
Effective Risk-Based Approach for Business Processes
Enhance your organization's risk management by applying a structured approach to assessing and mitigating vulnerabilities in all business processes. Learn how to standardize risk assessments, adopt numerical scales for risk impact, and calculate overall risk scores efficiently.
Presentation Transcript
Apply a Risk-Based Approach

All business processes have inherent risks, and these should be captured. BUT: risk management is not about doing more work; it is about structuring the work that is done anyway throughout your organisation, being able to quickly find what is needed, making sense of it and making it available to those who need the information.

Each business process already contains activities that map onto the three phases Assess, Mitigate and Monitor:

Information Security: Assess = Vulnerability Analysis; Mitigate = Controls; Monitor = Testing / Scans
Compliance: Assess = Applicability; Mitigate = Policies; Monitor = Reporting
Vendor Management: Assess = Vendor Selection; Mitigate = Contract Management; Monitor = Service Level Performance
Financial Reporting: Assess = Assertions; Mitigate = Controls; Monitor = Testing
Business Continuity Planning: Assess = Impact Analysis; Mitigate = Event Planning; Monitor = Walk-through Exercise

screening for business health
5 Steps in Comparing and Prioritising Risks

Step 1: Standardize Assessments
In order to be able to compare and prioritize risks you need to standardize the risk assessment throughout the company. This is the first step, but on its own it still does not enable you to compare the risks.

[Figure: each risk is rated qualitatively on three dimensions, Assurance of Mitigation, Impact and Likelihood, each as High, Medium or Low.]
Step 2: Adopt a Numerical Scale: Risk Impact
Once a standardized assessment is implemented, the next step is to adopt a uniform numerical scale which will be used to assess risks. Define a standardized assessment regulation and standardized criteria for each of the groups, as in the example here for a major risk impact. Criteria and descriptions need to be adapted to your company.

Impact scale (example): 1-2 Insignificant; 3-4 Minor; 5-6 Moderate; 7-8 Serious; 9-10 Major. Each level has its own criteria for the Financial, Legal, Operational, Regulatory and Strategic risk factors.

Assessment regulation (example)
- Assess each risk factor against the criteria below.
- Do not grant credit for existing controls or mitigating strategies.
- Do not consider how often the impact may occur. Instead, rate as if the factor manifests itself without controls one or more times.
- Only one criterion for an impact level is needed to assess at that level.

Impact is therefore rated as an inherent value; the effect of existing controls is captured separately in the Assurance of Mitigation rating, so it is not counted twice.

Criteria for Major Impacts (example)
- Negative impact on net income over XX TEUR
- Catastrophic impact on financial statements (e.g. critical contractual ratios / covenants are no longer met)
- Liability threats challenge the going concern status
- Regulatory agencies seize control of assets
Step 3: The Risk Score
The risks can now be objectively calculated with an overall risk score which allows you to prioritize. Each of the three dimensions, Assurance of Mitigation, Impact and Likelihood, is rated on the 1-10 scale and the three ratings are multiplied. The assurance score is oriented so that 1 is the most effective mitigation (see Step 5), so weaker mitigation raises the score.

Example: Assurance of Mitigation 7 x Impact 9 x Likelihood 4 = 252
Step 4: Track Risks over Time, Define Tolerance Levels
The risk score now allows you to track risks over time. You can also define certain tolerance levels for each of the risks or for groups of risks. This also allows you to develop action plans which take effect once the risk score leaves the tolerance.

[Chart: Risk Score plotted monthly from Jan to Aug on a 0-150 scale, with a horizontal Tolerance Level line.]
Step 5: The Risk Matrix
In order to have a clear overview of all the risks assessed, they are displayed in a 3-dimensional Risk Matrix with the Risk Impact on the X-axis, the Likelihood on the Y-axis and the Assurance score displayed by colour, where 1 is the most effective.

X-axis, Risk Impact: 2 Insignificant, 4 Minor, 6 Moderate, 8 Serious, 10 Major
Y-axis, Risk Likelihood: 2 Unlikely, 4 Remote, 6 Seldom, 8 Likely, 10 Highly Likely
Colour legend, Assurance score: 1-2, 3-4, 5-6, 7-8, 9-10
Risks R1 to R5 are plotted in the matrix.
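The five steps above can be carried through end to end in a few lines of code. The following is an added example written for this page, not tooling from the presentation: it validates ratings against the uniform 1-10 scale (Step 2), computes the multiplicative score (Step 3), reports tolerance breaches over a monthly history (Step 4) and places each risk in the matrix cell with its assurance colour band (Step 5). The band names are the slide's; the risk names, the tolerance level of 120 and all ratings except the slide's 7 x 9 x 4 worked example are constructed for illustration.

```python
from dataclasses import dataclass

# Impact bands from Step 2 and the matrix axes from Step 5 (1-10 scale).
IMPACT_BANDS = ((1, 2, "Insignificant"), (3, 4, "Minor"), (5, 6, "Moderate"),
                (7, 8, "Serious"), (9, 10, "Major"))
LIKELIHOOD_BANDS = ((1, 2, "Unlikely"), (3, 4, "Remote"), (5, 6, "Seldom"),
                    (7, 8, "Likely"), (9, 10, "Highly Likely"))


def check_scale(value: int) -> int:
    """Reject anything outside the uniform 1-10 integer scale (Step 2)."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"rating {value!r} is not an integer in 1..10")
    return value


def band(value: int, bands) -> str:
    """Map a 1-10 rating onto its named band (e.g. 9 -> 'Major')."""
    check_scale(value)
    return next(label for lo, hi, label in bands if lo <= value <= hi)


@dataclass(frozen=True)
class Assessment:
    """One standardized assessment (Step 1) on the numeric scale (Step 2).

    Impact is rated as if the risk materialises with no controls in place;
    assurance of mitigation is oriented so that 1 is the most effective
    mitigation, so weaker mitigation raises the score (Steps 3 and 5)."""
    impact: int
    likelihood: int
    assurance: int

    def __post_init__(self):
        for v in (self.impact, self.likelihood, self.assurance):
            check_scale(v)

    def score(self) -> int:
        """Step 3: overall risk score = assurance x impact x likelihood."""
        return self.assurance * self.impact * self.likelihood

    def cell(self) -> tuple:
        """Step 5: (impact band, likelihood band, assurance score), where
        the assurance score is what the slide encodes as colour."""
        return (band(self.impact, IMPACT_BANDS),
                band(self.likelihood, LIKELIHOOD_BANDS),
                self.assurance)


def prioritise(risks: dict) -> list:
    """Rank risks by score, highest first (the point of Steps 1-3)."""
    return sorted(((name, a.score()) for name, a in risks.items()),
                  key=lambda pair: pair[1], reverse=True)


def tolerance_breaches(history: list, tolerance: int) -> list:
    """Step 4: months in which the score exceeds the tolerance level,
    i.e. when an action plan takes effect."""
    return [month for month, a in history if a.score() > tolerance]


# Constructed sample data (assumptions for illustration). "Risk 1" uses the
# slide's worked example, 7 x 9 x 4 = 252; the rest is made up.
RISKS = {
    "Risk 1": Assessment(impact=9, likelihood=4, assurance=7),
    "Risk 2": Assessment(impact=6, likelihood=10, assurance=2),
    "Risk 3": Assessment(impact=10, likelihood=2, assurance=9),
}
TOLERANCE = 120  # assumed tolerance level for Risk 1
HISTORY = [  # monthly re-assessments of Risk 1 (constructed)
    ("Jan", Assessment(9, 4, 7)),  # 252: above tolerance, action plan due
    ("Feb", Assessment(9, 4, 5)),  # 180: mitigation improved, still above
    ("Mar", Assessment(9, 3, 4)),  # 108: back within tolerance
]

if __name__ == "__main__":
    for name, score in prioritise(RISKS):
        print(name, score, RISKS[name].cell())
    print("tolerance breaches for Risk 1:", tolerance_breaches(HISTORY, TOLERANCE))
```

Because the score is a product, a risk whose mitigation is rated 1 (most effective) still scores impact x likelihood; the method never drives a captured risk to zero, which is why the tolerance level rather than a zero score is the trigger for action plans.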