WEBVTT

00:00:00.950 --> 00:00:02.710
What are we going to do about risk?

00:00:03.070 --> 00:00:07.380
This is where you should look at the risk treatment or risk response options.

00:00:08.710 --> 00:00:11.690
Risk response can be risk acceptance,

00:00:11.940 --> 00:00:15.140
and risk acceptance quite simply says if it happens,

00:00:15.150 --> 00:00:16.920
it happens, we'll pay for it.

00:00:17.640 --> 00:00:22.950
Risk avoidance says we're not going to participate in that risk‑laden activity.

00:00:23.670 --> 00:00:28.520
Risk transference means we'll buy insurance or try to share the risk or,

00:00:28.660 --> 00:00:32.000
in some way, pass the risk off to a third party.

00:00:32.740 --> 00:00:37.580
And risk mitigation or reduction is where we'll use some types of

00:00:37.580 --> 00:00:40.770
controls to reduce the amount of risk we face.

00:00:41.470 --> 00:00:44.530
The important thing is that risk must be owned.

00:00:45.080 --> 00:00:50.340
We come back to that old saying, if it's nobody's job, nobody does it.

00:00:50.960 --> 00:00:56.690
And so the problem we have is that, in many cases with risk ownership,

00:00:56.750 --> 00:01:01.720
we have to have someone accept that they are responsible for the risk.

00:01:02.680 --> 00:01:05.740
Each risk should be communicated to management,

00:01:06.080 --> 00:01:10.400
and a risk owner identified who determines what is the

00:01:10.400 --> 00:01:14.510
appropriate response to that risk, whether to accept,

00:01:14.520 --> 00:01:17.360
avoid, transfer, or reduce the risk.

00:01:18.020 --> 00:01:23.190
Risk acceptance is really defined as the level of risk that senior management,

00:01:23.430 --> 00:01:27.050
representing the risk owner, is willing to tolerate.

00:01:27.820 --> 00:01:29.950
We can see here, for example,

00:01:30.060 --> 00:01:34.440
management says we will set a risk acceptance level of $100,000.

00:01:35.130 --> 00:01:39.290
Any risk which is less than that, such as risk A and C,

00:01:39.570 --> 00:01:43.620
would be quite fine, and even risk D is only at that level,

00:01:43.700 --> 00:01:45.840
so it's an acceptable level of risk.

00:01:46.360 --> 00:01:52.270
But risks B and E exceed what is the acceptable level of risk.

00:01:52.450 --> 00:01:54.700
Now we need to do something about those.

00:01:55.620 --> 00:01:59.600
So we accept the ones that are at or below the risk

00:01:59.600 --> 00:02:02.860
acceptance level, but when it comes to B,

00:02:02.870 --> 00:02:08.840
maybe we actually have to say it's not cost-effective to actually try

00:02:08.840 --> 00:02:12.190
to reduce that risk down to risk acceptance level,

00:02:12.560 --> 00:02:14.700
so maybe we'll just tolerate that.

00:02:14.880 --> 00:02:20.170
A toleration or a tolerance of the risk is where we say yes,

00:02:20.180 --> 00:02:24.150
it exceeds what is my desired risk acceptance level,

00:02:24.160 --> 00:02:26.580
but I will allow that deviation.

00:02:27.840 --> 00:02:32.560
In the case of risk E, maybe we need to reduce that risk.

00:02:33.160 --> 00:02:37.820
In that case, we could do that through new and enhanced controls.

00:02:38.100 --> 00:02:41.610
New and enhanced controls can reduce the risk from what was the

00:02:41.610 --> 00:02:45.050
original risk level down, as we can see, considerably,

00:02:45.530 --> 00:02:48.800
but there is still a level of residual risk which

00:02:48.800 --> 00:02:50.820
exceeds the risk acceptance level.

00:02:51.680 --> 00:02:55.970
Residual risk is defined as the level of risk that remains

00:02:56.300 --> 00:02:59.230
after the implementation of controls.

00:02:59.860 --> 00:03:05.550
The goal of all of our work here in risk management is to ensure that that level

00:03:05.550 --> 00:03:11.060
of residual risk is less than or equal to risk acceptance.

00:03:11.680 --> 00:03:14.160
We saw that in the case, for example,

00:03:14.160 --> 00:03:18.150
of risk E. Even after putting in some controls,

00:03:18.160 --> 00:03:23.510
we are unable to reduce the risk down to an acceptable level.

00:03:24.000 --> 00:03:27.540
So the question comes, maybe that's a risk we should avoid.

00:03:28.110 --> 00:03:32.420
Maybe we should stop manufacturing that product or investing in that

00:03:32.420 --> 00:03:36.890
technology or close that office in a dangerous part of the world,

00:03:36.910 --> 00:03:40.280
and that is what we would call then risk avoidance.

00:03:41.590 --> 00:03:45.740
Risk transference is to transfer some of the risk to another party,

00:03:45.740 --> 00:03:50.660
such as we buy insurance or we share the risk through maybe a joint

00:03:50.660 --> 00:03:53.440
venture where several companies work together.

00:03:54.560 --> 00:03:57.090
We often see this in financial investment.

00:03:57.450 --> 00:04:00.230
Instead of one bank taking all the risk,

00:04:00.240 --> 00:04:03.460
they'll share that risk with a number of other banks as well.

00:04:04.470 --> 00:04:07.050
But then we need to monitor the risk.

00:04:07.490 --> 00:04:11.690
We look at the logs and so we can see what's happening on the systems.

00:04:11.880 --> 00:04:13.410
This is where we can use a tool,

00:04:13.410 --> 00:04:16.790
such as a security information and event management,

00:04:16.790 --> 00:04:18.120
or SIEM, tool,

00:04:18.790 --> 00:04:22.510
and that will gather information from many logs and allow

00:04:22.510 --> 00:04:25.170
us to see what's actually going on.

00:04:25.660 --> 00:04:28.980
We can look at various threat intelligence feeds;

00:04:29.150 --> 00:04:32.600
many of these are commercially available and some even for free.

00:04:33.370 --> 00:04:38.250
We do risk assessments through being able to do a vulnerability

00:04:38.250 --> 00:04:41.870
assessment and see whether or not our level has changed,

00:04:42.290 --> 00:04:44.860
and we can do things like a penetration test,

00:04:45.050 --> 00:04:46.360
try to break in,

00:04:46.520 --> 00:04:50.330
act as if we were a hacker and see whether or not there are

00:04:50.330 --> 00:04:52.660
vulnerabilities we are able to exploit.

00:04:53.650 --> 00:04:58.120
We also monitor for various types of alerts or alarms that

00:04:58.120 --> 00:05:00.670
could indicate some type of a problem.

00:05:02.440 --> 00:05:03.770
The key points review.

00:05:04.520 --> 00:05:08.940
The level of risk acceptance sets out the baseline for

00:05:08.940 --> 00:05:11.420
what is the appropriate level of risk.

00:05:12.370 --> 00:05:18.480
The goal of risk management is to ensure that residual risk is less than or

00:05:18.490 --> 00:05:22.710
equal to the risk acceptance level set by the risk owner.
