
CEP Plant Timisoara

Risk Management - Introduction


Overview

› What is risk management
› Principles for a risk management process
› Risk management process steps
› Identification of risks
› Cluster the risks / value assignment
› Risk assessment
› Risk mitigation and monitoring

2 25 May 2018
Bogdan Dragota, © Continental AG
1. What is Risk management

› Risk is the "effect of uncertainty on objectives" (ISO 31000).
› Risk management is the identification, assessment, and prioritization of risks, followed by
the coordinated and economical application of resources to minimize, monitor, and control the
probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
› The objective of risk management is to ensure that uncertainty does not deflect the endeavor
from the business goals.

2. Principles of risk management

› ISO 31000:2009 recommends the following target areas, or principles, that should be
part of the overall risk management process:
› The process should create value for the organization.
› It should be an integral part of the overall organizational process.
› It should factor into the company's overall decision-making process.
› It must explicitly address any uncertainty.
› It should be systematic and structured.
› It should be based on the best available information.
› It should be tailored to the project.
› It must take into account human factors, including potential errors.
› It should be transparent and all-inclusive.
› It should be adaptable to change.
› It should be continuously monitored and improved upon.

3. Risk Management process

› A big question that companies have to deal with is:
› "What is enough security?"
› or "What is our acceptable risk level?"
› The answers to these two questions are inversely related: the more risk a company is
willing to accept, the less security it needs. You cannot know what constitutes enough
security unless you first know your acceptable risk level.
› To set an enterprise-wide acceptable risk level for a company, a few things need to be
investigated and understood:
› the company's legal requirements (federal and state),
› its regulatory requirements,
› its business drivers and objectives,
› and the results of a risk and threat analysis, which the company must carry out.
› These findings are then used to define the company's acceptable risk level,
which is then outlined in security policies, standards, guidelines and procedures.

3. Risk Management process

› Although there are different methodologies for enterprise risk management, the core
components of any risk analysis are the following:
› Identify company assets
› Assign a value to each asset
› Identify each asset's vulnerabilities and associated threats
› Calculate the risk for the identified assets
› Once these steps are finished, the risk analysis team can identify the countermeasures
needed to mitigate the calculated risks, carry out a cost/benefit analysis for those
countermeasures, and report its findings to senior management.
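The four steps above, plus the countermeasure cost/benefit analysis, as a worked example. This is an added illustration, not code from the slides or from Continental. The slides do not say how "calculate the risk" is done; the example assumes the common quantitative model in which single loss expectancy (SLE) is asset value times exposure factor and annualized loss expectancy (ALE) is SLE times the annual rate of occurrence (ARO), and it treats a countermeasure as worthwhile when the ALE it removes exceeds its yearly cost. All assets, threats, countermeasures and numbers are constructed sample data.

```python
"""Quantitative risk analysis: ALE per asset/threat pair, then countermeasure
cost/benefit ranking. Added example; the ALE model below is an assumption,
the slides only say "calculate the risk"."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float  # step 2: value assigned to the asset, in currency units


@dataclass
class Threat:
    asset: str              # name of the Asset this threat applies to
    description: str        # step 3: vulnerability/threat pair
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # expected occurrences per year

    def __post_init__(self):
        # Reject inputs that would silently produce nonsense risk figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"exposure factor out of range: {self.exposure_factor}")
        if self.aro < 0:
            raise ValueError(f"ARO must be non-negative: {self.aro}")


@dataclass
class Countermeasure:
    name: str
    threat: str            # Threat.description it mitigates
    annual_cost: float     # yearly cost of operating the control
    aro_reduction: float   # fraction by which it reduces the ARO (0..1)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return single_loss_expectancy(asset, threat) * threat.aro


def calculate_risks(assets, threats):
    """Step 4: ALE for every identified threat, keyed by threat description."""
    by_name = {a.name: a for a in assets}
    return {t.description: annualized_loss_expectancy(by_name[t.asset], t)
            for t in threats}


def cost_benefit(risks, countermeasures):
    """Rank countermeasures by net yearly benefit (ALE saved minus cost).

    Returns (name, ale_before, ale_after, net_benefit) tuples, best first;
    a negative net benefit means the control costs more than the risk it removes.
    """
    rows = []
    for cm in countermeasures:
        ale_before = risks[cm.threat]
        ale_after = round(ale_before * (1.0 - cm.aro_reduction), 2)
        net = round((ale_before - ale_after) - cm.annual_cost, 2)
        rows.append((cm.name, ale_before, ale_after, net))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def run_example():
    """Constructed sample register for a plant; numbers are illustrative only."""
    assets = [Asset("PLC line controller", 500_000.0), Asset("HR database", 200_000.0)]
    threats = [
        Threat("PLC line controller", "Ransomware on plant network", 0.4, 0.5),
        Threat("HR database", "Unpatched HR web app exposing records", 0.25, 1.0),
    ]
    countermeasures = [
        Countermeasure("Network segmentation and offline backups",
                       "Ransomware on plant network", 30_000.0, 0.8),
        Countermeasure("Managed patching for HR app",
                       "Unpatched HR web app exposing records", 12_000.0, 0.6),
        Countermeasure("Cyber insurance rider",
                       "Ransomware on plant network", 45_000.0, 0.2),
    ]
    risks = calculate_risks(assets, threats)
    return risks, cost_benefit(risks, countermeasures)


if __name__ == "__main__":
    risks, ranked = run_example()
    for desc, ale in risks.items():
        print(f"{desc:45s} ALE = {ale:>10,.2f}")
    print("\nCountermeasures (best net benefit first):")
    for name, before, after, net in ranked:
        verdict = "recommend" if net > 0 else "not worth it"
        print(f"{name:45s} {before:>10,.2f} -> {after:>10,.2f}  net {net:>10,.2f}  {verdict}")
```

The report this produces is the shape of what goes to senior management: each risk with its yearly expected loss, and each proposed control with the loss it avoids, its cost and a recommendation. Controls with a negative net benefit (the insurance rider in the sample) are the ones to drop or renegotiate.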

Risk Mitigation
