Date posted: 20-Jun-2015 | Category: Education | Uploaded by: advance-innovation-group-wwwadvanceinnovationgroupcom
Risk Management Framework
www.sdgc.com SDG Confidential & Proprietary
Introduction
What is Risk?
Risk may be defined as “the threat or probability of an action or event, that may adversely affect an organization's ability to achieve its objectives”.
What is Risk Management?
Risk management is the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of the action or event identified as a risk.
The Risk Framework
Risk Identification
Assess the Possible Impact
Quantify the Risk - Risk Priority Number
Determine Monetary Value
Determine the Current Control
Identify Residual Risk (Revisit RPN)
Determine Monetary Value
Classify Risk Based on Residual RPN
Risk Management Strategy
Risk Treatment Plan
Risk Monitoring & Closure
Risk Identification
Risks shall be identified by examining any activity that may affect the organization's business, reputation, profitability, operations, effectiveness, productivity, etc.
Risk Template columns: Risk Identification | Assess the Possible Impact | Sev | Occ | Det | RPN | Determine Monetary Value | Determine Current Controls | Sev | Occ | Det | Residual RPN | Determine Monetary Value | Classify Risk Based on Residual RPN | Risk Management Strategy | Risk Treatment Plan | Responsibility | Date
Risks entered in the worked example:
Laptop not working
SSO ID requested without BGC being complete
Assess the Possible Impact
The impact of the risk on the desired end result shall be assessed by the respective process owners.
Risk Template (worked example):
Laptop not working | Impact: Project delivery timeline may be impacted
SSO ID requested without BGC being complete | Impact: Breach of compliance
Quantify the Risk - Severity
For every risk event the severity of impact that the risk may have on the desired output shall be identified & captured in the Risk Template.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10
SSO ID requested without BGC being complete | Breach of compliance | Sev 9
Note: To be rated on a scale of 1-10, where 1 means least severe and 10 extremely severe.
Quantify the Risk - Occurrence
The periodicity of occurrence of the identified risk shall be determined and captured.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5
Note: To be rated on a scale of 1-10, where 1 means least frequently occurring and 10 very frequently occurring.
Quantify the Risk - Detection
The probability of detecting the identified risk shall be determined and captured.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4
Note: To be rated on a scale of 1-10, where 1 means easily detectable and 10 non-detectable.
Quantify the Risk - Risk Priority Number
Multiply the Severity (Sev), Occurrence (Occ) and Detection (Det) to get the Risk Priority Number (RPN).
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180
Note: The higher the RPN, the higher the probability of the risk impacting the desired result.
Determine Monetary Value
Every risk shall be captured in terms of the monetary impact associated with it. This can be the cost of replacement, cost of lost opportunities, cost of poor quality, cost of correction and corrective action, cost of prevention and preventive action, cost of repair/rework, etc.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180
Determine the Current Control
The current controls that are in place for avoiding, reducing or transferring the impact/occurrence of the risk event shall be determined.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green)
Identify Residual Risk (Revisit RPN)
Reassign the Severity (Sev), Occurrence (Occ) and Detection (Det) values after the implementation of the current controls.
The new RPN derived as a result is known as the residual risk (residual RPN).
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged | Residual: Sev 6 | Occ 2 | Det 3 | Residual RPN 36
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green) | Residual: Sev 9 | Occ 5 | Det 3 | Residual RPN 135
Determine Monetary Value
The monetary value shall be recalculated after the current controls have been determined.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged | Residual: Sev 6 | Occ 2 | Det 3 | Residual RPN 36
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green) | Residual: Sev 9 | Occ 5 | Det 3 | Residual RPN 135
Classify Risk Based on Residual RPN
Risk shall be classified as Critical, High, Medium or Low based on the residual RPN.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged | Residual: Sev 6 | Occ 2 | Det 3 | Residual RPN 36 | Class: Low
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green) | Residual: Sev 9 | Occ 5 | Det 3 | Residual RPN 135 | Class: High
Risk impact categorization is as follows:
Critical: Residual RPN greater than or equal to 300.
High: Residual RPN from 100 to 299.
Medium: Residual RPN from 60 to 99.
Low: Residual RPN less than 60.
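The scoring and classification steps of this framework, as an added example that is not the deck's own material: RPN = Sev x Occ x Det with the 1-10 scale check, the residual RPN re-rated after current controls, and the Critical/High/Medium/Low thresholds from this slide, run over the deck's two worked rows (re-typed here as constructed input; the RiskEntry type and function names are assumptions of this example).

```python
# Added example, not from the SDG deck: the RPN scoring and residual-RPN
# classification the slides describe, with the deck's two rows as constructed input.
from dataclasses import dataclass

SCALE = range(1, 11)  # Sev, Occ and Det are each rated 1-10


@dataclass
class RiskEntry:
    risk: str
    sev: int  # 1 = least severe, 10 = extremely severe
    occ: int  # 1 = least frequently occurring, 10 = very frequently occurring
    det: int  # 1 = easily detectable, 10 = non-detectable
    control: str = ""     # current control in place, if any
    residual: tuple = ()  # (sev, occ, det) re-rated after the current control


def rpn(sev: int, occ: int, det: int) -> int:
    """Risk Priority Number = Severity x Occurrence x Detection."""
    for name, value in (("Sev", sev), ("Occ", occ), ("Det", det)):
        if value not in SCALE:
            raise ValueError(f"{name}={value} is outside the 1-10 scale")
    return sev * occ * det


def classify(residual_rpn: int) -> str:
    """Deck thresholds: Critical >= 300, High 100-299, Medium 60-99, Low < 60."""
    if residual_rpn >= 300:
        return "Critical"
    if residual_rpn >= 100:
        return "High"
    if residual_rpn >= 60:
        return "Medium"
    return "Low"


def score(entry: RiskEntry) -> dict:
    """Initial RPN, residual RPN (unchanged when no control exists) and class."""
    initial = rpn(entry.sev, entry.occ, entry.det)
    residual = rpn(*entry.residual) if entry.residual else initial
    return {"risk": entry.risk, "rpn": initial,
            "residual_rpn": residual, "class": classify(residual)}


REGISTER = [  # the slides' two worked rows
    RiskEntry("Laptop not working", 10, 10, 3,
              "Replacement system can be arranged", (6, 2, 3)),
    RiskEntry("SSO ID requested before BGC is complete", 9, 5, 4,
              "Request sent only after BGC is cleared (green)", (9, 5, 3)),
]
```

Calling score() on each REGISTER entry reproduces the slide values (300 -> 36 -> Low and 180 -> 135 -> High); a risk with no current control keeps its initial RPN as the residual, so it is classified on the unmitigated figure.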
Risk Management Strategy
The risk management strategy used to handle a particular risk shall be identified as one of the four options given below:
Accept (the risk): Acceptance involves making a conscious decision to accept the outcome should the risk event occur.
Avoid (the risk): The organization may avoid the risk by deciding to stop, postpone, cancel, divert or discontinue an activity that may be the cause of that risk.
Reduce (the risk): Risk may be reduced by implementing controls to do so.
Transfer (the risk): Risk can also be transferred to a third party (an insurance company, a sub-contractor, etc.).
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged | Residual: Sev 6 | Occ 2 | Det 3 | Residual RPN 36 | Class: Low
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green) | Residual: Sev 9 | Occ 5 | Det 3 | Residual RPN 135 | Class: High | Strategy: Reduce
Risk Treatment Plan
The risk treatment plan shall outline the steps, controls, etc. implemented in accordance with the risk management strategy chosen.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged | Residual: Sev 6 | Occ 2 | Det 3 | Residual RPN 36 | Class: Low | Strategy: Accept
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green) | Residual: Sev 9 | Occ 5 | Det 3 | Residual RPN 135 | Class: High | Strategy: Reduce | Treatment plan: BGC clearing date to be a mandatory field on the SSO ID request form
Responsibility
Responsibility for a particular risk treatment plan shall be assigned to identified individuals.
Risk Template (worked example):
Laptop not working | Project delivery timeline may be impacted | Sev 10 | Occ 10 | Det 3 | RPN 300 | Current control: Replacement system can be arranged | Residual: Sev 6 | Occ 2 | Det 3 | Residual RPN 36 | Class: Low
SSO ID requested without BGC being complete | Breach of compliance | Sev 9 | Occ 5 | Det 4 | RPN 180 | Current control: Documented process in place to ensure that the request is sent only after BGC is cleared (green) | Residual: Sev 9 | Occ 5 | Det 3 | Residual RPN 135 | Class: High | Strategy: Reduce | Treatment plan: BGC clearing date to be a mandatory field on the SSO ID request form | Responsibility: XYZ
Risk Monitoring & Closure
Process owners are to revisit the risk register once every month, or sooner, to review the residual RPN. Critical and High risks from all departments (HR, Admin, Technology, etc.) will need to be compiled and sent to the PDQ team for consolidation every quarter. PDQ will present them for quarterly review by Ajay, Deepak, Nag, Kaushal and whoever they feel needs to be part of the review process. Once the risks have been reviewed and actions identified, PDQ will publish an organizational risk register to the relevant stakeholders every quarter.
THANK YOU