Risk Management 1


BBA 4226, Risk Management 1

Course Learning Outcomes for Unit I

Upon completion of this unit, students should be able to:

1. Examine the elements of the risk management process.
   1.1 Explain risk management and its benefits to an organization.
   1.2 Describe the risk management process.
   1.3 Explain the roles that security and capacity play within the risk management process.

3. Recommend established risk management methods, tools, and techniques in the analysis and reporting of risk events.
   3.1 Identify the purpose of a risk management methodology.
   3.2 Outline the various risk management methodologies organizations use for risk assessment.

 

Course/Unit Learning Outcomes and Learning Activities

1.1: Chapter 1; Unit I Lesson; Unit I Essay
1.2: Unit I Lesson; Unit I Essay
1.3: Chapter 2; Unit I Lesson; Unit I Essay
3.1: Chapter 1; Unit I Lesson; Unit I Essay
3.2: Unit I Lesson; Unit I Essay

 

Reading Assignment

Chapter 1: Introduction: Why Security and Risk Management Matters
Chapter 2: Security and Capacity

UNIT I STUDY GUIDE

Unit Lesson

Introduction to Risk Management

Risk management is the process that encompasses the identification, analysis, mitigation planning, mitigation implementation, control, and tracking of risks. The need for risk management has increased at all levels of the spectrum. As an example, at the corporate level, risk management is critical for identification and management of corporate risks. At the individual level, risk management is essential for evaluating daily decisions and actions that might result in an undesirable outcome such as a car accident.

The concept of risk management has evolved since its inception in the early 1950s. In 1955, Wayne Snider presented a lecture titled “The Risk Manager” in which he proposed the creation of a specific department that would concentrate on risk prevention within the insurance industry (Snider, 1956). Later in 1956, Gallagher (1956) penned an article outlining the principles of risk management, urging large companies to consider hiring a risk manager. Almost from the inception of risk management, the concept has been associated solely with the insurance industry with very few applications to other fields. In the 1960s, risk management found applications in the fields of economics and finance. Not until the late 1990s and early 2000s was risk management integrated into commercial and retail banking to analyze credit scoring models.

Risk Management Benefits

Implementing a risk management program provides many benefits to an organization. In a nutshell, risk management processes offer a strategic standing on a company’s operations framework for dealing with crises within the organization. There are many considerations for implementing a risk management program within a company.

Financial: A risk management strategy makes a company more appealing to banks and insurance companies. Bankers and insurance brokers manage risk as a profession, and the presence of a risk management plan can increase credit lines and reduce insurance coverage costs. Also, a risk management program can help in providing due diligence in case there is legal action taken against the company.

Resources: When a risk management process is in place—identifying and prioritizing key resources—it improves the resource utilization and the company’s opportunity to properly respond to a crisis. This can save employee hours for core business efforts and can allow response with alternatives that may impact production.

Culture: A risk management program is very telling about a company’s culture. Employees feel more confident and knowledgeable about the expectations and leadership of the organization. By building and maintaining risk planning, the company establishes standards by which performance is evaluated, and demonstrates the company expects and adapts to change.

Risk Management Process

To reach practical and systematic approaches to risk management, organizations need to adopt a standardized risk management process. A standardized approach promotes a shared understanding of the process and risk analysis in the decision-making process.

The risk management process is an iterative process or cycle to manage risks within the context of an organization. The risk management process includes the following steps:

  • defining the context of decisions and related organizational objectives,
  • identifying the risks associated with the organizational objectives,
  • analyzing and assessing the identified risks,
  • developing alternative actions to manage the risks within the context of a cost benefit analysis,
  • making decisions as to the alternatives and implementing the course of action based on those decisions, and
  • monitoring the implemented decision and evaluating the expected results to aid in subsequent risk management decisions.

 

 

 


Risk Management Methodologies

There are different methodologies used for risk assessment. According to the Department of Homeland Security (DHS) (2011), a methodology is a “logical process by which the inputs into an assessment are processed to produce the outputs that inform the decision” (p. 20). Each method needs to be contextual to the needs of the organization.

Asset audit: This approach looks at the assets that are part of the organization and determines the importance and protection of each asset. Usually, an asset is labeled with an asset identification number, asset flow or life cycle, potential threat to the asset, the likelihood of threat to the asset, asset impact analysis, and the relevant safeguards to the asset. This approach is a straightforward method for risk assessment and threat exposure.

Pipeline model: In this approach, risks are assessed in a pipeline, similar to a transaction. The risk pipeline assesses risk based on five mechanisms: active processes, communication processes, data processes, inquiry processes, and access control processes. Each risk pipeline is compared to the organization’s security requirements at each one of the five components.

Attack trees: This approach assesses risk based on who, when, how, why, and what. The top of the chart represents the root or attack while the branches depict the various ways the attacker might attain his or her goal. This method requires that the risk analyst rely on extensive experience and knowledge to be able to identify all possible methods of the attacker.

Security and Risk Management

According to Newsome (2014), when no risks are present, security exists. Risk management does not mean that an organization will avoid adverse effects; however, it enables organizations to focus on those risks that are likely to bring the greatest damage (DHS, 2011).

In essence, security is about managing risks, and risk management is about finding out what those risks are, where they come from, and how to mitigate the risks identified. Thus, security is about ensuring that potential threats or risks are avoided. Security can be viewed from many different levels: personal security, network security, system security, corporate security, and homeland security. Generally, security can be defined as the act of protection against threats. The implementation of security is a very important component of a business continuity plan (BCP) and a national infrastructure protection plan (NIPP) requiring a strategy to support against threats. Risk management strategies provide an organization—and a nation—with a methodology for protection and security.

Figure 1. Risk Management Process (Department of Homeland Security, 2011, p. 15)

 

 

 


Security and Capacity

In the context of security, capacity refers to the ability (in resources) to defend against threats. With the exponential growth of the Internet and all the potential threats introduced by social networking, rich media traffic, and communication applications, organizations must plan for capacity growth in their assets, particularly their information technology (IT) assets to guard against risks.

Summary

Risk management processes are used to mitigate and control risk, but not necessarily to eliminate risks. Standardized risk management principles enable organizational leaders to identify alternatives, assess capabilities, and prioritize company resources associated with potential risks (DHS, 2011). Good risk management practices enhance an organization’s overall decision-making processes by maximizing the ability to reach the company’s objectives.

References

Department of Homeland Security. (2011). Risk management fundamentals: Homeland security risk management doctrine. Retrieved from https://www.dhs.gov/xlibrary/assets/rma-risk-management-fundamentals.pdf

Gallagher, R. B. (1956). Risk management: New phase of cost control. Harvard Business Review, 34(5), pp. 75-86.

Newsome, B. (2014). A practical introduction to security and risk management. Thousand Oaks, CA: Sage.

Snider, H. W. (1956). The risk manager. Insurance Law Journal, 1(1), pp. 119-125.

Software Security Testing Portion


Taking all of the information that was discussed in the software security testing portion of the text this week, along with your own independent research, please prepare a 3-5 page analysis for your CIO which will be used to highlight the two different testing approaches which include penetration testing and vulnerability scanning.

In your analysis, you will need to perform independent research beyond the course text materials in order to discuss and explain the elements of your evaluation.

Your analysis should include the following pieces:

  • What are the differences in the two above approaches?
  • What are the pros and cons of each?
  • What authorization would you need to conduct each?
  • What approach would you recommend in regard to application testing?

Keep in Mind: You will need to perform independent research beyond the course text materials in order to discuss and explain the elements of a comprehensive and well-thought-out position. Consider all facets that are necessary to be proactive and successful in evaluating not only what is happening now, but also the potential future landscape.

Submit

Your final Software Security Testing Analysis should include a cover page, introduction, conclusion, and references. These pages are not included in the total page count needed for this assignment. With your references, plan to put them in APA format. Information on APA formatting can be found through the Maryville University Library Citation Libguide.

Assignment Rubric

Criteria (Full Marks / No Marks)
  • Key Elements: 12 pts / 0 pts
  • Intellectual Property: 2 pts / 0 pts
  • Tone: 2 pts / 0 pts
  • Sentence Structure: 2 pts / 0 pts
  • Grammar: 2 pts / 0 pts

 

Health Regulations and Laws Ramifications

HIM 500 Milestone Two Guidelines and Rubric

Overview: In this milestone, you will submit an analysis of how the company in the case study is noncompliant and the strategies (general, not specifics) to move it toward compliance.

Specifically, the following critical elements must be addressed:

II. Health Regulations and Laws Ramifications: In this section of your final project, you will finish your preparation by reviewing and explaining the ramifications for the organization if it decides to wait on addressing its recent violations regarding technology use.

A. Determine how violating health regulations and laws regarding technology could impact the finances of the institution if these violations are not addressed. Be sure to support your response with examples.

B. Determine how violating health regulations and laws regarding technology could impact the daily operations of the institution if these violations are not addressed. Be sure to support your response with examples.

C. Determine how violating health regulations and laws regarding technology could impact the security of the health information in the institution if these violations are not addressed. Be sure to support your response with examples.

Guidelines for Submission: This milestone must be 1–2 pages in length (plus a cover page and references) and must be written in APA format. Use double spacing, 12-point Times New Roman font, and one-inch margins. All references must be cited in APA format.

Rubric

Critical Elements, rated Proficient (100%), Needs Improvement (75%), or Not Evident (0%), with the value of each:

Health Regulations and Laws Ramifications: Finances (Value: 30)
  • Proficient (100%): Determines how violating health regulations and laws regarding technology might impact the finances of the institution if these violations are not addressed, supporting response with examples
  • Needs Improvement (75%): Determines how violating health regulations and laws regarding technology might impact the finances of the institution if these violations are not addressed, supporting response with examples, but explanation is cursory or illogical, or supporting examples are misaligned
  • Not Evident (0%): Does not determine how violating health regulations and laws regarding technology might impact the finances of the institution if these violations are not addressed

Health Regulations and Laws Ramifications: Daily Operations (Value: 30)
  • Proficient (100%): Determines how violating health regulations and laws regarding technology might impact the daily operations of the institution if these violations are not addressed, supporting response with examples
  • Needs Improvement (75%): Determines how violating health regulations and laws regarding technology might impact the daily operations of the institution if these violations are not addressed, supporting response with examples, but explanation is cursory or illogical, or supporting examples are misaligned
  • Not Evident (0%): Does not determine how violating health regulations and laws regarding technology might impact the daily operations of the institution if these violations are not addressed

Health Regulations and Laws Ramifications: Security (Value: 30)
  • Proficient (100%): Determines how violating health regulations and laws regarding technology might impact the security of the health information in the institution if these violations are not addressed, supporting response with examples
  • Needs Improvement (75%): Determines how violating health regulations and laws regarding technology might impact the security of the health information in the institution if these violations are not addressed, supporting response with examples, but explanation is cursory or illogical, or supporting examples are misaligned
  • Not Evident (0%): Does not determine how violating health regulations and laws regarding technology might impact the security of the health information in the institution if these violations are not addressed

Articulation of Response (Value: 10)
  • Proficient (100%): Submission has no major errors related to citations, grammar, spelling, syntax, or organization
  • Needs Improvement (75%): Submission has major errors related to citations, grammar, spelling, syntax, or organization that negatively impact readability and articulation of main ideas
  • Not Evident (0%): Submission has critical errors related to citations, grammar, spelling, syntax, or organization that prevent understanding of ideas

Total: 100%

 
