Self reflective report
Information Systems Management
Risk Management
Assignment 2 feedback return date
Assignment 3 should be underway, further guidance in Week 10 if required
Next week we take a practical look at the concept of Change Management (Week 11)
In our final knowledge week we explore geo-political and cultural issues for IS managers
Housekeeping
Heard the one about the CIO and the dog?
Heard the one about the CIO and the dog? So this CIO is talking to her boss, and she says, “You know, I really only need two things to run IT: a person and a dog.” The CEO says “OK, so what does the person do?” The CIO: “They make sure everything’s set up right and all the dials are set properly.” The CEO asks: “And what’s the dog for?” CIO: “The dog’s there to make sure nobody adjusts the dials.”
Well, it’s an exaggeration, of course, but still, an apt picture of a common approach to IT risk management – and one that’s entirely understandable. Given the fragility and complexity of the infrastructure at many organizations, the “dog” – change control – is key. It’s the IT systems, after all, that keep the business running.
But building a fence around the infrastructure introduces critical consequences that won’t serve businesses in a highly competitive landscape. One is the risk of becoming too rigid to seize opportunities fast enough; another, being blindsided by a competitor that appears on the scene with a radical new business model driven by next-gen apps.
What is risk?
Risk formularised
Risk Management?
What are we managing
The need to understand risk management
The merging of crisis management and risk management
Categorising risk
Risk Management / How to go about it
Risk Measurement
Risk Management Principles
Benefits of Risk Management
Risk/Agile/ Making risk planning more ‘visual’
(Some) Takeaways
Housekeeping
Swinburne
SCIENCE | TECHNOLOGY | INNOVATION | BUSINESS | DESIGN
A risk is a potential activity or event that could harm the organisation’s finances, revenues, reputation, market position and capacity to deliver services.
Risks may be of a strategic nature or operational nature. Examples of both are as follows:
Strategic risks:
not preparing adequately for new trends and shifts in the marketplace
taking a course of action that is not in line with the strategic objectives of the business
making a major investment in technologies, systems and methodologies that are about to become obsolete due to changes in the environment.
Operational risks:
a cost overrun on an infrastructure project
the mismanagement of a business unit
a lack of training and induction about critical incident reporting.
Risk
Risk/s?
risk = probability (of a disruption event) x loss (connected to the event occurrence)
risk = failure probability x damage related to the failure
Risk Formularised
Value is a function of risk and return. Every decision either increases, preserves, or erodes value. Strategic-minded enterprises do not strive to eliminate risk or even to minimise it. This is a perspective that represents a critical change from the traditional view of risk as something to avoid.
Rather, these enterprises seek to manage risk exposures across all parts of their organisations so that, at any given time, they incur just enough of the right kinds of risk—no more, no less—to effectively pursue strategic goals.
This is the ‘sweet spot,’ or optimal risk-taking zone.
Some form of anxiety
Risk /Integral to the pursuit of value
Categorising Risk
Known risks
- Those risks that can be uncovered after careful evaluation of the project plan, the business and technical environment in which the project is being developed, and other reliable information sources (e.g., unrealistic delivery date)
Predictable risks
- Those risks that are extrapolated from past project experience (e.g., past turnover)
Unpredictable risks
- Those risks that can and do occur, but are extremely difficult to identify in advance (e.g., staff turnover; often external, e.g., the GFC)
Categorising Risks
The Known Knowns
Embedded video
YOU may be in an audience in the future when a concept is explained to you as poorly as this…
Strategies for you as a future IS manager:
Are you clear on what was said?
Can you repeat it to someone else so that they comprehend the concept?
Strategies for dealing with RISK
Reactive risk strategies
"Don't worry, I'll think of something"
The majority of managers and teams rely on this approach
Nothing is done about risks until something goes wrong
The team then flies into action in an attempt to correct the problem rapidly (fire fighting)
Crisis management becomes the management technique of choice
Proactive risk strategies
Steps for risk management are followed
Primary objective is to avoid risk and to have a contingency plan in place to handle unavoidable risks in a controlled and effective manner
Common strategy types for dealing with Risks
Accept it
Accepting the risk means that while you have identified it and logged it in your risk management software, you take no action. You simply accept that it might happen and decide to deal with it if it does.
This is a good strategy to use for very small risks – risks that won’t have much of an impact on your project if they happen and could be easily dealt with if or when they arise. It could take a lot of time to put together an alternative risk management strategy or take action to deal with the risk, so it’s often a better use of your resources to do nothing for small risks.
Risk /Ways to deal with it
Acceptance of risk /
Retain it
Also called ‘managed’ or ‘residual’ risk (Rival & Fichadia, 2007).
Risk identified and kept by the risk manager
The consequences of any exposure will be absorbed
A person deciding against having the flu shot, retains the risk of influenza.
This is a legitimate method of dealing with risk
May be conscious or unconscious, voluntary or involuntary (Vaughan, 1997)
Common approaches for dealing with Risks
Avoid it
This is a good strategy for when a risk has a potentially large impact on your project.
Timing/Planning
For example, if January is when your company Finance team is busy doing the corporate accounts, putting them all through a training course in January to learn a new process isn’t going to be a great idea. There’s a risk that the accounts wouldn’t get done. It’s more likely, though, that there’s a big risk to their ability to use the new process, since they will all be too busy in January to attend the training or to take it in even if they do go along to the workshops. Instead, it would be better to avoid January for training completely. Change the project plan and schedule the training for February when the bulk of the accounting work is over.
Risk /Ways to deal with it /2
Avoidance of risk /
Mitigate
Mitigating against a risk is probably the most commonly used risk management technique. It’s also the easiest to understand and the easiest to implement. What mitigation means is that you limit the impact of a risk, so that if it does occur, the problem it creates is smaller and easier to fix.
For example, if you are launching a new washing machine and the Sales team then have to demonstrate it to customers, there is a risk that the Sales team don’t understand the product and can’t give good demonstrations. As a result, they will make fewer sales and there will be less revenue for the company.
A mitigation strategy for this situation would be to provide good training to the Sales team. There could still be a chance that some team members don’t understand the product, or they miss the training session, or they just aren’t experts in washing machines and never will be, but the impact of the risk will be far reduced as the majority of the team will be able to demonstrate the new machine effectively.
You can mitigate against the impact, like in this example, and you can also mitigate against the likelihood of it happening. Sometimes the actions will be broadly the same; sometimes you’ll have to have some tasks to reduce the chance that the risk happens and some separate tasks to make the impact of the risk smaller if it happens.
Risk /Ways to deal with it
Mitigation of risk /
Transfers
Transference is a risk management strategy that isn’t used very often and tends to be more common in projects where there are several parties. Essentially, you transfer the impact and management of the risk to someone else. For example, if you have a third party contracted to write your software code, you could transfer the risk that there will be errors in the code over to them. They will then be responsible for managing this risk, perhaps through additional training.
Normally transference arrangements are written up into project contracts. Insurance is another good example. If you are transporting equipment as part of your project and the van is in an accident, the insurance company will be liable for providing new equipment to replace any that was damaged. The project team acknowledges that the accident might happen, but they won’t be responsible for dealing with sourcing replacement kit, moving it to the right location or paying for it as that is now the responsibility of the insurance company.
Risk /Ways to deal with it
Transfer of risk /
Merging the concept of a crisis into the concept of risk
Concept map of risk management approaches
Risk management
Risk Management What are we actually managing?
What can go wrong (risk event).
How to minimize the risk event’s impact (consequences).
What can be done before an event occurs (anticipation).
What to do when an event occurs (contingency plans).
What are we managing against?
AS/NZS ISO 31000:2009, Risk management - Principles and guidelines.
Risk Management /What are we managing?
An understanding of risk and the application of risk assessment methodology is essential to being able to efficiently and effectively create a secure computing environment.
Consistent & stable computing environment
Reduction in ambiguity and complexity
Structure
Unfortunately, this is still a challenging area for information professionals due to:
the rate of change in technology, “What is the NEXT?”
the relatively recent advent and explosive growth of the Internet, and
perhaps the prevalence of the attitude (or reality) that assessing risk and identifying return on investment is simply too hard to do.
Why the need to understand risk management?
RISK Management How to go about it
A crisis is an event that occurs at a specific point in time. It is usually something that is unforeseen, public in nature and has the potential to cause great harm to an organisation in terms of finances, revenues, reputation, market positioning and service delivery.
The following are examples of a crisis:
the sudden departure of a long-standing CEO or board chair
fraud – this will impact on trust of donors, funders and stakeholders
accusations of sexual misconduct or abuse
a viral video that compromises the organisation’s credibility.
Crisis Management
RISK Management How to go about it
Identify - Risk identification allows individuals to identify risks so that the operations staff becomes aware of potential problems. Not only should risk identification be undertaken as early as possible, but it also should be repeated frequently.
Analyse and prioritise - Risk analysis transforms the estimates or data about specific risks that developed during risk identification into a consistent form that can be used to make decisions around prioritisation. Risk prioritisation enables operations to commit resources to manage the most important risks.
Plan and schedule - Risk planning takes the information obtained from risk analysis and uses it to formulate strategies, plans, change requests, and actions. Risk scheduling ensures that these plans are approved and then incorporated into the standard day-to-day processes and infrastructure.
Identify, analyse & plan
Information gathering techniques:
Brainstorming
Delphi technique
Interviewing
SWOT
Track and report - Risk tracking monitors the status of specific risks and the progress in their respective action plans. Risk tracking also includes monitoring the probability, impact, exposure, and other measures of risk for changes that could alter priority or risk plans and ultimately the availability of the service. Risk reporting ensures that the operations staff, service manager, and other stakeholders are aware of the status of top risks and the plans to manage them.
Control - Risk control is the process of executing risk action plans and their associated status reporting. Risk control also includes initiating change control requests when changes in risk status or risk plans could affect the availability of the service or service level agreement (SLA).
Learn - Risk learning formalises the lessons learned and uses tools to capture, categorise, and index that knowledge in a reusable form that can be shared with others.
Track, control & learn
Another model
Some form of measurement of risk is necessary. Without a standard of comparison, it’s simply not possible to compare and aggregate risks across the organisation.
Most organisations define scales for rating risks in terms of impact, likelihood, and other dimensions. These scales comprise rating levels and definitions that foster consistent interpretation and application by different constituencies.
The more descriptive the scales, the more consistent their interpretation will be by users. The trick is to find the right balance between simplicity and comprehensiveness.
Risk Assessment /Measurement
Risk Assessment Matrix
Failure Mode and Effects Analysis (FMEA)
Impact × Probability × Detection = Risk Value
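As an added worked example (not part of the slides), the two scoring formulas above applied to a small constructed IS risk register in Python: it assumes 1..5 rating scales, assumed severity-matrix band cut-offs and an assumed band-to-response mapping, and ranks the register for the prioritisation step.

```python
# Added example: scores a constructed IS risk register with the deck's two
# formulas (risk = probability x loss; FMEA value = impact x probability x
# detection), bands each entry on an assumed 5x5 severity matrix and maps the
# band to a response family. Scales, band cut-offs and entries are assumptions.
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (lowest) .. 5 (highest) rating scale

@dataclass
class Risk:
    name: str
    impact: int         # 1..5 consequence if the event occurs
    likelihood: int     # 1..5 how probable the event is
    detection: int      # 1..5, 5 = hardest to detect before it bites (FMEA)
    annual_prob: float  # estimated probability per year (quantitative form)
    loss: float         # estimated loss in currency units if it occurs

def expected_loss(r: Risk) -> float:
    """risk = probability (of the event) x loss (tied to its occurrence)."""
    return r.annual_prob * r.loss

def rpn(r: Risk) -> int:
    """FMEA: Impact x Probability x Detection, so 1..125 on a 1..5 scale."""
    for v in (r.impact, r.likelihood, r.detection):
        if v not in SCALE:
            raise ValueError(f"rating {v} is outside the 1..5 scale")
    return r.impact * r.likelihood * r.detection

def severity_band(r: Risk) -> str:
    """Severity matrix cell from impact x likelihood (assumed cut-offs)."""
    score = r.impact * r.likelihood
    if score >= 15:
        return "Extreme"
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"

def suggested_response(r: Risk) -> str:
    """Response matrix: assumed mapping from severity band to strategy."""
    return {"Low": "accept", "Medium": "mitigate",
            "High": "mitigate or transfer", "Extreme": "avoid"}[severity_band(r)]

def prioritise(register: list) -> list:
    """Prioritisation step: rank the register by FMEA value, highest first."""
    return sorted(register, key=rpn, reverse=True)

# Constructed sample register (illustrative values only, not real data)
REGISTER = [
    Risk("Contractor code defects", 3, 4, 4, 0.5, 80_000),
    Risk("Training clashes with January accounts", 4, 5, 1, 0.8, 20_000),
    Risk("Van accident moving equipment", 2, 1, 1, 0.05, 15_000),
]
```

Note that the FMEA ranking and the severity band can disagree (the training clash is "Extreme" on the matrix but ranks second by FMEA value because it is easy to detect), which is why the deck keeps both views.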
Risk Severity Matrix
Risk Severity Matrix
Risk Response Matrix
Accept risk only when benefits outweigh the cost
Accept no unnecessary risk
Anticipate and manage risk with planning
Make risk decisions at the right levels
Document all risk decisions
Risk Management Principles
Benefits of Risk Management
A proactive rather than reactive approach.
Reduces surprises and negative consequences.
Prepares the project manager to take advantage of appropriate risks.
Provides better control over the future.
Improves chances of reaching project performance objectives within budget and on time.
Risks /Agile
(Make risk planning more ‘visual’)
Risks /Sources
(Supply Chain example)
Terrorism, conflict, and political instability are other potential causes of supply chain disruption. The character of conflict is changing and is often unexpected, resulting in increased disruption.
Risk Sources /Supply Chain Example
(some) Takeaways
Each organisation owns its risks
Each organisation must characterise its risks
Each organisation must analyse its risks
Each organisation must manage its risks
Effective risk management and crisis management starts with the board.
You can’t consistently and effectively manage what you can’t measure and you can’t measure what you haven’t defined.
‘Unknowns’ are the greatest risk.
In essence we have to manage our risks (and technology) before it manages us…
IT risk management does not work "out of the box." It is not a product to purchase or a policy to put in place. Instead, it is a process of business risk management that must be performed on an ongoing basis. It is critical for an organization to continuously examine the risks and security objectives within its business environment, and systematically bake protection into the way it operates.
Gartner Consulting
IT Risk Management
References
Boddy, D, Boonstra, A & Kennedy, G 2002, Managing Information Systems: An organisational perspective, Pearson, Harlow.
Westerman, G & Hunter, R 2007, IT Risk: Turning business threats into competitive advantage, Harvard Business School Press, MA.