In this class, Alejandro Orrego, CEO at Pirani, teaches us what is the risk management cycle, what are the phases of the risk cycle, what is the risk treatment, what controls and actions plans are and what they are used for.

Risk management cycle

• Context & Risk identification
  1. Identify context
  2. Identify risks
• Risk Evaluation
  - Measure Risk
• Risk Treatment
  - Risk mitigation
• Monitor & report
• Continuous improvement

Risk Evaluation

Measure Risks

• IMPACT

Impact refers to the potential consequences or effects of a risk event on an organization's objectives. The impact can be positive (an opportunity) or negative (a threat), and can affect various aspects of the organization, such as financial performance, reputation, safety, or environmental factors.

• LIKELIHOOD

Likelihood refers to the probability or chance of a risk event occurring. It is a measure of the frequency or occurrence of the risk, and can be expressed qualitatively (e.g., low, medium, high) or quantitatively (e.g., a percentage or frequency rate).

Risk Treatment

• Avoidance

This involves taking steps to eliminate the risk altogether. For example, if a company decides to avoid the risk of a certain product line, it may choose to discontinue that product line entirely.

• Mitigation

This involves taking steps to reduce the likelihood or impact of the risk. For example, if a company identifies a cybersecurity risk, it may implement additional security measures to reduce the likelihood of a cyber attack.

• Transfer

This involves transferring the risk to another party, such as an insurance company. For example, a company may purchase insurance to transfer the risk of a natural disaster or other event that could result in financial losses.

• Acceptance

This involves accepting the risk without taking any further action. This may be appropriate if the likelihood and impact of the risk are deemed to be low, or if the cost of mitigating the risk is greater than the potential impact.

CONTROLS

In the context of risk management, controls refer to the measures and actions implemented to mitigate or manage risks within an organization. Controls are put in place to minimize the likelihood or impact of potential risks and ensure the achievement of objectives.

Controls can take various forms, including policies, procedures, practices, guidelines, tools, technologies, and other mechanisms designed to identify, assess, monitor, and control risks. They act as safeguards or countermeasures against potential threats or vulnerabilities that could negatively impact an organization's operations, assets, or reputation.

Control categories

1. Preventive controls
   These are measures implemented to prevent risks from occurring or to minimize their likelihood. Examples include access restrictions, training programs, segregation of duties, and physical security measures.
2. Detective controls
   These controls are designed to identify risks or potential issues after they have occurred or are in progress. Examples include security monitoring systems, regular audits, data analysis, and incident reporting mechanisms.
3. Corrective controls
   These controls are put in place to address and rectify risks or issues that have already occurred. They focus on minimizing the impact and restoring normalcy. Examples include backup and recovery systems, incident response plans, and disaster recovery procedures.

Control Robustness level

• Strong or High: Controls classified as strong or high robustness are characterized by their effectiveness in preventing or mitigating risks. These controls are well-designed, properly implemented, and consistently monitored and tested. They exhibit a high level of reliability, accuracy, and efficiency in addressing the identified risks. Strong controls typically have well-documented processes, clear responsibilities, and a comprehensive approach to risk management.
• Moderate: Controls classified as moderate robustness are generally effective but may have some limitations or areas for improvement. They are designed and implemented adequately, but there might be minor gaps or weaknesses that could impact their overall effectiveness. These controls are still capable of providing a reasonable level of risk mitigation, but periodic evaluations and enhancements may be necessary.
• Weak or Low: Controls classified as weak or low robustness have significant weaknesses or limitations that reduce their effectiveness in managing risks. These controls may be poorly designed, inadequately implemented, or lack monitoring and testing mechanisms. They may have notable gaps or vulnerabilities that could be exploited, leading to a higher risk exposure. Organizations should prioritize improving these controls to strengthen their risk management efforts.

10 TIPS FOR GOOD CONTROLS

1. Conduct a comprehensive risk assessment: Start by identifying and assessing the risks your organization faces. Understand the potential impacts and likelihood of each risk. This information will guide the development of controls that are specifically targeted at mitigating those risks.
2. Clearly define control objectives: Clearly articulate the objectives of each control. What risks is it intended to address? What outcomes or results is it expected to achieve? Well-defined objectives help ensure that controls are focused and aligned with the organization's risk management goals.
3. Follow a risk-based approach: Prioritize controls based on the significance and likelihood of associated risks. Focus your resources on controls that address high-impact or high-probability risks. This allows you to allocate your efforts effectively and maximize the impact of your risk management efforts.
4. Involve relevant stakeholders: Engage stakeholders who have a deep understanding of the risks and the business processes involved. Seek input from subject matter experts, process owners, and employees who are directly involved in the areas being controlled. Their insights and expertise will contribute to the development of effective controls.
5. Use industry best practices: Leverage industry standards, frameworks, and guidelines for control design. These resources provide proven methodologies and best practices that can enhance the effectiveness of your controls. Examples include ISO 31000, ISO 27001, COSO ERM, and NIST SP 800-53.
6. Adopt a layered approach: Implement a combination of controls that work together to provide a layered defense against risks. Incorporate preventive, detective, and corrective controls to address risks at different stages and from different angles. This helps create a comprehensive risk management framework.
7. Ensure control feasibility: Consider the practicality and feasibility of implementing the control. Assess whether the control can be effectively executed given available resources, technology, and capabilities. Strive for controls that are realistic, achievable, and sustainable within the organization's context.
8. Regularly review and update controls: Risk landscapes evolve over time, so it's essential to review and update controls periodically. Conduct regular assessments to ensure controls remain effective, aligned with current risks, and updated based on changes in the organization or its environment.
9. Test and monitor controls: Implement mechanisms to test and monitor the effectiveness of controls. Conduct regular audits, assessments, or simulations to evaluate how well the controls are functioning. Establish key performance indicators (KPIs) or metrics to measure the control's performance and monitor deviations or exceptions.
10. Foster a culture of risk awareness: Instill a risk-aware culture throughout the organization. Educate and train employees on risk management principles, their roles in control implementation, and the importance of adhering to controls. Encourage reporting of potential risks or control deficiencies to facilitate timely action.

CONTROLS | Other sources

Information security, cybersecurity and privacy protection — Information security management systems.

ANNEX A Information security controls reference 93 controls in 2022

Action Plans

Action plans are critical in risk management because they outline specific steps to address identified risks.

When risks are identified, simply acknowledging their existence isn't sufficient; you need a clear strategy for how to mitigate or manage them effectively. Action plans provide this strategy.

Here's why action plans are important:

1. Mitigation: Action plans outline proactive measures to reduce the probability or impact of identified risks. By implementing these measures, organizations can minimize the likelihood of adverse events occurring.
2. Response: In the event that a risk materializes, an action plan provides guidance on how to respond swiftly and effectively. Having predefined steps can help mitigate the damage and facilitate a rapid recovery.
3. Accountability: Action plans assign responsibility for risk management tasks to specific individuals or teams within the organization. This ensures that everyone understands their role in managing risks and promotes accountability for implementing the necessary measures.

Action plans are specific strategies or sets of activities designed to address particular risks. They outline what needs to be done, who is responsible, when it should be done, and how it will be accomplished. Action plans are often created in response to identified risks or as part of risk treatment strategies.

Example

Objective: To reduce the impact of extreme weather events on our organization's operations and assets.

1. Risk Assessment and Monitoring:

• Conduct a thorough assessment of our vulnerability to different types of extreme weather events, considering geographical location, historical data, and climate projections.
• Establish a system for ongoing monitoring and analysis of weather patterns and forecasts to anticipate potential risks in advance.

• Identify critical infrastructure, facilities, and assets that are vulnerable to extreme weather events, such as floods, storms, or heatwaves.
• Implement protective measures, such as flood barriers, storm shutters, reinforced roofs, and landscaping strategies to minimize damage and enhance resilience.

• Develop comprehensive emergency response plans tailored to different types of extreme weather scenarios, including evacuation procedures, communication protocols, and resource allocation strategies.
• Conduct regular drills and simulations to test the effectiveness of emergency response plans and ensure that all staff are adequately trained and prepared to respond effectively during crises.

• Establish contingency plans to ensure continuity of critical operations and services during and after extreme weather events, including remote work arrangements, alternate supply chain routes, and backup power sources.
• Identify key suppliers, vendors, and partners that may be impacted by extreme weather events and develop collaborative strategies to minimize disruption to business operations.

• Engage with local communities, government agencies, and other stakeholders to share information about potential risks associated with extreme weather events and collaborate on mitigation and adaptation strategies.
• Participate in community resilience initiatives, such as neighborhood preparedness programs, climate adaptation workshops, and public awareness campaigns to build collective capacity for dealing with extreme weather challenges.

• Regularly review and update the action plan in response to changing weather patterns, emerging risks, and lessons learned from past experiences.
• Foster a culture of innovation and adaptability within the organization, encouraging employees to propose new ideas and solutions for mitigating the impacts of extreme weather events and enhancing resilience over time.

Controls

Controls are mechanisms put in place to manage, mitigate, or eliminate risks. They can include policies, procedures, processes, systems, or other measures that help prevent, detect, or correct problems. Controls can be part of an action plan, but they can also exist independently to manage ongoing risks in an organization's operations. Controls are more general and can encompass a broader range of risk management activities beyond specific action plans.