Risk Determination & Decision Tree Analysis

profilepraveen1993
ISEM580_RiskManagent_Overview-Lecture-07.pptx

Harrisburg University ISEM 580 Summer 2017

Business Risk Management Overview

Objectives

Key Terms

Risk Management Overview

Types of Risks

Risk Informed Decision Model

Risk Management Important to Project Success

Decision Tree Analysis

2

Risk Management – Key Terms

Risk: is the potential of gaining or losing something of value. Values (such as physical health, social status, emotional well-being, or financial wealth) can be gained or lost when taking risk resulting from a given action or inaction, foreseen or unforeseen.

Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility whereby the "true" outcome/state/result/value is not known, unpredictable, or uncontrollable.

Risk Perception: is the subjective judgment people make about the severity and probability of a risk, and may vary person to person. Any human endeavor carries some risk, but some are much riskier than others.

Default: is failure to meet the legal obligations or terms and conditions of a contract (loan, bond, bank notes, line of credit, unpaid wages, tax liabilities, other debt obligations, etc.).

Threat: is the intent to inflict harm or loss on another person; Threats can be subtle or overt. From a IT perspective: a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause harm.

3

Risk Management – Key Terms

Vulnerability: Susceptible to physical harm or damage. A security vulnerability is a weakness in a product or systems that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or system.

Risk Tolerance: is a more specific measure of the degree of uncertainty that an organization is willing to accept in respect to negative changes to its business, assets, or security.

Risk Appetite: the amount and type of risk that an organization is prepared to pursue, retain, or take (according to ISO 31000)

Residual Risk: is defined as the threat a risk poses after considering the current mitigation activities in place to address it.

4

Risk Management – Strategic Alignment

Align your risk tolerances with your strategic goals and business models When risk tolerances are aligned with both overall risk appetite and strategic goals, they will lower residual risk and contribute to achieving your strategic goals.

5

Risk Management Overview

6

What is Risk Management, Approach & Plan?

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level

The risk management approach determines the processes, techniques, tools, and team roles and responsibilities for a specific project.

The risk management plan describes how risk management will be structured and performed on the project

7

Effective Risk Management Characteristics

Create value – resources expended to mitigate risk should be less than the consequence of inaction

Be an integral part of organizational processes (strategic, Tactical, operational)

Be part of decision making process

Explicitly address uncertainty and assumptions

Be a systematic and structured process

Be based on the best available information

Be tailorable

Take human factors into account

Be transparent and inclusive

Be dynamic, iterative and responsive to change

Capable of continual improvement and enhancement

Continually or periodically re-assessed

8

Business Owner’s Perspective on Risk

Business Owner’s Perspective on Risk:

Business Risk: refers to the chance a business's cash flows are not enough to cover its operating expenses like cost of goods sold, rent and wages.

Systematic risk refers to the chance an entire market or economy will experience a downturn or even fail.

Unsystematic risk describes the chance a specific company or line of business will experience a downturn or even fail.

Financial risk refers to the chance a business's cash flows are not enough to pay creditors and fulfill other financial responsibilities.

9

Business Financial Risk – Internal & External Factors

Interest Rate Risk: The interest rate is often the number-one component of financial risk. Banks and lenders offer business loans at a specific interest rate.

A credit risk is the risk of default on a debt that may arise from a borrower failing to make required payments.

Market risk is the risk of losses in positions arising from movements in market prices. Financial risks can also be linked to the overall market risk in the business environment.

10

Business Financial Risk – Internal & External Factors

Cash Flow plays an important role in financial risk. Business owners often use external financing to start their new business venture. External financing represents fixed cash outflows that must be paid regardless of the company profitability.

Volatility risk is the risk of a change of price of a portfolio as a result of changes in the volatility of a risk factor.

Legal risk is the risk of litigation resulting in financial or reputational loss due to the lack of awareness or misunderstanding of, ambiguity in, or reckless indifference to, the way law and regulation apply to your business, its relationships, processes, products and services.

11

Business Financial Risk – Internal & External Factors

Compliance Risk: Risks associated with compliance are those subject to legislative or bureaucratic rule and regulations, or those associated with best practices for investment purposes.

Reputation risk, is a risk of loss resulting from damages to a firm's reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty.

Liquidity risk is a financial risk that for a certain period of time a given assets, security, or commodity cannot be traded quickly enough in the market without impacting the market price.

12

Business Financial Risk – Internal & External Factors

Economic Risk: Companies are exposed to financial risk from various aspects of the overall economy.

Performance Risk: include the risks that the completed project, when complete, fails to perform as intended or fails to meet business requirements that justified it.

Operational risk is "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses

13

Business Operational Risk – Causes

Internal Fraud

External Fraud

Employment Practices and Workplace

Clients, Products, and Business Practice

Damage to Physical Assets

Business Disruption and Systems Failures

Execution, Delivery, and Process Management

Project and Portfolio Management

14

Risk Informed Decision Model

15

International Organization for Standardization (ISO)- (Defined the Principles of Risk Management)

How to reduce Business Risk

16

Reducing Business Risk – Recommendations

Review the existing system of internal controls, which provide checks and balances for every aspect of a company

Establish Business Risk Assessment & Measurement Methods

Develop Risk Management & Contingency Plans

Plan Evaluations

Employ the services of an internal control consultant

17

Risk Response Strategies

18

Risk – Response Strategies

Avoidance

Transference

Mitigation

Acceptance

Contingency Planning

19

Benefits of Risk Management Program

20

Risk – Response Strategies

Financial

Protecting Resources

Business Culture

21

Why Risk Management is Important to Project Success

22

Risk – Response Strategies

Plans

Preparation

Results

Evaluation

23

Conducting Quantitative Risk Analysis

Decision Tree

24

Creating Procedures – Starting Block

A decision tree is a graph that uses a branching method to illustrate every possible outcome of a decision. Decision trees can be drawn by hand or created with a graphics program or specialized software.

Informally, decision trees are useful for focusing discussion when a group must make a decision

25

Decision Tree – Decision Paths

26

Decision Tree – Evaluate Options & Outcomes

27

Decision Tree – Calculation of Uncertain Outcome Nodes

28

0.4 (probability good outcome) x $1,000,000 (value) = $400,000
0.4 (probability moderate outcome) x $50,000 (value) = $20,000
0.2 (probability poor outcome) x $2,000 (value) = $400
TOTAL $420,400

Decision Tree –Calculate Value of Decision Nodes

29

Decision Tree –Calculate Value of Decision Nodes

30

Assignments

Chapter 8 (IT Managers Handbook)

Homework 3: IT Policy Management

Project 1:

Part A: Create an IT Governance Matrix

Part B: Create a Governance Charter for Enterprise Security Committee

Part C: Write a Information Security Policy for Data Classifications

31