
1. RISK MANAGEMENT

1.1. PROCESS AREAS COVERED

1.1.1. IDENTIFICATION AND VALUATION OF SERVICES / SERVICE COMPONENTS
a) Identify all services and service components (assets) within the scope, which includes:

   i.  Services provided by identified units
   ii. Service components and information assets:
       - Paper documents: guidelines, user manuals, etc.
       - Software assets: application software, system software.
       - Physical assets: computer and communication equipment, power supplies.
       - People: personnel, subscribers.

b) Identify the value of each asset using a simple valuation scale in terms of Confidentiality, Integrity and Availability.

c) Identify their owners and locations.

1.1.2. APPROACH TAKEN FOR RISK MANAGEMENT


a) 5 by 5 Risk Prioritization Diagram

The x axis represents the estimated probability of occurrence and is divided into 5 ranges, from Rare (20% and less) to Almost Certain (above 80%).

The y axis represents the potential exposure and ranges from RM0 to RM10 Million.

Each cell is assigned a number for identification and a colour code of green (low), yellow (moderate) or red (high). The cells colour coded red indicate the critical risk area that requires management's utmost attention.

Once the service owner has filled in these two columns (probability and potential impact) in the risk register, the priority column is filled automatically with a number from 1 to 25 (probability rating multiplied by impact rating). The cell colour also appears as green (low), yellow/amber (medium/moderate) or red (high) to indicate the criticality of the risk.

[Figure: Risk Profile, 5 by 5 diagram. Y axis: Potential Impact (RM 0, RM 500K, RM 1Mil, RM 2Mil, RM 5Mil, RM 10Mil). X axis: Probability (0%, 20%, 40%, 60%, 80%, 100%, labelled Rare, Unlikely, Moderate, Likely, Almost Certain). Each cell carries its identification number (the values 10, 15, 20, 25, 12, 16, 20, 12, 15, 10 survive from the extraction) and is colour coded green, yellow or red.]

b) Risk Parameters (Risk Register)

Probability of Occurrence / Frequency Rating (x axis)

  Range         Rating
  0% to 20%     Rare
  21% to 40%    Unlikely / Low probability
  41% to 60%    Moderate / Possible
  61% to 80%    Likely / High probability
  81% to 100%   Almost Certain

Potential Impact Rating (y axis)

  Range                  Rating
  RM 0 to RM 500K        Insignificant
  RM 500K to RM 1Mil     Minor
  RM 1Mil to RM 2Mil     Moderate
  RM 2Mil to RM 5Mil     Major
  RM 5Mil to RM 10Mil    Catastrophic

Impact descriptions:

  Insignificant / Minor / Moderate: Tolerable financial loss, loss of reputation, with or without minor / medium regulatory non-compliance and legal liability.
  Major: Major financial loss, regulatory non-compliance, moderate loss of reputation, moderate legal liability.
  Catastrophic: Huge financial loss (i.e. out of business), total loss of reputation and trust, significant legal and regulatory liability.

Note: Any potential impact of more than RM10 Million is treated as RM10 Million, i.e. it falls in the top (Catastrophic) band.
c) Risk Probability of Occurrence

  Level                        Description
  Rare                         The event may occur only in exceptional circumstances, i.e. 20% or less chance of occurring in the next 12 months.
  Unlikely / Low Probability   The event could occur at some time, i.e. 21% to 40% chance of occurring in the next 12 months.
  Moderate / Possible          The event might occur at some time, i.e. 41% to 60% chance of occurring in the next 12 months.
  Likely / High Probability    The event will probably occur in most circumstances, i.e. 61% to 80% chance of occurring in the next 12 months.
  Almost Certain               The event is expected to occur in most circumstances, i.e. more than 80% chance of occurring in the next 12 months.

The likelihood or probability of each risk occurring is examined according to whether the risk event is considered to be single or continuous in nature. Single events are those that are not currently ongoing but may impact the company as a one-off event in the future. Continuous events are those that are occurring on a daily basis.

To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:

   i.   Threat-source motivation and capability (a threat-source is any circumstance or event with the potential to cause harm to an IT system; common threat sources can be natural, human or environmental)
   ii.  Nature of the vulnerability
   iii. Existence and effectiveness of current controls

d) Risk Probability and Impact Matrix

  Impact \ Probability   Rare       Unlikely / Low   Moderate / Possible   Likely / High   Almost Certain
  Catastrophic           Moderate   Moderate         High                  High            High
  Major                  Moderate   Moderate         Moderate              High            High
  Moderate               Low        Moderate         Moderate              Moderate        High
  Minor                  Low        Low              Moderate              Moderate        Moderate
  Insignificant          Low        Low              Low                   Moderate        Moderate

The following table describes the Risk Level Matrix. The number in each cell is the priority (impact rating x probability rating, 1 to 25); the level is read from the matrix.

  Impact \ Probability   Rare (1)             Unlikely / Low (2)    Moderate / Possible (3)   Likely / High (4)     Almost Certain (5)
  Catastrophic (5)       Moderate  5 x 1 = 5  Moderate  5 x 2 = 10  High      5 x 3 = 15      High      5 x 4 = 20  High      5 x 5 = 25
  Major (4)              Moderate  4 x 1 = 4  Moderate  4 x 2 = 8   Moderate  4 x 3 = 12      High      4 x 4 = 16  High      4 x 5 = 20
  Moderate (3)           Low       3 x 1 = 3  Moderate  3 x 2 = 6   Moderate  3 x 3 = 9       Moderate  3 x 4 = 12  High      3 x 5 = 15
  Minor (2)              Low       2 x 1 = 2  Low       2 x 2 = 4   Moderate  2 x 3 = 6       Moderate  2 x 4 = 8   Moderate  2 x 5 = 10
  Insignificant (1)      Low       1 x 1 = 1  Low       1 x 2 = 2   Low       1 x 3 = 3       Moderate  1 x 4 = 4   Moderate  1 x 5 = 5

Note that the level is a property of the cell, not of the priority number alone: a priority of 4 is Low for Minor x Unlikely but Moderate for Major x Rare and for Insignificant x Likely, so the register must look the level up in the matrix rather than apply a threshold to the product.
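The scoring described in b) to d) above and the acceptance rule in 1.2, as an added example in Python; this is not code from the original document or from Prodata. The band boundaries, the level matrix and the Treat/Accept rule are taken from the tables on this page. Two details the page does not state are assumed: a value that sits exactly on a band boundary (for example 20% or RM 500K) falls into the lower band, and probabilities outside 0 to 100% or negative exposures are rejected. The register entries at the bottom are constructed for illustration.

```python
"""Risk scoring for the 5 by 5 probability / impact matrix.

Added example, not from the original document. Bands, level matrix and the
Treat/Accept rule follow the page; boundary values are assumed to fall into
the lower band, and out-of-range inputs are assumed to be rejected.
"""
from dataclasses import dataclass

# Probability of occurrence (x axis): (upper bound in %, rating, level name).
PROBABILITY_BANDS = (
    (20, 1, "Rare"),
    (40, 2, "Unlikely / Low Probability"),
    (60, 3, "Moderate / Possible"),
    (80, 4, "Likely / High Probability"),
    (100, 5, "Almost Certain"),
)
# Potential impact (y axis): (upper bound in RM, rating, level name).
IMPACT_BANDS = (
    (500_000, 1, "Insignificant"),
    (1_000_000, 2, "Minor"),
    (2_000_000, 3, "Moderate"),
    (5_000_000, 4, "Major"),
    (10_000_000, 5, "Catastrophic"),
)
# "Any potential impact of more than RM10 Million will be considered under RM10 Million."
IMPACT_CAP = 10_000_000

LOW, MODERATE, HIGH = "Low", "Moderate", "High"
# Risk Level Matrix, indexed [impact_rating][probability_rating].
LEVEL_MATRIX = {
    5: {1: MODERATE, 2: MODERATE, 3: HIGH, 4: HIGH, 5: HIGH},        # Catastrophic
    4: {1: MODERATE, 2: MODERATE, 3: MODERATE, 4: HIGH, 5: HIGH},    # Major
    3: {1: LOW, 2: MODERATE, 3: MODERATE, 4: MODERATE, 5: HIGH},     # Moderate
    2: {1: LOW, 2: LOW, 3: MODERATE, 4: MODERATE, 5: MODERATE},      # Minor
    1: {1: LOW, 2: LOW, 3: LOW, 4: MODERATE, 5: MODERATE},           # Insignificant
}
# Criteria for accepting the risk (section 1.2).
ACCEPTANCE = {HIGH: "Treat", MODERATE: "Treat", LOW: "Accept"}


def probability_rating(percent):
    """Map an estimated chance of occurrence in the next 12 months to a 1..5 rating."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability must be within 0..100%, got {percent}")
    for upper, rating, _name in PROBABILITY_BANDS:
        if percent <= upper:  # assumption: boundary value falls into the lower band
            return rating


def impact_rating(rm):
    """Map a potential financial exposure in RM to a 1..5 rating, capping at RM 10 Million."""
    if rm < 0:
        raise ValueError(f"impact must not be negative, got {rm}")
    rm = min(rm, IMPACT_CAP)
    for upper, rating, _name in IMPACT_BANDS:
        if rm <= upper:
            return rating


@dataclass(frozen=True)
class RiskAssessment:
    probability: int   # 1..5
    impact: int        # 1..5
    priority: int      # impact x probability, 1..25 (the register's priority column)
    level: str         # Low / Moderate / High, read from LEVEL_MATRIX
    decision: str      # Treat / Accept


def assess(percent, rm):
    """Fill the priority, level and acceptance columns from the two values the owner enters."""
    p = probability_rating(percent)
    i = impact_rating(rm)
    level = LEVEL_MATRIX[i][p]
    return RiskAssessment(p, i, i * p, level, ACCEPTANCE[level])


def levels_by_priority():
    """Levels reachable from each priority number. Shows the matrix is not a score
    threshold: priority 4 is Low for Minor x Unlikely but Moderate for Major x Rare."""
    out = {}
    for i, row in LEVEL_MATRIX.items():
        for p, level in row.items():
            out.setdefault(i * p, set()).add(level)
    return out


def matrix_is_monotone():
    """Sanity check for any edited matrix: the level must never drop when either
    the probability rating or the impact rating goes up by one."""
    rank = {LOW: 0, MODERATE: 1, HIGH: 2}
    for i in range(1, 6):
        for p in range(1, 6):
            here = rank[LEVEL_MATRIX[i][p]]
            if p < 5 and rank[LEVEL_MATRIX[i][p + 1]] < here:
                return False
            if i < 5 and rank[LEVEL_MATRIX[i + 1][p]] < here:
                return False
    return True


if __name__ == "__main__":
    # Constructed register entries (chance in next 12 months, exposure in RM), not from the page.
    for pct, rm in ((20, 400_000), (55, 12_000_000), (40, 1_000_000), (100, 0)):
        print(pct, rm, assess(pct, rm))
    print("priority -> levels:", levels_by_priority())
    print("matrix monotone:", matrix_is_monotone())
```

`levels_by_priority` is the check to run before replacing the matrix lookup with a threshold on the priority number: as long as some priority maps to more than one level, a threshold would misclassify part of the register. `matrix_is_monotone` catches the commonest editing mistake in such matrices, a cell that rates a more likely or more damaging event lower than its neighbour.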

The following are identified as risks to the implementation / maintenance of the Service Management System in Prodata. The table below describes risks during implementation / maintenance of the SMS.

  DATE IDENTIFIED   INCIDENT                                                                           RISK LEVEL (H/M/L)   MITIGATION ACTIVITY
  1 June 2012       Lack of modules in Landesk for Service Reporting (only covers certain processes)                        Reports generated by Landesk will be verified by the service / process owner.

A mitigation plan will be put in place for each of the risks identified and will be monitored closely throughout the implementation / maintenance of the Service Management System.

The table below describes a summary of risks to services and their mitigation.

1. Service owner: ERP
   Risk to services: SKB system not available (down) or compromised
   Vulnerabilities: Felda group business operation interrupted
   Mitigation:
     1. To have in place a real-time online disaster recovery plan.
     2. Business Continuity annual test.

2. Service owner: Network
   Risk to services: Communication breakdown due to leased line down
   Vulnerabilities: Hardware failure
   Mitigation:
     1. Signed with Telekom in May 2011.
     2. Leased line upgraded to 6MB.

3. Service owner: Managed Enterprise & Desktop Services
   Risk to services: Desktop malfunction due to hard disk failure
   Vulnerabilities:
     1. PC not properly shut down
     2. Old hardware
   Mitigation:
     1. Propose a file server for data backup.
     2. Install UPS at critical PCs.
     3. Execute preventive maintenance.

4. Service owner: Business Application
   Risk to services: Lack of security controls
   Vulnerabilities: Potential business damage
   Mitigation: Introduce ISMS framework to Business Application.

1.2. CRITERIA FOR ACCEPTING THE RISK

Below are the criteria for accepting the risk:

  CRITERIA OF RISK   ACCEPTANCE OF RISK
  High               Treat
  Moderate           Treat
  Low                Accept

Management is responsible for deciding on and reviewing the suitability of the acceptable level of risk from time to time. For the above matrix, management has to draw the line between acceptable and non-acceptable risk, and risk that falls into the non-acceptable band needs to be treated appropriately. Possible treatment actions include:

   i.   applying appropriate controls
   ii.  knowingly and objectively accepting the risk
   iii. avoiding the risk by not engaging in the activities that cause it, e.g. not connecting to the internet
   iv.  transferring the risk to other parties, e.g. insurers, suppliers

A Risk Treatment Plan is produced to extract the non-acceptable risks identified where treatment is required. The subsequent columns should be filled in as part of the treatment process. Implementation of the plan should be monitored and reviewed periodically.
