ISF Congress Post 5: Expect the worst; Operational risk quantification process

Expect the worst case;

Approach for quantifying operational risks – special focus on cyber security risks

Presentation by Hanno Lenz for the ERGO Insurance group

ERGO splits risk management into three categories / lines of defence;

  • Risk Taker (Owner) – Business line
  • Risk Controller – Risk Management
  • Independent Assurance – Internal Audit


This is then further split into lines of business and risk categories (Strategic Risks, Market and credit risks, operational risks, liquidity risks, reputational risks).

This presentation had some excellent graphics highlighting their risk process: how they move from threats to risks, how they assess the probability and the impact, and then how they derive the actual risk. This process is outlined below.


They created this Security and Continuity Risk management model;

[Image: Security and Continuity Risk management model]

This model for working through from threats to the actual risks;

[Image: model for working through from threats to the actual risks]

The process they follow from threat to actual business risk and impact is outlined in the diagrams below.

Assessing the Probability of the threat occurring;

[Image: assessing the probability of the threat occurring]

Assessing the Impact should the risk occur;

[Image: assessing the impact should the risk occur]

And finally, working out the actual risk by combining the probability with the impact;

[Image: combining the probability with the impact to work out the actual risk]


I think this provides a very good, easy to understand overview of a relatively simple and workable risk assessment process.

Remember that in order for any risk assessment process to succeed and for its results to be worthwhile, you need to ensure the input data is as accurate as possible, and also that the analysis is performed by people with the relevant expertise.

For the inputs, ensure you consult with the business streams and have an in-depth understanding of the organisation: its IT structure, where the data and applications are, the number of employees, office locations etc.  Also ensure you have engaged with the BCM teams to understand recovery requirements and plans, recovery costs, degree of outsourcing etc.

For the outputs, as well as the IT security and BCM teams, ensure you have the right experts for creating realistic examples and actual security scenarios, for estimating the cost of the risk should it occur, and also experts in mathematical modelling so that the results are modelled correctly rather than just estimated.

K
