RISK MANAGEMENT
1.1. PROCESS AREAS COVERED
1.1.1. IDENTIFICATION AND VALUATION OF SERVICES / SERVICE COMPONENTS
a) Identify all services and service components (assets) within the scope, which includes:
i.
ii.
b) Identify values of the assets using a simple valuation scale in terms of Confidentiality, Integrity and Availability.
The x axis represents the estimated probability of occurrence and is divided into 5 ranges.
Once the service owner has filled in these two columns with the data, the priority column will be automatically filled with numbers from 1 to 25.
The color of the cell will also appear green (low), yellow/amber (medium/moderate) or red (high) to indicate the criticality of the risk.
[Figure: Risk Profile. Y axis: Potential Impact, from RM 0 to RM 10Mil. X axis: Probability, from 0% to 100% (Rare, Unlikely, Moderate, Likely, Almost Certain).]
b) Risk Parameters
| Probability | Description |
|---|---|
| | Rare |
| 21% to 40% | Unlikely, Low probability |
| 41% to 60% | Moderate, Possible |
| 61% to 80% | Likely, High Probability |
| 81% to 100% | Almost Certain |

| Potential Impact | Description |
|---|---|
| | Insignificant |
| RM 500K to RM 1Mil | Minor |
| RM 1Mil to RM 2Mil | Moderate |
| RM 2Mil to RM 5Mil | Major |
| RM 5Mil to RM 10Mil | Catastrophic |

Major financial loss, regulatory non-compliance, moderate loss of reputation, moderate legal liability
Note: Any potential impact of more than RM10 Million will be considered under RM10 Million.
c) Risk Probability of Occurrence
| Description | Risk Description |
|---|---|
| Rare | The event may occur only in exceptional circumstances, i.e. 20% and below chance of occurring in the next 12 months. |
| Unlikely / Low Probability | The event could occur at some time, i.e. 40% and below chance of occurring in the next 12 months. |
| Moderate / Possible | The event might occur at some time, i.e. 60% and below chance of occurring in the next 12 months. |
| Likely / High Probability | The event will probably occur in most circumstances, i.e. 80% and below chance of occurring in the next 12 months. |
| Almost Certain | The event is expected to occur in most circumstances, i.e. more than 80% chance of occurring in the next 12 months. |
The likelihood or probability of each risk occurring is examined according to whether the risk event is considered to be single or continuous in nature. Single events are those that are not currently ongoing but may impact the company as a one-off event in the future. Continuous events are those that are occurring on a daily basis.
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered.
i.
ii.
iii.
| Impact \ Probability | Rare | Unlikely / Low Probability | Moderate / Possible | Likely / High Probability | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic | Moderate | Moderate | High | High | High |
| Major | Moderate | Moderate | Moderate | High | High |
| Moderate | Low | Moderate | Moderate | Moderate | High |
| Minor | Low | Low | Moderate | Moderate | Moderate |
| Insignificant | Low | Low | Low | Moderate | Moderate |
Impact
Catastrophic
(5)
Rare
(1)
Moderate
5X1=5
Unlikely / Low
Probability
(2)
Moderate
5 X 2 = 10
Moderate /
Possible
(3)
High
5 X 5 = 25
Likely / High
Probability
(4)
High
5 X 4 = 20
Almost
Certain
(5)
High
5 X 5 = 25
Major
(4)
Moderate
4X1=4
Moderate
4X2=8
Moderate
4 X 3 = 12
High
4 X 4 = 16
High
4 X 5 = 20
Moderate
(3)
Low
3X1=1
Moderate
3X2=6
Moderate
3X3=9
Moderate
3 X 4 = 12
High
3 X 5 = 15
Minor
(2)
Low
2X1=2
Low
2X2=4
Moderate
2X3=6
Moderate
2X4=8
Moderate
2 X 5 = 10
Insignificant
(1)
Low
1X1=1
Low
1X2=2
Low
1X3=3
Moderate
1X4=4
Moderate
1X5=5
The following are identified as risks to the implementation / maintenance of the Service Management System (SMS) in Prodata. The table below describes risks during implementation / maintenance of the SMS.
| DATE IDENTIFIED | INCIDENT | RISK LEVEL H/M/L | MITIGATION ACTIVITY |
|---|---|---|---|
| 1 June 2012 | Lack of modules in Landesk for Service Reporting (only cope certain processes) | | |
A mitigation plan will be put in place for each of the risks identified and will be monitored closely throughout the implementation / maintenance of the Service Management System.
| NO. | RISK TO SERVICES | VULNERABILITIES | MITIGATION |
|---|---|---|---|
| 1. | ERP | | |
| 2. | Network | Communication breakdown due to lease line down; Hardware failure | |
| 3. | Managed Enterprise & Desktop Services | 2. Old Hardware | |
| 4. | Business Application | | |
1.2. ACCEPTANCE OF RISK

| Risk Level | Action |
|---|---|
| High | Treat |
| Moderate | Treat |
| Low | Accept |
Management is responsible for deciding and reviewing the suitability of the acceptable level of risk from time to time. For the above matrix, management has to draw the line between acceptable and non-acceptable risk. Risks that fall into the non-acceptable category need to be treated appropriately. Possible treatment actions include:
i.
ii.
iii.
iv.
A Risk Treatment Plan is produced to extract the non-acceptable risks identified for which treatment is required. The subsequent column should be filled in as part of the treatment process. Implementation of the plan should be monitored and reviewed periodically.