iii. Risk



To know risk is to know profit, whereby if one were not to take a risk, profits might not be forthcoming.

What is risk?

Image - Twitter - @InfoSec tweet - Trouble with #risks: we pay attention to the new, while #discounting the familiar, regardless how small the new ones are http://ad.vu/79d4

    Risk is the threat or possibility that an action or event will adversely or beneficially affect the enterprise’s ability to reach its objectives.
    More simply: what is the chance of loss, damage or injury for the company, employee or investor?

Investors define risk as the possibility that the value of their stocks and bonds will go down. Of course, the longer the maturity of a bond (see image below), the greater the risk that the debtor might go out of business before the debt gets repaid.

Here it is also important to address and articulate the amount of risk taking that is acceptable to the organization, and to help staff understand the relative significance of the risks faced by the organization.

Image - FTfm 2010-11-29 graphic - Issuance of bonds with 50 years or more maturity - Despite low yields, investor appetite for these products is unabated. Inflation expectations have pushed up long bond yields, aptly demonstrating one of the risks to long-term nominal bonds - we are at the early stages of a corporate bond bubble

In turn, this allows for more efficient and effective risk management.

Risk means: the product of a hazard (such as damage costs) and the probability that this hazard occurs.

    Calculating risk means: (probability) x (hazard) = risk.

The probability that a threat materializes and the type of hazard involved are two values that either must be known or at least estimated in order to define risk.

Risks that are left untracked can cause serious damage to the firm, for example by becoming part of a litigation case or by contributing to a product flop.

To track and manage risks effectively one must:

    – implement and
    – monitor

the appropriate control and risk indicators that empower one to manage risk mitigation satisfactorily.

CyTRAP Labs and Commetrics provide clients with tools that facilitate the:

    A – better articulating and documenting of the amount of risk taking that is acceptable to the firm, and
    B – more efficient and effective risk management to assure better risk governance

Examples

Image - How the Stuxnet virus works - 1st time a worm has attacked the software that runs industrial operating systems - infects the PC Windows operating system through a USB drive; if it finds the Siemens software it can then reprogram the programmable logic controller (PLC) and send new instructions to the power plant, such as shutting off temperature controls or pressure gauges.

In the health care industry, data services and IT are often outsourced to the firm that submitted the lowest bid. Considering that electronic health cards carry plenty of information, which is then stored at the hospital and at the IT services provider (e.g., on its servers), hospitals have to assess the risk of data security breaches involving patient records.

Improper risk management at the outsourcer and at the hospital that gave the firm patient data to process and administer can be extremely costly when things go wrong:

4 data security breach regulation – Verus Inc – IT service provider had to close

Another example arises because people put far more importance on new risks while discounting familiar ones.

For instance, a plane’s engine failure, as illustrated by the Qantas A380 emergency landing in Singapore after part of the plane’s engine cover fell off mid-flight, is a well-known risk, and a serious one at that.

Because of a recently foiled attempt to use airfreight to ship printer cartridges containing explosives from Oman via Germany to the US, the public and governments are paying much more attention to this new type of risk. Meanwhile, the public is discounting the familiar risk, such as a plane’s engine failure.

In turn, travellers have become supportive of the introduction of strict security measures at airports. These include full-body scanners and controversial profiling techniques intended to identify passengers who pose a terrorist threat.

Finally, each one of us manages risks every day, from what we have for breakfast, to how we commute to and from work, to the risks we take at our workplace. Check out this video.


More resources: Six steps for proper risk assessment and risk management; 2011 trends: Risk management and social media ROI