
RISK MANAGEMENT CRITERIA

Revised on:

Risk Assessment Technique
The Risk Assessment was based on industry-standard risk assessment methods such as the
Risk Management Guide for Quality Management Systems. The Risk Assessment was done in the
following phases.
1. Facility / Equipment Model: The existing documentation was studied, the concerned people
were interviewed, and a model was drawn up showing the criticality of each risk based on its
severity, detection method and probability-of-occurrence ratings.
2. Reviewing Facility Architecture: The mechanisms and technologies in place were
reviewed and areas of improvement were identified.
3. Understanding the Supply Chain: The company's supply chain mechanism was studied in
depth to evaluate the risks arising from faulty vendor performance, again rated on severity,
detection methods and probability of occurrence.
4. Vulnerability Assessment: This exercise identified the vulnerabilities associated with
the QMS, including facility/equipment availability, maintenance, supplier performance,
delivery of non-conforming product, availability of competent personnel, etc.
5. Risk Analysis: The information collected in the phases above was gathered and analysed,
threat probabilities were identified, and these were combined with the risks and
vulnerability levels.
To identify the Current Risk level (A x B x C), the following are evaluated:
A = Risk Severity
B = Occurrence Probability
C = Duration
For mathematical evaluation, numeric values are assigned to all the parameters as follows:
Very High - 4 (for Duration: between 6 months and 1 year)
High - 3 (for Duration: between 3 and 6 months)
Medium - 2 (for Duration: between 1 and 3 months)
Because all three parameters share one rating scale, the product A x B x C ranges from 1 to 64,
which is exactly the range covered by the CRITERIA FOR RISK score bands.

SCALES USED

Asset Value
The value of the asset in terms of its criticality to the organization's ability
to provide its services in a timely, adequate, and secure manner. The asset values
have been derived from "List of Information Assets.doc".
Very High: A compromise of the confidentiality, integrity or availability of the asset, or a
combination of these, would result in an extremely high financial impact on the organization.
High: A compromise of the confidentiality, integrity or availability of the asset, or a
combination of these, would result in a very high financial impact on the organization.
Medium: A compromise of the confidentiality, integrity or availability of the asset, or a
combination of these, would result in a significant financial impact on the organization.
Low: A compromise of the confidentiality, integrity or availability of the asset, or a
combination of these, would result in a low or negligible financial impact on the organization.

Vulnerability Criticality
The level of impact on the asset if an attack occurred which exploited this specific
vulnerability. The vulnerability criticality values have been derived from the
"Vulnerability Assessment Report.doc".
Very High: Very High Criticality indicates that the attack would allow the attacker to gain
complete control of the system AND/OR lead to total degradation/stoppage of customer service.
This is an attack that allows the attacker to gain full super-user privileges o
High: High Criticality indicates that the attack would allow the attacker to gain complete
control of the system AND/OR lead to severe or substantial degradation/stoppage of customer
service. This is an attack that allows the attacker to gain full super-user p
Medium: Medium Criticality indicates that the attack would allow the attacker to gain some
sort of access to the system, AND/OR lead to some degradation of customer services. This is
usually an attack that allows the attacker to log in with non-super-user privileg
Low: Low Criticality indicates that the attack would only reveal some information that may
then be used to gain further access, but the attack itself would not allow any significant
access to the system. This is usually an information disclosure or banner-grab

Threat Probability
The probability that such an attack would occur, given the compensating controls in place,
the availability of tools for the attack, and the knowledge level the attacker would need.
Very High: Very High Likelihood of occurrence. Threat source is very highly motivated and
extremely capable. Other compensating controls do not exist, or are very weak.
High: High Likelihood of occurrence. Threat source is highly motivated and extremely capable.
Other compensating controls do not exist or are weak.
Medium: Medium Likelihood of occurrence. Threat source is adequately motivated and
sufficiently capable. Other compensating controls are not strong enough.
Low: Low Likelihood of occurrence. Threat source is neither motivated nor capable. Other
compensating controls are adequately strong.

RISK TREATMENT PLAN
Asset: The asset that is affected by this particular vulnerability.
Vulnerability: Vulnerabilities on the mentioned assets that can be exploited.
Risk Rating: The risk calculated from the Risk Assessment Report.
Action: The brief recommendation to address the vulnerability.
Ranking of Risk Treatment: The status of the task - Treat, Transfer, Terminate, Tolerate.
Methodology: Risk Treatment is carried out for risks with a numerical value of 16 or more,
i.e. those rated MEDIUM or higher (under the CRITERIA FOR RISK, 16 is the lower bound of
MEDIUM, so a score of exactly 16 is already not accepted). These risks are treated and proper
corrective measures are initiated so that the residual risk level is brought down to, and
remains, LOW.

CRITERIA FOR RISK

Risk Score (Severity x Probability x Duration):
1 to 15   - Low Risk       - Accepted     - Identified by Yellow Color
16 to 32  - Medium Risk    - Not Accepted - Identified by Red Color
33 to 48  - High Risk      - Not Accepted - Identified by Red Color
49 to 64  - Very High Risk - Not Accepted - Identified by Red Color

Note: The Risk Management Register is to be reviewed every month.
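As an added worked example (this script is not part of the original criteria document and is not the company's own tool), the following Python code applies the scoring rule above to register rows: it validates the three ratings, computes Severity x Probability x Duration, maps the score to the CRITERIA FOR RISK band, flags rows needing treatment, and re-scores the residual risk once revised ratings are entered. Assumptions that the page does not state: the Low rating is taken as 1 (the page lists only 4, 3 and 2, but its band table starts at 1); the residual score reuses the original Duration rating, since the register has revised Severity and revised Probability columns only; the function names and the sample ratings are constructed for this illustration, and only the risk names are taken from the register.

```python
"""Risk score calculator for the criteria above (added example, not from the document)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

# Numeric ratings for Severity, Occurrence Probability and Duration as listed on the page.
# Assumption: Low = 1; the page lists only 4/3/2, but its band table starts at a score of 1.
RATING = {"Very High": 4, "High": 3, "Medium": 2, "Low": 1}

# Score bands from the CRITERIA FOR RISK table: (lower bound, upper bound, label, accepted).
BANDS = (
    (1, 15, "Low", True),
    (16, 32, "Medium", False),
    (33, 48, "High", False),
    (49, 64, "Very High", False),
)


def risk_score(severity: int, probability: int, duration: int) -> int:
    """Current Risk level = A x B x C (Risk Severity x Occurrence Probability x Duration)."""
    for name, value in (("severity", severity), ("probability", probability), ("duration", duration)):
        if value not in RATING.values():
            raise ValueError(f"{name} must be one of {sorted(RATING.values())}, got {value!r}")
    return severity * probability * duration


def classify(score: int) -> Tuple[str, bool]:
    """Map a score to its band label and to whether the criteria accept that risk."""
    for lo, hi, label, accepted in BANDS:
        if lo <= score <= hi:
            return label, accepted
    raise ValueError(f"score {score} is outside 1..64")


def reachable_scores() -> List[int]:
    """Every product of three ratings in 1..4, for checking which band edges can actually occur."""
    return sorted({a * b * c for a, b, c in product(RATING.values(), repeat=3)})


@dataclass
class RegisterRow:
    """One line of the Risk Management Register (only the scored columns)."""
    risk: str
    severity: int
    probability: int
    duration: int
    revised_severity: Optional[int] = None      # filled in once the action has been taken
    revised_probability: Optional[int] = None


def evaluate(row: RegisterRow) -> Dict[str, object]:
    """Compute Overall Risk Value, Rating, treatment need, and residual risk for one row.

    Assumption: the residual score reuses the original Duration rating, because the
    register only has revised Severity and revised Probability columns.
    """
    current = risk_score(row.severity, row.probability, row.duration)
    band, accepted = classify(current)
    result: Dict[str, object] = {
        "risk": row.risk,
        "overall_risk_value": current,
        "rating": band,
        "treatment_required": not accepted,   # score >= 16, i.e. MEDIUM or worse
        "residual_risk_value": None,
        "residual_rating": None,
        "acceptable": accepted,
    }
    if row.revised_severity is not None and row.revised_probability is not None:
        residual = risk_score(row.revised_severity, row.revised_probability, row.duration)
        residual_band, residual_accepted = classify(residual)
        result.update(residual_risk_value=residual, residual_rating=residual_band,
                      acceptable=residual_accepted)
    return result


# Constructed sample rows: the risk names come from the register, the ratings are
# illustrative values chosen for this example, not figures from the document.
SAMPLE_REGISTER = [
    RegisterRow("Deterioration of material / product during storage", 3, 2, 3, 2, 1),
    RegisterRow("Material wrong color code", 2, 2, 2),
    RegisterRow("Inventory not maintained", 4, 3, 3, 3, 2),
    RegisterRow("Stock register not maintained", 2, 4, 2, 2, 2),
]


def evaluate_register(rows: List[RegisterRow] = SAMPLE_REGISTER) -> List[Dict[str, object]]:
    """Score every row; rows whose residual is still not LOW need a further action."""
    return [evaluate(row) for row in rows]


if __name__ == "__main__":
    for line in evaluate_register():
        print(line)
    print("reachable scores:", reachable_scores())
```

Running it makes two points the criteria text leaves implicit: a score of exactly 16 (the fourth sample row) is MEDIUM and therefore not accepted, and an action that lowers both ratings by only one step (the third row, 36 down to 18) leaves the residual risk above the LOW band, so the action has to be revised rather than signed off. reachable_scores() also shows that only 16 distinct scores can occur with three ratings of 1 to 4: inside the 33 to 48 band only 36 and 48 are possible, and inside 49 to 64 only 64.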

SHREERAJ INDUSTRIES
Risk Management Register
Last Review Date:
Next Review Date:


Register columns: Risk | Vulnerability | Threat | Business Impact (on delivery & quality) |
Current Control | API Q1 Cl. no. | Detection Method | Risk Severity Value | Duration Value |
Impact Probability Value | Overall Risk Value | Rating | Action | Revised Impact Severity Value |
Revised Impact Probability Value | Residual Risk Value | Rating | Acceptable (Y/N) |
Risk Management Approval (Y/N)

Row 1
Risk: Deterioration of material / product during storage
Vulnerability: Material getting damaged
Threat: Material shortage
Business Impact: Loss of time and money
Current Control: Procedure for preservation of product
API Q1 Cl. no.: 7.5.5
Detection Method: Periodic surveillance

Row 2
Risk: Material with wrong color code
Vulnerability: Use of wrong material
Threat: Requirements of products not fulfilled
Business Impact: Unsatisfied customer
Current Control: Provide color code on materials
Detection Method: Incoming inspection and periodic checking

Row 3
Risk: Inventory not maintained
Vulnerability: Material not easily obtained
Threat: Delay in production and production planning
Business Impact: Loss of time
Current Control: Inventory control as per procedure
Detection Method: Periodic checking of inventory

Row 4
Risk: Stock register not maintained
Vulnerability: Material not easily obtained and stock of material not identified
Threat: Material shortage
Business Impact: Delay in delivery
Current Control: Verify physical stock and control stock
Detection Method: Periodic verification of stock assessment

Row 5
Risk: Stock assessment not done properly
Vulnerability: Stock not identified
Threat: Material condition and material quantity not identified
Business Impact: Delay in delivery
Current Control: Verify stock for quantity and quality
Detection Method: Periodic stock assessment

(The Severity, Duration, Probability, Overall Risk, Rating, Action, Revised, Residual Risk,
Acceptable and Risk Management Approval columns are blank for every row of the register.)
