Risk Determination & Decision Tree Analysis
Harrisburg University ISEM 580 Summer 2017
Business Risk Management Overview
Objectives
Key Terms
Risk Management Overview
Types of Risks
Risk Informed Decision Model
Risk Management Important to Project Success
Decision Tree Analysis
2
Risk Management – Key Terms
Risk: is the potential of gaining or losing something of value. Values (such as physical health, social status, emotional well-being, or financial wealth) can be gained or lost when taking risk resulting from a given action or inaction, foreseen or unforeseen.
Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility whereby the "true" outcome/state/result/value is not known, unpredictable, or uncontrollable.
Risk Perception: is the subjective judgment people make about the severity and probability of a risk, and may vary person to person. Any human endeavor carries some risk, but some are much riskier than others.
Default: is failure to meet the legal obligations or terms and conditions of a contract (loan, bond, bank notes, line of credit, unpaid wages, tax liabilities, other debt obligations, etc.).
Threat: is the intent to inflict harm or loss on another person; Threats can be subtle or overt. From a IT perspective: a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause harm.
3
Risk Management – Key Terms
Vulnerability: Susceptible to physical harm or damage. A security vulnerability is a weakness in a product or systems that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or system.
Risk Tolerance: is a more specific measure of the degree of uncertainty that an organization is willing to accept in respect to negative changes to its business, assets, or security.
Risk Appetite: the amount and type of risk that an organization is prepared to pursue, retain, or take (according to ISO 31000)
Residual Risk: is defined as the threat a risk poses after considering the current mitigation activities in place to address it.
4
Risk Management – Strategic Alignment
Align your risk tolerances with your strategic goals and business models When risk tolerances are aligned with both overall risk appetite and strategic goals, they will lower residual risk and contribute to achieving your strategic goals.
5
Risk Management Overview
6
What is Risk Management, Approach & Plan?
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level
The risk management approach determines the processes, techniques, tools, and team roles and responsibilities for a specific project.
The risk management plan describes how risk management will be structured and performed on the project
7
Effective Risk Management Characteristics
Create value – resources expended to mitigate risk should be less than the consequence of inaction
Be an integral part of organizational processes (strategic, Tactical, operational)
Be part of decision making process
Explicitly address uncertainty and assumptions
Be a systematic and structured process
Be based on the best available information
Be tailorable
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Capable of continual improvement and enhancement
Continually or periodically re-assessed
8
Business Owner’s Perspective on Risk
Business Owner’s Perspective on Risk:
Business Risk: refers to the chance a business's cash flows are not enough to cover its operating expenses like cost of goods sold, rent and wages.
Systematic risk refers to the chance an entire market or economy will experience a downturn or even fail.
Unsystematic risk describes the chance a specific company or line of business will experience a downturn or even fail.
Financial risk refers to the chance a business's cash flows are not enough to pay creditors and fulfill other financial responsibilities.
9
Business Financial Risk – Internal & External Factors
Interest Rate Risk: The interest rate is often the number-one component of financial risk. Banks and lenders offer business loans at a specific interest rate.
A credit risk is the risk of default on a debt that may arise from a borrower failing to make required payments.
Market risk is the risk of losses in positions arising from movements in market prices. Financial risks can also be linked to the overall market risk in the business environment.
10
Business Financial Risk – Internal & External Factors
Cash Flow plays an important role in financial risk. Business owners often use external financing to start their new business venture. External financing represents fixed cash outflows that must be paid regardless of the company profitability.
Volatility risk is the risk of a change of price of a portfolio as a result of changes in the volatility of a risk factor.
Legal risk is the risk of litigation resulting in financial or reputational loss due to the lack of awareness or misunderstanding of, ambiguity in, or reckless indifference to, the way law and regulation apply to your business, its relationships, processes, products and services.
11
Business Financial Risk – Internal & External Factors
Compliance Risk: Risks associated with compliance are those subject to legislative or bureaucratic rule and regulations, or those associated with best practices for investment purposes.
Reputation risk, is a risk of loss resulting from damages to a firm's reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty.
Liquidity risk is a financial risk that for a certain period of time a given assets, security, or commodity cannot be traded quickly enough in the market without impacting the market price.
12
Business Financial Risk – Internal & External Factors
Economic Risk: Companies are exposed to financial risk from various aspects of the overall economy.
Performance Risk: include the risks that the completed project, when complete, fails to perform as intended or fails to meet business requirements that justified it.
Operational risk is "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses
13
Business Operational Risk – Causes
Internal Fraud
External Fraud
Employment Practices and Workplace
Clients, Products, and Business Practice
Damage to Physical Assets
Business Disruption and Systems Failures
Execution, Delivery, and Process Management
Project and Portfolio Management
14
Risk Informed Decision Model
15
International Organization for Standardization (ISO)- (Defined the Principles of Risk Management)
How to reduce Business Risk
16
Reducing Business Risk – Recommendations
Review the existing system of internal controls, which provide checks and balances for every aspect of a company
Establish Business Risk Assessment & Measurement Methods
Develop Risk Management & Contingency Plans
Plan Evaluations
Employ the services of an internal control consultant
17
Risk Response Strategies
18
Risk – Response Strategies
Avoidance
Transference
Mitigation
Acceptance
Contingency Planning
19
Benefits of Risk Management Program
20
Risk – Response Strategies
Financial
Protecting Resources
Business Culture
21
Why Risk Management is Important to Project Success
22
Risk – Response Strategies
Plans
Preparation
Results
Evaluation
23
Conducting Quantitative Risk Analysis
Decision Tree
24
Creating Procedures – Starting Block
A decision tree is a graph that uses a branching method to illustrate every possible outcome of a decision. Decision trees can be drawn by hand or created with a graphics program or specialized software.
Informally, decision trees are useful for focusing discussion when a group must make a decision
25
Decision Tree – Decision Paths
26
Decision Tree – Evaluate Options & Outcomes
27
Decision Tree – Calculation of Uncertain Outcome Nodes
28
| 0.4 (probability good outcome) x $1,000,000 (value) = | $400,000 |
| 0.4 (probability moderate outcome) x $50,000 (value) = | $20,000 |
| 0.2 (probability poor outcome) x $2,000 (value) = | $400 |
| TOTAL | $420,400 |
Decision Tree –Calculate Value of Decision Nodes
29
Decision Tree –Calculate Value of Decision Nodes
30
Assignments
Chapter 8 (IT Managers Handbook)
Homework 3: IT Policy Management
Project 1:
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write a Information Security Policy for Data Classifications
31