all.
Managing Subjective Risk Search for information A risk averting person may be more willing to accept risk once there is a better understanding of uncertainties, because with better knowledge one is likely to perceive less risk in a situation. A risk taking person may be willing to assume event greater risks they formerly rejected and at a reduced premiums
Managing Subjective Risk(cont..) Group discussion Perceived subjective risk decline after group discussion and bolder and quicker action may result. Training and education Education in risk and insurance might improve the efficiency with which insurance is employed by making the user a more sophisticated buyer.
Degree Of Risk The uncertainty that can arise from a given set of circumstances; the probability that actual experience will differ from what is anticipated.
Degree of Risk in Subjective Risk The high degree of subjective risk exists when a person experiences great mental uncertainness as to the frequency of occurrence of some event that make cause a loss, and as to the amount or severity of the possible loss. • High subjective risk produces conservative conduct • Low subjective risk produces less conservative conduct
Degree of Risk in Objective Risk Objective risk varies according to the probable variation of actual from expected loss. If the variation is high, the risk will be high and if the variation is low the risk will be low.
Hazard and Perils Peril The contingency that may cause a loss. Perils for an automobile are collision, fire and for a building is fire etc. Hazard A condition or situation that creates or increases the probability of loss from a peril, such as unsafe or unclean conditions, cheap or flammable building materials for building and fog, icy streets, congested roads etc for an automobile.
Types of Hazards Physical hazard Moral hazard Morale hazard
Physical Hazard A hazard that results from material, structural, and physical characteristics of an object that increases the probability or severity of loss from given perils. Examples: Dry forests-hazard for fir Earth faults-hazard for earthquake Icebergs -hazard for ocean shipping
Moral Hazard A moral hazard stems from mental attitude of the insured. Because of the indifference to loss or owning to an outright desire for the loss to occur, the individual either brings about personal loss or intentionally does nothing to prevent its occurrence. Example: ü An insured fails to repair faulty wiring, believing it is less expensive to pay insurance premiums than to pay an electrician.
Morale Hazard The morale hazard includes the mental attitude that characterizes an accident-prone person. Even though an individual does not consciously want a loss, there may be a sub-conscious desire for loss. The psychologists would probably diagnose the cause of excessive and repeated accidents as a sub conscious problem of morale.
Static Risk vs. Dynamic Risk Static Risk A risk that arises from the normal course of business activities and does not involve changes in the environment or technology. Static risk can only result in a loss. Examples: ü Fire ü Windstorm ü death
Dynamic Risk A risk that arises from the continuous change that exists in the business or economic environment or in technology. Dynamic risk can produce a gain (or savings) as well as a loss (or expenses). Examples: ü Urban Unrest ü Increasing complex technology Greater legal liability due to changing attitude of courts
Pure Risk vs. Speculative Risk Pure Risk A risk involving the probability or possibility of loss with no chance for gain. A pure risk is generally insurable. Example: A loss to one’s property due to fire, flood windstorm or any other peril.
Speculative Risk A risk for which it is uncertain as to whether the final outcome will be a gain or loss. Generally, speculative risks cannot be insured. Example: Gambling
Insurance
A contract whereby one person (insurer) agrees to indemnify or guarantee another (insured) against loss caused by a specified cause or future contingency in return for the present payment of premium.
Types of Risks on the Basis of Insurable or Non- Insurable Risks Insurable Commercially Property risk Personal risk Legal liability risk Risks Non-Insurable Commercially Market risk Political risk Production risk
Risks Insurable Commercially A. Property risk – the uncertainty surrounding the occurrence of loss to property from perils the cause; 1. Direct loss of property 2. Loss of property indirectly
Risks Insurable Commercially(cont..) Personal risk- the uncertainty surrounding the occurrence of loss of life or income due to: 1. Premature death 2. Physical disability 3. Old age 4. Unemployment
Risks Insurable Commercially(cont..) Legal liability risk- the uncertainty surrounding the occurrence of loss due to negligent behavior resulting in injuring to persons arising out of: 1. The use of automobile 2. The occupancy of building 3. Employment 4. The manufacture of product 5. Professional misconduct
Risks Non-Insurable Commercially Market risk- factor that may result in loss to property or income such as: 1. Price change, seasonal or cyclical 2. Consumer indifference 3. Style change 4. Competition offered by better product
Risks Non-Insurable Commercially(cont..) Political risk- the uncertainty surrounding the occurrence of: 1. over throw of the government or war 2. Restriction imposed on free trade 3. Unreasonable or punitive taxation 4. Restrictions on free exchange of currencies
Risks Non-Insurable Commercially(cont..) Production risk- the uncertainty surrounding the occurrence of: 1. Failure of machinery to function economically 2. Failure to solve technical problem 3. Exhaustion of raw material resources 4. Strikes, absenteeism, labor unrest
Insurance vs. Gambling
Insurance may appear to be a contract under which there is a possibility for the insurance company to pay to a given party a great deal more than it has receive in premium. • In insurance one party shifts its risk to another i.e. insurance occur after the realization of risk. • On the other hand, Gambling creates a new risk where none existing before. • After the gamble each party become subject to a new risk of losing money.
Requisites of Insurable Risk We can classify the requisites of insurable risk under two general heading: The insurer’s standpoint The insured’s standpoint
The insurer’s standpoint 1. The objective must be sufficient number and quality to allow a reasonably close calculation of probable loss. 2. The loss, should it occur, must be accidental and unintentional in nature from the viewpoint of insured. 3. The loss, when it occurs, must be capable of being determined and measured. 4. The insured object should not be subject simultaneous destruction i.e. catastrophic hazard should be minimal.
The Insured’s Standpoint 1. That the potential loss must be severe enough to cause financial hardship. 2. That the probability of loss must not be too high.
Riaz Ali BT-04-01
Practical Demonstration
Risk Management
Risk Management
Risk management is the human activity which integrates recognition of risk, risk assessment, developing strategies to manage it, and mitigation of risk using managerial resources.
Traditional Risk Management Some traditional risk managements are focused on risks stemming from physical or legal causes. Exemples: Natural disasters or fires Accidents Deaths
Objective of Risk Management Objective of risk management is to: Reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. On the other hand it involves all means available for humans, or in particular, for a risk management entity (person, staff, organization).
Risk Management Process
Steps of Risk Management Process 1. 2. 3. 4. 5. 6.
Recognition of risk Risk Assessment Developing Strategies to Manage it Mitigation of risk using managerial resources Implementation Review and Evaluation Risk Management Plan
Some Explanations
Which Risk Should be Handeld First?
Risk = Probability of Occurrence* Loss of the event
Risks with the greatest loss and the greatest probability of occuring should be handled first. Risks with lower loss and lower probability of occurrence are handled in descending order. Intangible Risk Management A risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. Deficient knowledge-Knowledge risk Ineffective collaboration-Relationship risk
Some Explanations Con’t
Opportunity Cost Resources spent on risk management could have been spent on more profitable activities.
Steps of Risk Management Process
Step 1. Identification Risks are about events that, when triggered, cause problems. Source of Risk/Problem Risk/Problem
Identification Con’ t Risk Source Analysis Source of Risk may be internal or external to the system that is the target of risk management. Stakeholders of a project Employees of a company The weather over an airport Risk Analysis Risks are related to identified actual threats from any source to the organization. The threat of losing money The threat of abuse of privacy information The threat of accidents and casualties
Common Risk Identification Methods 1. Objective-based risk identification Any event that may endanger achieving an objective partly or completely is identified as risk. Example:
Weather over an airport
2. Scenario-based risk identification
Different scenarios are created. The scenarios may be the alternative ways to achieve an objective. Any event that triggers an undesired scenario alternative is identified as risk. Example:
Common Risk Identification Methods Con’t 3. Taxonomy-based risk identification The taxonomy is a breakdown of possible risk sources. A questionnaire is compiled Based on the taxonomy and knowledge of best practices. The answers to the questions reveal risks. 1. Employees 2. Suppliers 3. Government 4. Common-risk Checking Lists with known risks are available. Each risk in the list can be checked for application to a particular situation.
Common Risk Identification Methods Con’t 5. Risk Charting This method combines the above approaches by listing: Resources at risk. Threats to those resources. Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. 7. One can begin with resources and consider the threats they are exposed to and the consequences of each. 8. One can start with the threats and examine which resources they would affect. 9. One can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
1. One can begin with resources and consider the threats they are exposed to and the consequences of each.
Sources Production
Channel distribution
Supply
Threat 1
Threat 2
Threat 3
Consequence
Consequence
Consequence
Threat 1
Threat 2
Threat 3
Consequence
Consequence
Consequence
Threat 1
Threat 1
Threat 1
Consequence
Consequence
Consequence
2. One can start with the threats and examine which resources they would affect. Threats Fire
Theft
Source 1
Source 2
Source 3
Consequence
Consequence
Consequence
Source 1
Source 2
Source 3
Consequence
Consequence
Consequence
Source 2
Source 3
Consequence
Consequence
Damage Source 1 Consequence
3. One can begin with the consequences and determine which combination of threats and resources would be involved to bring them about. Consequences
Causalities
Accidents
Threat 1
Threat 2
Threat 3
Source
Source
Source
Threat 1
Threat 2
Threat 3
Source
Source
Source
Threat 2
Threat 3
Source
Source
Information Threat 1 Stolen
Source
Step 2. Risk Assessment
Potential Severity of loss Probability of occurrence
Risk = Rate of occurrence* impact of the event Difficulties: o
Determining the rate of occurrence since statistical information is not available on all kinds of past incidents.
o
Evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets.
Step 3. Developing Strategies
Risk Avoidance (Elimination) Risk Reduction/Prevention/Control Risk Retention Risk Transfer (buying insurance) Risk Diversification
Developing Strategies Con’t
Risk Avoidance
Includes not performing an activity that could carry risk. Example: would be not doing the business. would be not flying the airplane. o
Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
Developing Strategies Con’t
Risk Prevention/Reduction Involves methods that reduce the severity of the loss.
Examples:
People may worry less when they are ridding in a large automobile, which is less susceptible to crushing during a collision. Modern software development methodologies reduce risk by developing and delivering software incrementally. Sprinklers designed to put out a fire to reduce the risk of loss by fire.
Developing Strategies Con’t
Risk Retention Involves accepting the loss when it occurs. True self-insurance falls in this category. All risks that are not avoided or transferred are retained by default. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. Risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.e.g. War
Developing Strategies Con’t
Risk Transfer Means causing another party to accept the risk. Contract Example: Liability among constructors Hedging Insurance -Simply by getting insured by some insurance company Outsourcing -Outsource only some of their departmental needs.
Developing Strategies Con’t
Risk Diversification Risk may be reduce through diversification.
Several warehouses in different locations to store goods. Mutual funds Chinese Traders
Step 4. Create a Risk Mitigation Plan
Mitigation of risks often means selection of Security Controls. For example an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. Risk mitigation needs to be approved by the appropriate level of management. The risk management plan should propose applicable and effective security controls for managing the risks. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.
Step 5. Implementation
Follow all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that have been decided to be transferred to an insurer. Avoid all risks that can be avoided without sacrificing the entity's goals. Reduce others . And retain the rest.
Step 6. Review and Evaluation of the Plan Initial risk management plans will never be perfect. Risk analysis results and management plans should be updated periodically. There are two primary reasons for this: • To evaluate whether the previously selected security controls are still applicable and effective • To evaluate the possible risk level changes in the business environment. Example: Information risks are a good example of rapidly changing business environment.
Limitations
If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Prioritizing too highly the risk management processes could keep an organization from ever completing a project or even getting started.
Group Members
Risk
The Ali possibility or chance of loss or injury; the property or Riaz BT-04-01 person exposed to damage or injury; an insurance Waqar Farooqi company's uncertaintyBT-04-47 regarding the ultimate amount of any claim payment (underwriting risk) or uncertainty regarding the timing of claim payments (timing risk), or both.
Types of Risk Subjective Risk Psychological uncertainty which stems from the individual mental attitude or state of mind. It could be measure by different psychological test .The degrees of subjective risk depend upon the attitude of the person who perceived the risk. E.g. A person who knows that there is only one chance in a million that a loss will occur may still worry while another would not.
Types of Risk(cont..) Objective Risk The relative variation of actual from expected loss. In dealing with objective risk we are concerned maily with the range of variability of economic losses about of some most probable loss in a group large enough to analyze significantly in a statically sense. Objective risk = (Actual loss – Expected loss) / Expected loss
Law of Large Numbers
A basic law that states that as the number of exposure units increases the more certain it is that actual loss experience will equal to expected loss experience. Examples: Chinese Traders Insurance Companies
Managing Objective and Subjective Risk C. Managing objective risk • • • • •
Assuming the risk or retention Combination of objects subject to risk Risk transfer or shifting Loss control or prevention Risk avoidance
•
Managing subjective risk
• • •
Search for information Group discussion Training and education
Managing Objective Risk Assuming the risk or retention
Planned Risk Retention Often called self-insurance in which firms or individuals decides to pay losses out of currently available funds (rainy day funds) Unplanned Risk Retention exists when a person does not recognize a risk exists and unwittingly believes that no loss could occur.
Managing Objective Risk(cont..)
Combination of objects subject to risk The system of handling risk that usually involves the use of large numbers. Examples: Chinese Merchants Commercial insurance companies
Managing Objective Risk(cont..) Risk transfer or shifting One individual pays another to assume a risk that the transferor desires to escape. The risk bearer or transferee assumes the risk for a price.
Managing Objective Risk(cont..)
Loss control or prevention It usually reduces the degree of risk, people may worry less when they are ridding in a large automobile, which is less susceptible to crushing during a collision.
Managing Objective Risk(cont..) Risk avoidance Closely related to loss control is the method of avoidance of the possibility of loss in the first place, thus avoiding the risk? A person who has a high aversion toward risk may avoid entering a certain business at all.
Managing Subjective Risk Search for information A risk averting person may be more willing to accept risk once there is a better understanding of uncertainties, because with better knowledge one is likely to perceive less risk in a situation. A risk taking person may be willing to assume event greater risks they formerly rejected and at a reduced premiums
Managing Subjective Risk(cont..) Group discussion Perceived subjective risk decline after group discussion and bolder and quicker action may result. Training and education Education in risk and insurance might improve the efficiency with which insurance is employed by making the user a more sophisticated buyer.
Degree Of Risk The uncertainty that can arise from a given set of circumstances; the probability that actual experience will differ from what is anticipated.
Degree of Risk in Subjective Risk The high degree of subjective risk exists when a person experiences great mental uncertainness as to the frequency of occurrence of some event that make cause a loss, and as to the amount or severity of the possible loss. • High subjective risk produces conservative conduct • Low subjective risk produces less conservative conduct
Degree of Risk in Objective Risk Objective risk varies according to the probable variation of actual from expected loss. If the variation is high, the risk will be high and if the variation is low the risk will be low.
Hazard and Perils Peril The contingency that may cause a loss. Perils for an automobile are collision, fire and for a building is fire etc. Hazard A condition or situation that creates or increases the probability of loss from a peril, such as unsafe or unclean conditions, cheap or flammable building materials for building and fog, icy streets, congested roads etc for an automobile.
Types of Hazards Physical hazard Moral hazard Morale hazard
Physical Hazard A hazard that results from material, structural, and physical characteristics of an object that increases the probability or severity of loss from given perils. Examples: Dry forests-hazard for fir Earth faults-hazard for earthquake Icebergs -hazard for ocean shipping
Moral Hazard A moral hazard stems from mental attitude of the insured. Because of the indifference to loss or owning to an outright desire for the loss to occur, the individual either brings about personal loss or intentionally does nothing to prevent its occurrence. Example: ü An insured fails to repair faulty wiring, believing it is less expensive to pay insurance premiums than to pay an electrician.
Morale Hazard The morale hazard includes the mental attitude that characterizes an accident-prone person. Even though an individual does not consciously want a loss, there may be a sub-conscious desire for loss. The psychologists would probably diagnose the cause of excessive and repeated accidents as a sub conscious problem of morale.
Static Risk vs. Dynamic Risk Static Risk A risk that arises from the normal course of business activities and does not involve changes in the environment or technology. Static risk can only result in a loss. Examples: ü Fire ü Windstorm ü death
Dynamic Risk A risk that arises from the continuous change that exists in the business or economic environment or in technology. Dynamic risk can produce a gain (or savings) as well as a loss (or expenses). Examples: ü Urban Unrest ü Increasing complex technology Greater legal liability due to changing attitude of courts
Pure Risk vs. Speculative Risk Pure Risk A risk involving the probability or possibility of loss with no chance for gain. A pure risk is generally insurable. Example: A loss to one’s property due to fire, flood windstorm or any other peril.
Speculative Risk A risk for which it is uncertain as to whether the final outcome will be a gain or loss. Generally, speculative risks cannot be insured. Example: Gambling
Insurance
A contract whereby one person (insurer) agrees to indemnify or guarantee another (insured) against loss caused by a specified cause or future contingency in return for the present payment of premium.
Types of Risks on the Basis of Insurable or Non- Insurable Risks Insurable Commercially Property risk Personal risk Legal liability risk Risks Non-Insurable Commercially Market risk Political risk Production risk
Risks Insurable Commercially A. Property risk – the uncertainty surrounding the occurrence of loss to property from perils the cause; 1. Direct loss of property 2. Loss of property indirectly
Risks Insurable Commercially(cont..) Personal risk- the uncertainty surrounding the occurrence of loss of life or income due to: 1. Premature death 2. Physical disability 3. Old age 4. Unemployment
Risks Insurable Commercially(cont..) Legal liability risk- the uncertainty surrounding the occurrence of loss due to negligent behavior resulting in injuring to persons arising out of: 1. The use of automobile 2. The occupancy of building 3. Employment 4. The manufacture of product 5. Professional misconduct
Risks Non-Insurable Commercially Market risk- factor that may result in loss to property or income such as: 1. Price change, seasonal or cyclical 2. Consumer indifference 3. Style change 4. Competition offered by better product
Risks Non-Insurable Commercially(cont..) Political risk- the uncertainty surrounding the occurrence of: 1. over throw of the government or war 2. Restriction imposed on free trade 3. Unreasonable or punitive taxation 4. Restrictions on free exchange of currencies
Risks Non-Insurable Commercially(cont..) Production risk- the uncertainty surrounding the occurrence of: 1. Failure of machinery to function economically 2. Failure to solve technical problem 3. Exhaustion of raw material resources 4. Strikes, absenteeism, labor unrest
Insurance vs. Gambling
Insurance may appear to be a contract under which there is a possibility for the insurance company to pay to a given party a great deal more than it has receive in premium. • In insurance one party shifts its risk to another i.e. insurance occur after the realization of risk. • On the other hand, Gambling creates a new risk where none existing before. • After the gamble each party become subject to a new risk of losing money.
Requisites of Insurable Risk We can classify the requisites of insurable risk under two general heading: The insurer’s standpoint The insured’s standpoint
The insurer’s standpoint 1. The objective must be sufficient number and quality to allow a reasonably close calculation of probable loss. 2. The loss, should it occur, must be accidental and unintentional in nature from the viewpoint of insured. 3. The loss, when it occurs, must be capable of being determined and measured. 4. The insured object should not be subject simultaneous destruction i.e. catastrophic hazard should be minimal.
The Insured’s Standpoint 1. That the potential loss must be severe enough to cause financial hardship. 2. That the probability of loss must not be too high.
Riaz Ali BT-04-01
Practical Demonstration
Risk Management
Risk Management
Risk management is the human activity which integrates recognition of risk, risk assessment, developing strategies to manage it, and mitigation of risk using managerial resources.
Traditional Risk Management Some traditional risk managements are focused on risks stemming from physical or legal causes. Exemples: Natural disasters or fires Accidents Deaths
Objective of Risk Management Objective of risk management is to: Reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. On the other hand it involves all means available for humans, or in particular, for a risk management entity (person, staff, organization).
Risk Management Process
Steps of Risk Management Process 1. 2. 3. 4. 5. 6.
Recognition of risk Risk Assessment Developing Strategies to Manage it Mitigation of risk using managerial resources Implementation Review and Evaluation Risk Management Plan
Some Explanations
Which Risk Should be Handeld First?
Risk = Probability of Occurrence* Loss of the event
Risks with the greatest loss and the greatest probability of occuring should be handled first. Risks with lower loss and lower probability of occurrence are handled in descending order. Intangible Risk Management A risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. Deficient knowledge-Knowledge risk Ineffective collaboration-Relationship risk
Some Explanations Con’t
Opportunity Cost Resources spent on risk management could have been spent on more profitable activities.
Steps of Risk Management Process
Step 1. Identification Risks are about events that, when triggered, cause problems. Source of Risk/Problem Risk/Problem
Identification Con’ t Risk Source Analysis Source of Risk may be internal or external to the system that is the target of risk management. Stakeholders of a project Employees of a company The weather over an airport Risk Analysis Risks are related to identified actual threats from any source to the organization. The threat of losing money The threat of abuse of privacy information The threat of accidents and casualties
Common Risk Identification Methods 1. Objective-based risk identification Any event that may endanger achieving an objective partly or completely is identified as risk. Example:
Weather over an airport
2. Scenario-based risk identification
Different scenarios are created. The scenarios may be the alternative ways to achieve an objective. Any event that triggers an undesired scenario alternative is identified as risk. Example:
Common Risk Identification Methods Con’t 3. Taxonomy-based risk identification The taxonomy is a breakdown of possible risk sources. A questionnaire is compiled Based on the taxonomy and knowledge of best practices. The answers to the questions reveal risks. 1. Employees 2. Suppliers 3. Government 4. Common-risk Checking Lists with known risks are available. Each risk in the list can be checked for application to a particular situation.
Common Risk Identification Methods Con’t 5. Risk Charting This method combines the above approaches by listing: Resources at risk. Threats to those resources. Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. 7. One can begin with resources and consider the threats they are exposed to and the consequences of each. 8. One can start with the threats and examine which resources they would affect. 9. One can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
1. One can begin with resources and consider the threats they are exposed to and the consequences of each.
Sources Production
Channel distribution
Supply
Threat 1
Threat 2
Threat 3
Consequence
Consequence
Consequence
Threat 1
Threat 2
Threat 3
Consequence
Consequence
Consequence
Threat 1
Threat 1
Threat 1
Consequence
Consequence
Consequence
2. One can start with the threats and examine which resources they would affect. Threats Fire
Theft
Source 1
Source 2
Source 3
Consequence
Consequence
Consequence
Source 1
Source 2
Source 3
Consequence
Consequence
Consequence
Source 2
Source 3
Consequence
Consequence
Damage Source 1 Consequence
3. One can begin with the consequences and determine which combination of threats and resources would be involved to bring them about. Consequences
Causalities
Accidents
Threat 1
Threat 2
Threat 3
Source
Source
Source
Threat 1
Threat 2
Threat 3
Source
Source
Source
Threat 2
Threat 3
Source
Source
Information Threat 1 Stolen
Source
Step 2. Risk Assessment
Potential Severity of loss Probability of occurrence
Risk = Rate of occurrence* impact of the event Difficulties: o
Determining the rate of occurrence since statistical information is not available on all kinds of past incidents.
o
Evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets.
Step 3. Developing Strategies
Risk Avoidance (Elimination) Risk Reduction/Prevention/Control Risk Retention Risk Transfer (buying insurance) Risk Diversification
Developing Strategies Con’t
Risk Avoidance
Includes not performing an activity that could carry risk. Example: would be not doing the business. would be not flying the airplane. o
Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
Developing Strategies Con’t
Risk Prevention/Reduction Involves methods that reduce the severity of the loss.
Examples:
People may worry less when they are ridding in a large automobile, which is less susceptible to crushing during a collision. Modern software development methodologies reduce risk by developing and delivering software incrementally. Sprinklers designed to put out a fire to reduce the risk of loss by fire.
Developing Strategies Con’t
Risk Retention Involves accepting the loss when it occurs. True self-insurance falls in this category. All risks that are not avoided or transferred are retained by default. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. Risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible.e.g. War
Developing Strategies Con’t
Risk Transfer Means causing another party to accept the risk. Contract Example: Liability among constructors Hedging Insurance -Simply by getting insured by some insurance company Outsourcing -Outsource only some of their departmental needs.
Developing Strategies Con’t
Risk Diversification Risk may be reduce through diversification.
Several warehouses in different locations to store goods. Mutual funds Chinese Traders
Step 4. Create a Risk Mitigation Plan
Mitigation of risks often means selection of Security Controls. For example an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. Risk mitigation needs to be approved by the appropriate level of management. The risk management plan should propose applicable and effective security controls for managing the risks. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.
Step 5. Implementation
Follow all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that have been decided to be transferred to an insurer. Avoid all risks that can be avoided without sacrificing the entity's goals. Reduce others . And retain the rest.
Step 6. Review and Evaluation of the Plan Initial risk management plans will never be perfect. Risk analysis results and management plans should be updated periodically. There are two primary reasons for this: • To evaluate whether the previously selected security controls are still applicable and effective • To evaluate the possible risk level changes in the business environment. Example: Information risks are a good example of rapidly changing business environment.
Limitations
If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Prioritizing too highly the risk management processes could keep an organization from ever completing a project or even getting started.
Related Documents
Final Risk Management Slides
May 2020 16
Time Management Slides Final
May 2020 8
Risk Management
June 2020 20
Risk Management
June 2020 17
Risk Management
June 2020 11
Risk Management
May 2020 10More Documents from ""
Muhammad Munir
June 2020 15
Repo
May 2020 10
Final Risk Management Slides
May 2020 16
Cultural Differences
June 2020 17