GROUP 2 REPORT
LEA 13
CHAPTER 5
CONCEPT OF RISK MANAGEMENT
• Is a field of management focusing on risk reduction and analysis,
using different methods and techniques of risk prevention.
• It is a systematic, repetitive set of interconnected activities aimed at
managing potential risk.
• The purpose of risk management is to avoid negative phenomena that
would call for crisis management, and to avoid problems.
The Basic Principle of Risk Management
• Every human activity brings some risk.
• The responsibility for risk management in an organization is distributed
throughout the management.
• In a medium or large organization the responsibility is spread among
individual managers.
• In a small organization the responsibility for risk management is
concentrated at the executive, because it is inefficient to employ a
dedicated full-time risk manager.
• Almost always, risk management is associated with the role of the chief
financial officer, as the impact of risk (damage)
OPERATIONAL TERMINOLOGIES
• Asset => Any real or personal property, tangible or intangible, that
a company or individual owns and that can be given or assigned a
monetary value.
• Consequential => A secondary result ensuing from an action or
decision.
• Cost/benefit analysis => A process in planning related to the
decision to commit funds or assets. It is a systematic attempt to
measure or analyze the value of all the benefits that accrue from
a particular expenditure.
• Criticality => The impact of a loss event, typically calculated as the net cost of the
event.
• Event => Something that happens; a noteworthy happening or experience.
• Goodwill => The value of a business that has been built up through the reputation of
the business concern and its owners.
• Loss event => An occurrence that actually produces a financial loss or negative impact
on assets.
• Natural disaster => A naturally occurring calamitous event bringing great damage or loss.
• Probability => The ratio of the number of outcomes in an exhaustive set of equally likely
outcomes that produce a given event to the total number of possible outcomes.
• Qualitative => Relating to that which is characteristic of something and which makes it
what it is.
• Quantitative => Relating to or concerning the amount of something that can be
measured in numerical terms.
• Risk => The possibility of a loss resulting from a threat, security incident or event.
• Risk analysis => An analytical process to provide information regarding undesirable
events; the process of quantifying the probabilities and expected consequences
for identified risks.
• Risk assessment => The process of assessing security-related risk from internal and
external threats to an entity, its assets or its personnel.
• Security incident => An assault against an employee, customer or supplier on
company property is one example of a security incident.
• Security vulnerability => An exploitable security weakness or deficiency at a facility,
entity or venue, or of a person.
• Site => A specific location that can be designated by longitude and latitude.
• State of the art => The most advanced level of knowledge and technology currently
achieved in any field at any given time.
• Statistics => In security this could represent a collection of quantitative data such as
security incidents, crime reports and related information that, together with other
like information, serve as security-related statistics used for a number of applications,
including risk and vulnerability evaluation.
• Threat => An intent to damage or injure; an indication of something impending.
PHASES OF RISK MANAGEMENT
1. RISK IDENTIFICATION => The process of listing potential risks and their
characteristics; the result should normally be documented in a risk register.
• It is important to remember that risk identification is an iterative process; new risks
can be identified throughout the project life cycle as the result of internal or
external changes to a project.
=Risk essentials=
Risk identification is the first step in risk minimization. If a threat is not found in the
first pass, it should still be caught later, because risk identification is by nature a
non-stop process involving teamwork and communication. The objective is to identify
all possible risks.
• Being vital to the management process, there are some essentials to risk identification:
Team participation
Documentation
Repetition
Roots and symptoms
Approach
Project Definition Rating Index
Event trees
Type of Security Risk
Personal security = property damage, health and life, protection of personal data
Physical security = equipment damage, disruption of objects and systems
Information security risk = breach of data security, network or information system, data abuse or
corruption
Type of Risk Sources
Exposure
Failure
Crisis
Disaster
Opportunity
Attack
Human stupidity
Risk identification techniques
• Documentation review = The standard practice for identifying risk is reviewing project-related documents.
• Information gathering techniques = Techniques used to collect requirements. These include:
a) Brainstorming – groups that focus on identification of risks for the project
b) Delphi technique – a team of experts is consulted anonymously
c) Interviewing – interviews are conducted with stakeholders, experts etc. to identify risks
d) SWOT analysis – understanding and analysis of the internal strengths and weaknesses and the external
opportunities and threats
e) Checklist analysis – a risk checklist helps come up with additional risks for the project
f) Root cause analysis – further used to identify additional risks
g) Assumption analysis – listing the different assumptions of the project and determining their validity,
which further helps in identifying risks for the project
h) Risk register – a living document that is updated regularly over the life cycle of the project
2. Risk Assessment
• Security risk assessment – is the process of assessing key security controls in
applications for security defects and vulnerabilities.
Carrying out a risk assessment allows an organization to view the application
portfolio holistically, from an attacker's perspective.
In risk management, risk analysis exposes the degree of danger that an
organization is facing, which assets are vulnerable to these threats, how high the
probability of a threat is, and what impact it can have on the organization.
Security Risk Assessment
1. Understand the organization and identify the assets.
- Develop an understanding of the organization to be assessed. This includes
consideration of various factors such as hours of operation, type of clients served,
nature of business activity, type of services provided and so on. Then
- Identify the assets of the organization that are at risk to a variety of hazards, such as
people and property.
- People include employees, visitors and any other person who is lawfully present on
the property being assessed.
- Property includes real estate, land and buildings, facilities and many more, as well as
anything that can be stolen, damaged or otherwise adversely affected by a risk event.
2. Specify loss events/vulnerabilities
- Identify the types of events or incidents based on previous incidents at the sites in
the geographical location of the business.
- Loss risk events can fall into three distinct categories:
a) Crimes
b) Non-criminal events
c) Consequential events caused by the enterprise's relationships with other organizations
3. Establish the probability of loss risk and the frequency of events.
- The probability of loss is not based upon mathematical certainty, but upon
the historical data at the site, like events in similar enterprises, political
and social conditions and changes in the economy, as well as other factors that
affect probability. For example, a business that has had criminal activity both at
and around its property will likely have a higher probability of future crime if no
steps are taken to improve security measures. The degree of probability will
affect the decision-making process in determining the appropriate solution to be
applied to the potential exposure.
4. Determine the impact of the events.
- Consider all the potential costs, direct and indirect, and other hidden or less obvious ways in
which a loss risk event impacts an enterprise. Security solutions are still necessary to manage them.
- Direct costs may include:
A. Financial losses associated with the event, like the value of goods lost or stolen
B. Increased insurance premiums for several years after a major loss
C. Deductible expenses on insurance coverage
D. Lost business in the immediate post-event period
E. Labor expenses incurred as a result of the event
F. Management time dealing with the media
G. Punitive damage awards not covered by ordinary insurance
Indirect costs may include:
A. Negative media coverage
B. Long-term negative consumer perception
C. Additional public relations cost to overcome a poor image problem
D. Lack of insurance coverage due to a higher risk category
E. Higher wages needed to attract future employees
F. Shareholder derivative suits for mismanagement
G. Poor employee morale
5. Develop options to mitigate risk
- Options are made available to address the types of loss risk events faced by an
enterprise.
- Security measures, policies and procedures, management practices etc. are the
general categories of security-related options.
6. Study the feasibility of implementing options
- Practical considerations of each option or strategy should be taken into account at
this stage of the security risk assessment. While financial cost is often a factor, the
common consideration is whether the strategy would interfere substantially with the
operation of the enterprise.
7. Perform cost/benefit analysis.
- Considering the cost versus the benefit of a given security strategy, the security
practitioner should determine what the actual costs of implementing a program are
and weigh those costs against the impact of the loss, financial or otherwise.
Security Assessment Tools
Tools used for qualitative and quantitative risk analysis:
• Probability and impact matrix
• Risk data quality assessment
• Probability and impact analysis
• Monte Carlo analysis (simulation technique)
• Decision tree
• Risk register updates
Risk Probability Factors
A set of conditions that will worsen or increase an asset's exposure to risk of loss:
• Physical environment – such as construction, location, composition and configuration
• Social environment – such as demographics and population dynamics
• Political environment – such as the type and stability of government and local law
enforcement
• Historical experience – such as the type and frequency of prior loss events
• Procedures and processes – such as how the asset is used, stored and secured
• Criminal state of the art – such as the type and effectiveness of tools of aggression
• Risk Assessment Matrix
Based on two criteria:
Likelihood – the probability of a risk
Consequences – the severity of the impact caused by the risk
Likelihood of Occurrence
Risk can be classified under one of five categories:
Definite
Likely
Occasional
Seldom
Unlikely
• Consequences
Can be ranked and classified into one of five categories based on how severe the damage is:
Insignificant
Marginal
Moderate
Critical
Catastrophic
• Using the assessment matrix
1. Extreme – denoted with "E" (red cell). These are the most critical risks and should be addressed on a
high-priority basis.
2. High risk – denoted with "H" (pink cell). These also call for immediate action by risk
management.
3. Medium – risks falling on the orange cell, denoted "M". It is best to take some reasonable steps and
develop risk management strategies in time.
4. Low risk – risks falling on the green cell, denoted "L". These can be set aside as they usually do not
pose any significant problem, but they should stay on the watch list that risk monitoring keeps,
since a later reassessment may move them up.
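The seven assessment steps (probability in step 3, impact in step 4, cost/benefit in step 7) and the likelihood-by-consequence matrix above can be worked through end to end on a small risk register. The Python below is an added example written for this page; it is not code from the group's report or from any standard. The E/H/M/L cut-offs on the 5x5 matrix, the annual probability attached to each likelihood category, and every name and cost figure in the sample register are assumptions chosen for illustration. It also carries the register through a Monte Carlo simulation, one of the quantitative tools listed under Security Assessment Tools, to show the bad-year percentile that a single expected-loss figure hides.

```python
"""Risk register, probability-and-impact matrix, annual loss expectancy,
Monte Carlo simulation and cost/benefit check.  Added illustration for this
page; matrix cut-offs, per-category probabilities and all money figures
are assumptions, not values from the report."""
import random
from dataclasses import dataclass

# Category orderings exactly as listed in the report (least to most severe).
LIKELIHOOD = ["Unlikely", "Seldom", "Occasional", "Likely", "Definite"]
CONSEQUENCE = ["Insignificant", "Marginal", "Moderate", "Critical", "Catastrophic"]

# Assumed annual probability for each likelihood category (the report ranks
# likelihood qualitatively; these numbers are invented for the arithmetic).
ANNUAL_PROBABILITY = {"Unlikely": 0.05, "Seldom": 0.15, "Occasional": 0.35,
                      "Likely": 0.65, "Definite": 0.95}

RATING_ORDER = {"E": 0, "H": 1, "M": 2, "L": 3}   # extreme first


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    direct_cost: float    # e.g. value of goods stolen, insurance deductible
    indirect_cost: float  # e.g. PR cost, lost business after the event


def rate(likelihood: str, consequence: str) -> str:
    """Qualitative rating from the 5x5 matrix.  Score is likelihood rank x
    consequence rank (1..25); the E/H/M/L cut-offs are an assumption, the
    report only names the four coloured cells."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)
    if score >= 15:
        return "E"
    if score >= 8:
        return "H"
    if score >= 4:
        return "M"
    return "L"


def criticality(risk: Risk) -> float:
    """Net cost of the loss event: direct plus indirect costs (step 4)."""
    return risk.direct_cost + risk.indirect_cost


def annual_loss_expectancy(risk: Risk) -> float:
    """Expected loss per year = annual probability (step 3) x criticality (step 4)."""
    return ANNUAL_PROBABILITY[risk.likelihood] * criticality(risk)


def prioritised(register: list[Risk]) -> list[Risk]:
    """Order the register as the matrix section prescribes: E, then H, M, L;
    within a rating the larger expected loss comes first."""
    return sorted(register, key=lambda r: (RATING_ORDER[rate(r.likelihood, r.consequence)],
                                           -annual_loss_expectancy(r)))


def monte_carlo_annual_loss(register: list[Risk], years: int = 10_000,
                            seed: int = 1) -> tuple[float, float]:
    """Simulate many years; in each one every risk occurs independently with
    its annual probability.  Returns (mean, 95th percentile) of the yearly
    total: the mean approaches the summed ALE, the percentile shows the bad
    year that an average alone hides."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for r in register:
            if rng.random() < ANNUAL_PROBABILITY[r.likelihood]:
                total += criticality(r)
        totals.append(total)
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years)]


def cost_benefit(risk: Risk, mitigation_cost_per_year: float,
                 new_likelihood: str) -> tuple[float, float]:
    """Step 7: the benefit is the ALE removed by a measure that lowers the
    likelihood category; returns (benefit, net benefit after the measure's cost)."""
    benefit = annual_loss_expectancy(risk) - ANNUAL_PROBABILITY[new_likelihood] * criticality(risk)
    return benefit, benefit - mitigation_cost_per_year


# Constructed sample register; all names and figures are invented.
REGISTER = [
    Risk("Warehouse burglary", "Likely", "Moderate", 40_000, 10_000),
    Risk("Ransomware on file server", "Likely", "Critical", 120_000, 80_000),
    Risk("Vandalism of signage", "Definite", "Insignificant", 1_500, 0),
    Risk("Flood at data centre", "Unlikely", "Catastrophic", 900_000, 300_000),
]

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{rate(r.likelihood, r.consequence)}  {r.name:28s}"
              f" ALE={annual_loss_expectancy(r):>10,.0f}")
    mean, p95 = monte_carlo_annual_loss(REGISTER)
    print(f"simulated yearly loss: mean={mean:,.0f}  p95={p95:,.0f}")
    benefit, net = cost_benefit(REGISTER[0], 15_000, "Seldom")
    print(f"guard patrol vs burglary: benefit={benefit:,.0f}/yr  net={net:,.0f}/yr")
```

Reading the output: the ransomware entry lands in the E cell and heads the list even though the flood has the larger loss, because the matrix weighs likelihood and consequence together; the simulated 95th percentile sits far above the mean because a single flood year dominates; and the patrol example shows step 7 as a number, the ALE removed minus the measure's yearly cost. Swap in the organization's own categories, probabilities and cost estimates from steps 3 and 4 to make the figures meaningful.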
3) Risk Reduction and Mitigation
Risk reduction – is identifying ways to eliminate risk, and includes the possibility that
you avoid an activity because it is too risky, while
Risk mitigation – is identifying ways to execute a strategy to lessen risk, and implies that
you are proceeding with an activity but want to find ways to make it less risky.
Risk reduction and mitigation strategies include:
. Contingency planning
. Hazard prevention
. Likelihood prevention
. Risk avoidance
. Risk transfer
. Risk spreading
. Risk acceptance
Risk reduction and mitigation components
• Threat assessments
- Utilize a number of different data sources to assess real, perceived and conceptual
threats.
• Vulnerability assessments
- The fundamental method in assessing vulnerabilities is the security survey, which is a
tool for collecting information about the facility.
• Crime prevention through environmental design (CPTED)
- Strategies used in support of this concept include natural surveillance, natural access
control and natural territorial reinforcement.
4) Risk Monitoring and Control
• It keeps track of the identified risks, including the watch list; it
monitors trigger conditions for contingencies, monitors residual
risk and identifies new risks arising during project execution; it also
updates the organizational process assets.
Purpose of Risk Monitoring
• To determine whether:
a) risk responses have been implemented as planned;
b) risk response actions are as effective as expected, or whether new
responses should be developed;
c) project assumptions are still valid;
d) a risk trigger has occurred;
e) proper policies and procedures are followed;
f) new risks have occurred that were not previously identified.
Inputs to Risk Monitoring and Control
1. Risk management plan
2. Risk register – contains the outputs of the other processes: identified
risks and their owners, risk responses, triggers and warning signs
3. Approved change requests – these may require new analysis to
consider the impact on the existing plan and to identify new risks and
corresponding responses
4. Work performance information – project status and performance
reports are necessary for risk monitoring and control
Outputs of Risk Monitoring and Control
1. Risk register updates
- Should be updated to include: a) the outcome of risk reassessments, audits and risk reviews;
b) the actual outcome of risks and of risk responses, which become part of the project file to
be used in future projects.
2. Corrective action
- Consists of performing the contingency plan or workaround.
- Workarounds must be properly documented and incorporated into the project plan
and risk response plan.
3. Recommended preventive action
- Used to direct the project towards compliance with the project management plan.
4. Project change requests – implementing contingency plans or workarounds frequently
results in a requirement to change the project.
5. Organizational process asset updates
- Information gained through the risk management process is
collected and kept for use by future projects. Includes templates
for the risk management plan, probability and impact matrix, risk register,
and lessons learned.
6. Project management plan updates
- Updates to the project management plan as a result of approved
change requests.
Risk Monitoring Tools and Techniques
1. Risk reassessment
- Project risk reviews at all team meetings, and major reviews at major milestones. Changes
may require additional qualitative and quantitative risk analysis.
2. Risk audits
- Examine and document the effectiveness of risk response planning and of controlling risk, and the
effectiveness of the risk owner.
3. Variance and trend analysis
- Significant deviations indicate that updated risk identification and analysis should be
performed.
4. Reserve analysis
- Compares the available reserve with the amount of risk remaining at that point, and determines whether
the reserve is sufficient.
5. Status meetings
- Risk management can be addressed regularly by including the
subject in project meetings.
SECURITY RISK EDUCATION
- Is conducted to develop security awareness among employees of the
company; it should cover all employees regardless of rank or
position.
Objectives of Security Risk Education
1. Guidance for all supervisory and executive levels of the organization.
2. A mandatory indoctrination on security for all new personnel before their
assignment to their respective jobs.
3. Development of a high degree of security consciousness among selected supervisors
and other key personnel, in a program that should be continuing and supported by top
management.
4. A down-the-line security program aimed at instilling consciousness and dedication
through various methods of instruction, such as demonstrations, lectures, motivation
and instruction.
5. To let the employee force be informed that they all belong to the organization and that non-
awareness of the security program is tantamount to disloyalty.
6. That the program also develops discipline, loyalty and belongingness.
PHASES OF RISK EDUCATION
1.) Initial interview
- It is in this stage where the interviewer may start providing the
necessary overview of the company's security policies and, at
the same time, of employee accountability and the corresponding
penalties that could result from violations thereof.
2.) Orientation and training
- It is in this stage where new employees receive a detailed presentation of
the personnel security policy. Usually handouts or an employee manual are
distributed for reference.
3.) Refresher conference
- It is designed to remind employees of the company about their
responsibilities, to review the guidelines and policies, and also to cover new and
upcoming regulations.
4.) Security reminders
- A phase that employs an indirect approach to educating the employees,
such as posting security posters and distributing fliers.
5.) Security promotions
- An act emphasizing the role of security in achieving the company's goals
and objectives. It involves securing employee cooperation and support.
SECURITY SURVEY AND INSPECTION
- It may include investigation of alleged or suspected security
violations. Physical security is concerned with fences, entrances and
exits, guards, traffic control and such other physical measures
which, if properly established and maintained, will deny access to
unauthorized persons.
PURPOSE OF SECURITY INSPECTION
- Inspections may be announced or unannounced. The security officer
shall inspect facilities and programs under the security officer's
cognizance as often as necessary to ensure compliance with
the provisions of the applicable standard. The inspection should
result in written inspection reports.
SECURITY SURVEY VS SECURITY INSPECTION
• SECURITY SURVEY
- Is defined as a counterintelligence service to assist heads of office in
determining the security measures required to protect key installations
from possible sabotage, espionage, subversion and unauthorized disclosure of,
or access to, classified information therein.
• SECURITY INSPECTION
- Is a counterintelligence service performed to determine compliance with
established security policies and procedures.
Stages of Security Inspection
1.) Evaluation – The evaluative or fact-finding inspection is generally positive in tone
and promotes liaison and security awareness while taking a broad, general outlook of a
facility or program.
2.) Compliance – The full compliance inspection is generally conducted for enforcement
purposes. It focuses on compliance with established standards or regulations.
3.) Follow-up – Conducted to ensure that the facility officials have complied with
recommendations from an earlier inspection.
4.) After-hours room check – A form of compliance inspection involving areas where
national security information is processed or stored.
5.) Self-inspection – Additionally required of each top-secret control officer and special
security officer, to evaluate all security procedures applicable to their operation.
6.) Close-out – During a close-out inspection it is verified that all classified material has been
removed from every area and container authorized for its storage.
Basic steps in conducting a security inspection
a.) Plan the inspection by determining the scope, type and method.
b.) Upon arrival at the site, and again before departure, the inspector should meet
with the senior manager to discuss the inspection.
c.) After sufficient data is collected, the inspector should analyze all findings
and compare them with the applicable security regulations.
d.) The inspection report should be produced within 10 working days of
completion of the inspection.
Considerations for a Security Inspection
• Preliminary planning
- The first action to be taken by the agent is to prepare for and conduct those preliminary
courses of action that precede the actual conduct of the survey.
- A very important consideration during preliminary planning is the checklist.
• Initial briefing
- After completion of the preliminary stage, the specialist is prepared to visit the office.
• Escort personnel
- It is often desirable, for both the specialist and the office, that an escort accompanies the
specialist during the survey.
• Interior and exterior check
- As soon as possible after the initial briefing, the specialist conducts a tour of the area
surrounding the office.
• History of the unit to be inspected
- When the survey specialist completes his check of the surrounding area, he is ready
to commence the analysis of the office's security program.
• Analyzing existing security measures
- Having completed the preliminaries and determined the level of required security,
the specialist must now ascertain the existing level of security of the installation.
• Final briefing
- The final conference is an oral report to the chief, wherein the specialist determines
whether his tentative recommendations can be realistically implemented.
SECURITY INSPECTION REPORT
• A security inspection is a service performed to determine
compliance with established security policies and procedures, and
is conducted on a recurring schedule or as a follow-up to a security
survey.
ROLE OF THE SECURITY OFFICER IN OFFICES
• With the exception of the office head, the security officer is
more interested in the survey than any other individual in the
office.
• This knowledge enables him to recognize the present hazards in
the area.
AUTHORITY IN CONDUCTING A SECURITY
SURVEY OR INSPECTION
• The unit head may request a survey of his entire office or of a specific function of a
unit within the office.
• It must be remembered that a security survey is not conducted solely for the
purpose of establishing a security program for an office.
Some of the situations under which a security survey may be requested or directed:
1.) Activation of an organization or office
2.) Reactivation of an organization or office
3.) A substantial change to the mission, number of personnel, structure or real estate of
the office
4.) Indication of laxity in the security program, which would indicate the need for a
complete re-evaluation of the security system
5.) When no records exist of a prior survey having been conducted
Security Briefings
1.) Orientation briefing
- A verbal orientation briefing, preferably supplemented with audio-visuals and handouts,
will be effective.
2.) Special briefing
- Conducted as may be necessary, such as when there are special occasions or
incidents.
3.) National security briefing
- These are information security briefings that apply to individuals who handle classified
information.
4.) Special access briefing – These are briefings related to the various special access
programs, such as those administered by higher management or a national office.
Members of the reporting group
• Mark G. Saguibo