
Risk Management Models - Article Example

Summary
This article "Risk Management Models" finds out the risk model and how it can be modeled while using crime offenses from the police crime offense department. A detailed risk assessment model was designed and risk assessment sheets are also presented in this paper…

Extract of sample "Risk Management Models"

1.0 Introduction

Risk modeling is very important to any organization. The security forces are tasked with keeping the country secure, hence they should be in a position to effectively predict offences and security risks. There must be a better way of analyzing the current situation and correctly inferring the future state. Law enforcement personnel may have skills and experience, but handling offence risk assessment may prove challenging and unclear to them; conducting risk assessment may require skills and background information that are different from other investigations (Fein et al., 1995). Offenders are becoming more advanced in their activities, inventing unpredictable means to carry them out. This report sought to find out the risk model and how it can be modeled using crime offences from the police crime offence department. The possible security risks are also identified. A detailed risk assessment model was designed, and risk assessment sheets are also presented in this report.

To begin with, we will review various definitions of the term risk. Risk can be explained quantitatively in terms of percentages, or qualitatively in descriptive terms such as low, medium and high. In the security field, risk would be the probability or frequency that a given type of security-related incident would or would not occur at a given site. According to the NGO approach to security, risk is defined as a combination of the impact and likelihood of damage, loss or harm to NGOs from exposure to threats (SAG, 1991). Risk in information security can be defined as unauthorized access, disclosure, modification or destruction of information (Title 44 of the United States Code). Mathematically, risk can be defined as risk = (probability of the accident occurring) x (expected loss in case of the accident) (Dantzing, 1953).
Risk assessment is a process which evaluates the likelihood that a given hazardous environment may contribute to a particular disease or illness. Risk assessment is normally used as a basis for putting in place regulations which protect the public from hazards in air, food, water and the entire environment. The process can also be used to determine how much clean-up is required when contamination already exists. Risk assessment is a systematic examination of all the factors that led to an offender committing the offence, whether this could be solved and, if not, what other steps should be taken to control the risk.

The role of Risk Assessment

Risk assessment plays various roles. For instance, it enables employers to meet their general duty to maintain the safety and health of employees in every area related to work. In the police, for crime control, it enables law enforcers to take the measures which are important to protect the safety and health of their countrymen and themselves. Some of these measures can include preventing occupational risks such as accidents in the organization, and providing information and training to employees. The information may include promotions, and training can involve taking workers to seminars and workshops to learn, and organizing an institution and the means to implement the important measures.

The project risk manager plays the role of providing the overall project risk strategy and organizing the project risk assessment team. In a small organization this can be done by the project manager, while in a medium to large organization a different person should fulfill this role. The organization risk manager should come from outside the organization to achieve objectivity. The role of the project risk management team is mainly to gather and organize the necessary project risk data. The number of people in the team will be determined by the size of the whole project.
These people can be internal to the organization but must have a detailed understanding of the organization's risk management methodology that is applied. The project risk management team reports directly to the project risk manager (Labuschagne 2002).

Security Risk Management (SRM) model

Many researchers have come up with various models for risk assessment and management, where some exist as open source while other models are proprietary. The main aims that all these models address are:

a. Identification of what needs to be protected
b. Examination of the vulnerability and risks (who/what)
c. The implications of the risks/vulnerability if they occur
d. The value to the organization
e. Mitigation of the identified risks

Fig 1 SRM MODEL adapted from the NGO approach to security risk assessment framework (InterAction security Unit)

The SRM model above shows that the location where risk is to be assessed must be identified. Then the possible threats and risks are established, together with the vulnerability of the given item to that risk. This model was defined by the NGOs in risk assessment as a standard model.

The main objective of risk and threat assessment is to provide recommendations that will enable organizations to maximize the protection of confidentiality, integrity and availability while the functionality and usability of the assets are still provided (www.sans.org). Therefore, risk assessment is where internal factors, such as failure to adopt new technological advancement or politics within the organization, are analyzed, while threat assessment covers factors external to the organization, such as monopoly or weather.

1.3 Process of risk and threat assessment

a. Risk assessment

There are two major elements in risk assessment, likelihood and consequence; therefore risk assessment can be defined mathematically as RISK = Consequence x Likelihood.
Likelihood can be defined as an “individual or a group with the motivation and capability for theft or sabotage of assets, or other malevolent acts that would result in loss of assets” (Garcia, 2001, p. 302). Consequence, according to Blades, is the degree of damage that may result in the event of threat occurrence (Blades, n.d. p.38).

There are four steps that should be taken into account when assessing risks in an organization.

1. Identifying Hazards
Step one is identifying hazards and those at risk. This involves finding those things at work that have the potential to cause harm, and identifying employees who may be exposed to the hazards, known as the scope.

2. Evaluating and Prioritizing Risks
Step two is evaluating and prioritizing risks, which basically involves estimating the existing risks and prioritizing them in order of importance. The work to be done to eliminate or prevent risks is vital and thus should be prioritized. The table below illustrates how risks are categorized and prioritized in the assessment process.

3. Identifying the Correct Measures
Deciding on preventive action falls under step three, which involves identifying the correct measures to eliminate or control the risks.

Table 1 Risk Assessment Sheet (SAG 1991)

4. Taking Action
Step four involves taking action by putting in place the preventive and protective means through a prioritization plan, specifying who does what and when.

Step five is the final step, which involves monitoring and reviewing. The assessment should be reviewed now and then to ensure it remains up to date, and it should be revised whenever important changes occur in the organization.

The management of an organization will make decisions on protecting its assets according to this assessment. In risk assessment, both immediate and long-term solutions are recommended by the risk analyst. Risks are described in terms of likelihood and consequences.
In terms of likelihood, a risk can be described at a level of very likely to occur, likely, possible, unlikely, rare or unknown.

Case study

Below is a risk assessment sheet that explains how an organization can assess risk. The figures below show screenshots of Excel data on the risk assessment of various departments in an organization. The major security risks to an organization are fraud, theft, burglary, assault, loss of IT services, fire and flood, among others, as shown in figure 2. Given that risk is defined mathematically as likelihood x consequence, the figure also has the details on the two factors. The type of the risk is either internal or external, where internal means that someone within the organization can trigger the risk occurrence, while an external risk is triggered by someone outside the organization.

Figure 2 risk assessment sheet with risks for an organization (Likelihood and Consequence taken from AS/NZS4360:1999 Appendix E)

This section presents the asset register, which records the cost, value, replacement and level of criticality of a given asset in the event that the risk occurs to the organization. The critical level is rated from 1 to 5, where 1 is a more critical asset that the organization cannot do without. An asset rated 5 is less critical, and once it breaks down it can be replaced later, for example within a month. Assets that enable the organization to deliver its daily services are critical, and a plan to replace them immediately once the risk occurs should be put in place. The figure (fig 3) tabulates the assets; other figures are in the appendix with the details on the organizational assets.

Figure 3 asset register of an organization (Criticality (consequence) taken from AS/NZS4360:1999 Appendix E)

Crime statistics, obtained from East Metropolitan District.
MONTHLY REPORTED CRIME STATISTICS: 2003/04

This section presents a report of crime as reported at the East Metropolitan District police station during 2003/04. Figure 8 in the appendix shows the crimes reported within the period of 12 months. The bar chart below represents the total crime occurrence. In January 2004 there was the highest occurrence of crime. The offences were categorized as offences per person, total property offences and other offences. The meanings of the offences are as defined by the Crime statistics for offences (www.slp.wa.gov.au).

Figure 4 (continuation), showing crime that occurred within 2003 in East Metropolitan District (www.slp.wa.gov.au).

Risk Tolerance

The objective of risk planning is to develop options and plans which will permit an organization to face risks. This enables security forces to be well prepared for offence avoidance. Risk response options can be divided into four categories: transfer, mitigation, acceptance and avoidance. The project manager should decide the conditions under which the strategies will need to be applied, since there are situations when applying a certain strategy to a specific situation may not be right. The responses that must be taken into consideration must be based on three important features:

a. Value of the expected outcome. This is measured as the product of impact dependent on the probability, with the cost of the response.
b. Worst case scenario, that is, the impact combined with the cost of response.
c. Best case scenario. This is a situation in which the event does not occur, and the response impact can be considered.

The risk management plan acts as the basis which allows one to create a synthesis view, i.e. the Risk Response Chart (Figure 3). Another thing that should be kept in mind is that there are situations when certain threats may need more than one strategy.
Risk avoidance is also crucial, because it involves taking actions which will keep the risk from having an impact on the goals of the project. Risk avoidance is accomplished by altering the way in which activities are done, or by altering the goals. If avoidance can be gained at a smaller expense, then this should be the approach taken.

a) Risk Mitigation

Risk management is the culture, processes and structure put in place to manage adverse effects (Standards Australia, 2004a, p. 4). The risk associated with a certain attack on an organization can be reduced by reducing the level of threat to it, by reducing its vulnerability to that threat, or by reducing the effect of an attack should it happen. In any organization, various managers should play a primary role in reducing threat by disrupting, investigating, detaining or removing individuals that threaten the organization. The managers are principally responsible for trying to mitigate the result of an attack through rapid response and recovery. The manager's primary role is to minimize an asset's vulnerability.

An organization that puts in place a sound risk management structure benefits as follows: it will have fewer surprises because it is already prepared for a given risk. When a risk occurs without planning, people tend to shift responsibilities; hence risk mitigation brings about efficient working, informed decision making and enhanced stakeholder relationships. Risk management reduces the chances of self-denial and guilt over responsibilities among management or employees if a disaster occurs without preparation.

Risk Transfer

This describes transferring a project to a third party who has the ability to shield the project, in whole or in part, from risks which can endanger it. This risk transfer comes in the form of a financial plan between the third party and the project, and it includes the insurance premium, the financial guarantee or a contract.
It will have a powerful effect on the chance of a negative event occurring; that is, it will make the best case a bit negative, and it will also have an equal effect on the worst case scenario. This is best used in a scenario where a bad case would cause more damage than the reduction of the quantities which are best.

Risk reduction

This is an important issue that should also be considered. It describes lowering the chances or the impact of an adverse risk occurring. In its extreme, it can mean getting rid of the risk totally, i.e. avoidance. With reduction, it is not difficult to consider only the resultant expected value, because the outcome will remain above a certain amount. Considering the risk management plan, the threat will not be acceptable. In either situation, one will have to make use of another approach, that is, risk assessment.

Risk Acceptance

This involves planning the different ways in which one can deal with an event if it occurs, other than trying to maintain its impact. This strategy may be the choice in cases where the impact of a given risk is known to be contained in a way which is efficient and acceptable.

Conclusion

Risk assessment and threat management are very important to the management of any organization. Security monitoring bodies have a role in ensuring that they stay ahead of the criminals. There should be proper assessment that accurately predicts the future occurrence of offences. These tasks can be done by an independent body which has no interest in the company, or by a task force within the company, depending on the nature of the tie and the available resources. Risk management and threat assessment are aimed at improving the organization's disaster preparedness strategy plans. The assessment report of both risk and threat is used to make decisions on how to invest, where to put the most resources and what can be deferred for the good of the organization.
Most organizations prefer to defer all activities that have been classified as “high risk/threat” and “most likely to occur”, with larger damage to the organizational assets, to a third party such as an insurance company. Law enforcers, on the other hand, ensure close monitoring of ‘high risk risks/threats’ which are ‘most likely’ to occur. Other organizations decide to transfer these risks and threats to insurance companies, who will compensate them in case such risks/threats strike. Risks/threats that are classified as “low risk/threat” and unlikely to occur, with little damage to the company's assets, are mitigated by the companies themselves, where few resources are expended. The data from the organization illustrated in the Excel screenshot shows how an organization can assess the risks. The risks and consequences are given so that an organization can have a proper mechanism to mitigate the risks, to avoid their occurrence, or to respond in the event of risk occurrence.

REFERENCE

David van Dantzing (1953). Wired Magazine, Before the levees break, page 3.
Chadbourne, B.C. (1999). To the Heart of Risk Management: Teaching Project Teams to Combat Risk. Sanders, A Lockheed Martin Company. Proceedings of the 30th Annual Project Management Institute 1999 Seminars & Symposium, Philadelphia, Pennsylvania, USA, October 10-16, 1999.
Fein, R.A., & Vossekuil, B. (1999). Assassination in the United States: An operational study of recent assassins, attackers, and near-lethal approachers. Journal of Forensic Sciences, 50, 321-333.
Canadian Communications Security Establishment (1999). “Threat and Risk Assessment Working Guide”. Retrieved from http://www.cse-cst.gc.ca/en/documents/knowledge_centre/publications/manuals/ITSG-04e.pdf
Fay, J.J. (Ed.). (1993). Encyclopaedia of security management: Techniques and technology. Boston: Butterworth-Heinemann.
Hall, E.M. (1998). Managing Risk – Methods for Software Systems Development. Addison Wesley, ISBN 0-201-25592-8.
Herzog, Pete (2001). “Open-Source Security Testing Methodology Manual”, Version 1.5. Retrieved from http://uk.osstmm.org/osstmm.pdf
Kaye, Krysta (2001). “Vulnerability Assessment of a University Computing Environment”. Retrieved from http://rr.sans.org/casestudies/univ_comp.php
Koller, G. (1999). Risk assessment and decision making in business and industry: A practical guide. CRC Press.
Koller, G. (2000). Risk modelling for determining value and decision making. CRC Press.
Labuschagne, L. (2002). Implementing an Information Technology Project Risk Management Initiative. PMISA, ISBN 0-620-28853-1.
Naidu, Krishni (2001). “How to Check Compliance with your security policy”. Retrieved from http://rr.sans.org/policy/compliance.php
Raytheon (2002). “Risk Management and Security, Analysis of the Risk Assessment Process”. Retrieved from http://www.silentrunner.com/files/whitepaperriskassess.pdf
Standards Australia (2006). HB 167: Security risk management. Sydney: Standards Australia International Ltd.
Sennewald, C.A. (2003). Effective security management (4th ed.). Boston: Butterworth-Heinemann.
Stephanou, Tony (2001). “Assessing and Exploiting the Internal Security of an Organization”. Retrieved from http://rr.sans.org/audit/internal_sec.php
Symantec (January 02, 2002). “Vulnerability Assessment Guide”. Retrieved from http://enterprisesecurity.symantec.com/PDF/167100088_SymVAGuide_WP.pdf
Talbot, J., & Jakeman, M. (2008). SRMBOK: Security risk management body of knowledge (1st ed.). Risk Management Institute of Australia. Carlton, Australia.
Turvey, B.E. (1999b). Inductive criminal profiling. In B. Turvey (Ed.), Criminal profiling (pp. 13–23). San Diego, CA: Academic Press.
Vigilinx (2001). “Security Assessment Methodology”. Retrieved from http://www.vigilinx.com/pdf/50722_White_Paper-SAM.pdf

Appendix

Figure 5 risk assessment sheet, Likelihood and Consequence taken from AS/NZS4360:1999 Appendix E
Figure 6 assessment, Likelihood and Consequence taken from AS/NZS4360:1999 Appendix E
Figure 7 asset register, Criticality (consequence) taken from AS/NZS4360:1999 Appendix E