Risk Assessment and Treatment Process
ISO20000 Toolkit: Version 10 ©CertiKit
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document
The Risk Assessment and Treatment Process documents how risk assessments will be carried out and the resulting risks treated.
Areas of the standard addressed
The following areas of the ISO/IEC 20000:2018 standard are addressed by this document:
• 6. Planning
  o 6.1 Actions to address risks and opportunities
• 8. Operation of the service management system
  o 8.7 Service assurance
    ▪ 8.7.1 Service availability management
    ▪ 8.7.2 Service continuity management
    ▪ 8.7.3 Information security management
      • 8.7.3.2 Information security controls

General guidance
The intention of this document is to provide a process that can be used for risk assessments that cover the wider SMS as well as the specific service management areas of service availability, service continuity and information security. The risk assessment process underpins much of the ISO/IEC 20000 standard and it is worth spending some time to understand its main points. If you have a corporate risk assessment process within your organization then you should either adopt that or ensure that this process is in harmony with it. There is an international standard for risk management which may be worth obtaining – ISO 31000. This is not required for ISO/IEC 20000 but gives the “official” view of how risk management should be carried out. The important aspects are that you identify, assess and treat the risks, implementing appropriate controls which can be referenced back to the risk(s) they address.
Version 1
Page 2 of 20
[Insert date]
Review frequency
We would recommend that this document is reviewed annually.

Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Risk Assessment and Treatment Process
Version 1

DOCUMENT REF: SMS-DOC-06-2
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction ..... 8
2 Risk assessment and treatment process ..... 9
  2.1 Criteria for performing risk assessments ..... 9
  2.2 Risk acceptance criteria ..... 9
  2.3 Establish the context ..... 10
  2.4 Process diagram ..... 11
  2.5 Identification of risks ..... 12
    2.5.1 Identify risk scenarios ..... 12
    2.5.2 Assess the likelihood ..... 12
    2.5.3 Assess the impact ..... 13
  2.6 Risk analysis and evaluation ..... 14
    2.6.1 Numerical classification ..... 14
    2.6.2 Risk assessment report ..... 15
  2.7 Risk treatment ..... 16
    2.7.1 Risk treatment options ..... 16
    2.7.1 Selection of controls ..... 16
    2.7.2 Risk treatment plan ..... 17
  2.8 Management approval ..... 17
  2.9 Risk monitoring and reporting ..... 17
  2.10 Regular review ..... 18
  2.11 Roles and responsibilities ..... 18
    2.11.1 RACI chart ..... 18
3 Conclusion ..... 19
4 Appendix A: List of typical threats ..... 20

Figures
Figure 1: Risk assessment and treatment process ..... 11
Figure 2: Risk classification matrix ..... 15

Tables
Table 1: Risk or opportunity likelihood guidance ..... 13
Table 2: Risk impact guidance ..... 14
Table 3: RACI matrix ..... 18
Table 4: Typical threats ..... 20
1 Introduction
The effective management of risks to the services it provides has always been a priority for [Organization Name] in order to protect its business and safeguard its reputation in the marketplace. However, there is still much to be gained by [Organization Name] in introducing industry-standard good practice processes, not the least of which is the ability to become more proactive in our approach to risk and to gain and maintain a better understanding of our customers’ needs and plans. Risk is the happening of an unwanted event, or the non-happening of a wanted event, which affects a business in an adverse way. Risk is realised when:
• The objectives of the business are not achieved
• The assets of the business are not safeguarded from loss
• There is non-compliance with organization policies and procedures or external legislation and regulation
• The resources of the business are not utilised in an efficient and effective manner
• The confidentiality, integrity and availability of information is not reliable
It is important that [Organization Name] has an effective risk assessment and treatment process in place to ensure that potential impacts do not become real, or if they do, that contingencies are in place to deal with them. It is important also that the process is sufficiently clear so that successive assessments produce consistent, valid and comparable results, even when carried out by different people.
2 Risk assessment and treatment process

2.1 Criteria for performing risk assessments
There are a number of circumstances in which a risk assessment should be carried out and these will vary in scope. In general, these are as follows:
• A comprehensive risk assessment covering all services as part of the initial implementation of the Service Management System (SMS)
• Updates to the general risk assessment as part of the management review process – this should identify changes to services, threats and vulnerabilities and therefore risk levels
• As part of the management of the availability, continuity and information security of new, existing and soon to be decommissioned services
• As part of projects that involve significant change to the organization, the SMS or its information services
• As part of the change management process when assessing whether proposed changes should be approved
• On major external change affecting the organization which may invalidate the conclusions from previous risk assessments, e.g. changes to relevant legislation
If there is uncertainty regarding whether a risk assessment is appropriate, the organization should err on the side of caution and carry one out.
2.2 Risk acceptance criteria
One of the options when evaluating risks is to do nothing, i.e. to accept the risk. This is a valid approach but must be used with caution. The circumstances under which risks may be accepted must be fully agreed and understood. Criteria for accepting risks will vary according to certain factors, which may change over time. These include the organization’s general or cultural attitude to risk, the prevailing financial climate, legal and regulatory requirements, the current view of top management and the sensitivity of the specific services or business areas within scope. Before carrying out a risk assessment the criteria for accepting risks should be discussed by appropriate people with knowledge of the subject area and, if necessary, top management. This discussion should establish guidelines for the circumstances in which risks will be accepted, i.e. not subjected to further actions. These criteria may be expressed in a number of different ways, depending on the scope of the risk assessment, and may include situations where:
• The cost of an appropriate action is judged to be more than the potential impact
• Known changes will soon mean that the risk is reduced or disappears completely
• The risk is at or lower than a defined threshold, expressed either as a level, e.g. low, or as a quantified amount, e.g. a financial sum
• An area is known to be high risk but also high potential reward, i.e. it is a calculated risk
These acceptance criteria should be documented.
2.3 Establish the context
The overall environment in which the risk assessment is carried out should be described and the reasons for it explained. This should include a description of the internal and external context and any recent changes that affect the likelihood and impact of risks in general. The internal context may include:
• Governance, organizational structure, roles and accountabilities
• Service management policies, objectives and the strategies that are in place to achieve them
• Resources and knowledge available (e.g. capital, time, people, processes, systems and technologies)
• Relationships with, and perceptions and values of, internal stakeholders
• The organization's culture
• Standards, guidelines and models adopted by the organization
• Form and extent of contractual relationships

The external context may include:
• The cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
• Key drivers and trends having an impact on the service management objectives of the organization
• Relationships with, and perceptions and values of, external stakeholders

The scope of the assessment should also be defined. This may be expressed in terms of factors such as:
• Geographical location, e.g. countries, offices, data centres
• Organizational units, e.g. specific departments
• Business processes or activities
• Specific services or groups of services
2.4 Process diagram
The process of risk assessment and treatment is shown in the following diagram:
Figure 1: Risk assessment and treatment process
Each step in this process is described in more detail in the rest of this document. The process makes use of the Risk Assessment and Treatment Tool which is designed to record the results of the risk assessment.
2.5 Identification of risks
The process of identifying risks will consist of the following steps in line with the requirements of ISO/IEC 20000. The starting point for the risk assessment is consideration of the areas within the scope; it may be useful to review the service catalogue which sets out the services provided and other useful information such as service dependencies.

2.5.1 Identify risk scenarios
The identification of risks (whether it is to the SMS, the organization, specific services or some other area within scope) will be performed by a combination of group discussion and interview with the interested parties. Such interested parties will normally include (where possible and depending on the nature of the risk assessment):
• Top management
• Service management process owners and managers
• Manager(s) responsible for the service (service owner)
• Representatives of the people that normally carry out each aspect of the service
• Providers of the inputs to the service
• Recipients of the outputs of the service
• Appropriate third parties with relevant knowledge
• Representatives of those providing supporting services and resources to the service
• Any other party that is felt to provide useful input to the risk identification process
Identified risks will be recorded with as full a description as possible.
2.5.2 Assess the likelihood
An estimate of the likelihood of a risk occurring must be made. This should consider whether it has happened before, either to this organization or similar organizations in the same industry or location and, for risks, whether there exists sufficient motive, opportunity and capability for a threat to be realized. The likelihood of each risk or opportunity should be graded on a numerical scale of 1 (low) to 5 (high). General guidance for the meaning of each grade is given in Table 1. When assessing the likelihood of a risk, existing precautions that are in place should be considered. This may require an assessment to be made as to the effectiveness of existing controls. More detailed guidance may be decided for each grade of likelihood, depending on the subject of the risk assessment.
GRADE | DESCRIPTION | SUMMARY
1 | Improbable | Has never happened before and there is no reason to think it is any more likely now
2 | Unlikely | There is a possibility that it could happen, but it probably will not
3 | Likely | On balance, the risk or opportunity is more likely to happen than not
4 | Very Likely | It would be a surprise if the risk or opportunity did not occur, either based on past frequency or current circumstances
5 | Almost certain | Either already happens regularly, or there is some reason to believe it is virtually imminent
Table 1: Risk or opportunity likelihood guidance
The rationale for allocating the grade given should be recorded to aid understanding and allow repeatability in future assessments.
2.5.3 Assess the impact
An estimate of the impact that the risk being realized could have on the organization should be given. This should consider existing controls that lessen the impact, as long as these controls are seen to be effective. Consideration should be given to the previous analysis of impact that may have been completed as part of one or more business impact assessments. In addition, impact should be considered in the following areas:
• Service quality
• Finance
• Health and safety
• Reputation
• Legal, contractual or organizational obligations

[Note: additional or different impact areas may be considered depending on requirements]

The impact of each risk should be graded on a numerical scale of 1 (low) to 5 (high). General guidance for the meaning of each grade for risks is given in Table 2. More detailed guidance may be defined for each grade of impact, depending on the subject of the risk assessment. The rationale for allocating the grade given should be recorded to aid understanding and allow repeatability in future assessments.
GRADE | DESCRIPTION | IMPACT: SERVICE QUALITY | IMPACT: FINANCIAL VIABILITY | IMPACT: STAFF/PUBLIC WELLBEING | DAMAGE TO REPUTATION | IMPACT OF BREACHING COMPLIANCE OBLIGATIONS
1 | Insignificant | No effect | Very little or none | Very small additional risk | No adverse comment | No implications
2 | Minor | Some local disturbance to normal business operations | Some | Within acceptable limits | Localised discontent | Small risk of not meeting compliance
3 | Significant | Can still deliver product/service with some difficulty | Unwelcome but could be borne | Elevated risk requiring immediate attention | Some internal and external criticism | In definite danger of operating illegally
4 | Major | Business is crippled in key areas | Severe effect on income and/or profit | Significant danger to life | A severe test of customer loyalty | Operating illegally in some areas
5 | Severe | Out of business; no service to customers | Crippling: organization will go out of business | Real or strong potential loss of life | Trust in organization is irreparably damaged | Severe fines and possible imprisonment of staff
Table 2: Risk impact guidance
2.6 Risk analysis and evaluation

2.6.1 Numerical classification
The risk classification used will be the score obtained from multiplying the likelihood that the risk will occur by the impact it is likely to have. Both scales range from 1 to 5, so the minimum score will be 1 and the maximum score will be 25, as shown in the matrix in Figure 2. Each risk will be allocated a classification based on its score as follows:
• HIGH: 12 or more
• MEDIUM: Five to ten inclusive
• LOW: One to four inclusive
Rows: RISK LIKELIHOOD – What are the chances of the risk event happening?
Columns: RISK IMPACT – How severe could the consequences be if the risk event happened?

LIKELIHOOD \ IMPACT | INSIGNIFICANT 1 | MINOR 2 | SIGNIFICANT 3 | MAJOR 4 | SEVERE 5
ALMOST CERTAIN 5 | MEDIUM 5 | MEDIUM 10 | HIGH 15 | HIGH 20 | HIGH 25
LIKELY 4 | LOW 4 | MEDIUM 8 | HIGH 12 | HIGH 16 | HIGH 20
MODERATE 3 | LOW 3 | MEDIUM 6 | MEDIUM 9 | HIGH 12 | HIGH 15
UNLIKELY 2 | LOW 2 | LOW 4 | MEDIUM 6 | MEDIUM 8 | MEDIUM 10
RARE 1 | LOW 1 | LOW 2 | LOW 3 | LOW 4 | MEDIUM 5
Figure 2: Risk classification matrix
[Note – you may decide to change the definition of high, medium and low classifications based on your general risk appetite, e.g. you may decide that only risks with a score of 16 or more will be classified as high.]

The purpose of risk evaluation is to decide which risks can be accepted and which risks need to have some action taken relating to them. This should consider the risk acceptance criteria established for this specific risk assessment (see Risk acceptance criteria, section 2.2). The matrix in Figure 2 shows the classifications of risk, where green (the LOW cells) indicates that the risk is below the acceptable threshold. The orange and red areas (MEDIUM and HIGH) generally indicate that a risk does not meet the acceptance criteria and so is a candidate for treatment. Risks will be prioritized for action according to their score and classification, so that very high scoring ones are recommended to be addressed before those with lower levels of exposure for the organization.
2.6.2 Risk assessment report
The output from the risk analysis and evaluation stage is the risk assessment report. This shows the following information:
• Risk scenario descriptions
• Controls currently implemented
• Likelihood (including rationale)
• Impact (including rationale)
• Score
• Classification
• Risk Owner
• Whether the risk is accepted or needs treatment
This report is input to the risk treatment stage of the process and must be signed off by top management before continuing.
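The scoring rule in 2.6.1 and the report contents in 2.6.2, worked through as an added Python example that is not part of the CertiKit template: it rebuilds the Figure 2 matrix from the likelihood × impact rule, keeps the HIGH/MEDIUM/LOW thresholds configurable as the note under Figure 2 allows, and produces a report ordered by score with an acceptance decision against a level-based criterion of the kind described in 2.2. The risks, controls, grades and owners in demo() are constructed sample data; the function and field names are this example's own.

```python
"""Risk scoring, classification and reporting per sections 2.5.2, 2.5.3, 2.6.1 and
2.6.2: score = likelihood x impact (each graded 1 to 5), classified LOW (1 to 4),
MEDIUM (5 to 10) or HIGH (12 or more). Added example, not part of the CertiKit template."""
from dataclasses import dataclass

# Grade labels taken from Table 1 and Table 2 of the process.
LIKELIHOOD_GRADES = {1: "Improbable", 2: "Unlikely", 3: "Likely", 4: "Very Likely", 5: "Almost certain"}
IMPACT_GRADES = {1: "Insignificant", 2: "Minor", 3: "Significant", 4: "Major", 5: "Severe"}
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def _check_grade(name, grade):
    # Both scales are integers from 1 (low) to 5 (high); reject anything else.
    if not isinstance(grade, int) or not 1 <= grade <= 5:
        raise ValueError(f"{name} grade must be an integer from 1 to 5, got {grade!r}")
    return grade


@dataclass(frozen=True)
class Thresholds:
    """Section 2.6.1 defaults. No product of two 1-to-5 grades equals 11, so 'HIGH: 12
    or more' and 'MEDIUM: 5 to 10' leave no gap; high_from=16 gives the note's variant."""
    high_from: int = 12
    medium_from: int = 5

    def __post_init__(self):
        if not 1 < self.medium_from < self.high_from <= 25:
            raise ValueError("need 1 < medium_from < high_from <= 25")

    def classify(self, score):
        if score >= self.high_from:
            return "HIGH"
        if score >= self.medium_from:
            return "MEDIUM"
        return "LOW"


def risk_score(likelihood, impact):
    """Numerical classification (2.6.1): product of the two grades, 1 to 25."""
    return _check_grade("likelihood", likelihood) * _check_grade("impact", impact)


def classification_matrix(thresholds=Thresholds()):
    """Rebuild Figure 2: rows are likelihood 5 down to 1, columns impact 1 to 5,
    each cell a (score, classification) pair."""
    return {lik: {imp: (risk_score(lik, imp), thresholds.classify(risk_score(lik, imp)))
                  for imp in range(1, 6)}
            for lik in range(5, 0, -1)}


@dataclass
class Risk:
    """The inputs behind one row of the risk assessment report (2.6.2)."""
    scenario: str
    current_controls: str
    likelihood: int
    likelihood_rationale: str
    impact: int
    impact_rationale: str
    owner: str


def risk_assessment_report(risks, thresholds=Thresholds(), accept_up_to="LOW"):
    """Score and classify each risk, decide acceptance against a level-based criterion
    (2.2: 'at or lower than a defined threshold, e.g. low') and order by exposure (2.6.1)."""
    if accept_up_to not in LEVEL_RANK:
        raise ValueError(f"accept_up_to must be one of {sorted(LEVEL_RANK)}")
    rows = []
    for r in risks:
        s = risk_score(r.likelihood, r.impact)
        level = thresholds.classify(s)
        rows.append({
            "scenario": r.scenario, "controls": r.current_controls,
            "likelihood": f"{r.likelihood} ({LIKELIHOOD_GRADES[r.likelihood]}): {r.likelihood_rationale}",
            "impact": f"{r.impact} ({IMPACT_GRADES[r.impact]}): {r.impact_rationale}",
            "score": s, "classification": level, "owner": r.owner,
            "decision": "Accepted" if LEVEL_RANK[level] <= LEVEL_RANK[accept_up_to] else "Treat",
        })
    rows.sort(key=lambda row: row["score"], reverse=True)  # highest exposure first
    return rows


def demo():
    """Constructed sample risks (scenarios adapted from Appendix A; the rest invented)."""
    risks = [
        Risk("Denial of service attack on the ecommerce website", "Upstream DDoS scrubbing",
             3, "Attempted twice in the last year", 4, "Online sales halted", "Head of Digital"),
        Risk("Key server has a processor failure", "Support contract, spares on site",
             2, "No failure in five years", 2, "Local disturbance only; failover exists", "Hosting Lead"),
        Risk("Employee accidentally deletes the customer database", "Nightly backups, restore tested",
             1, "Never happened; deletion rights tightly limited", 3, "Degraded until restore", "Data Manager"),
    ]
    return risk_assessment_report(risks)
```

Running demo() returns the three rows ordered 12 (HIGH, Treat), 4 (LOW, Accepted), 3 (LOW, Accepted); passing Thresholds(high_from=16) to classification_matrix() moves the 12 and 15 cells of Figure 2 into MEDIUM.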
2.7 Risk treatment
For those risks that are judged to be above the threshold for acceptance by [Organization Name], the options for treatment will then be explored.

2.7.1 Risk treatment options
The following options may be applied to the treatment of the identified unacceptable risks:
• Apply appropriate controls to lessen the likelihood and/or impact of the risk
• Avoid the risk by taking action that means it no longer applies
• Transfer the risk to another party, e.g. insurer or supplier

Judgement will be used in the decision as to which course of action to follow, based on a sound knowledge of the circumstances surrounding the risk, e.g.:
• Business strategy
• Regulatory and legislative considerations
• Technical issues
• Commercial and contractual issues
The Risk Manager will ensure that all parties who have an interest or bearing on the treatment of the risk are consulted.
2.7.1 Selection of controls
The intention of the application of controls is to reduce the likelihood or impact (or both) of a risk. These controls may be technical, physical or administrative. Annex A of the ISO/IEC 27001:2013 information security standard or similar best practice documentation may be used as the starting point for the identification of appropriate controls to address the availability, continuity and information security risk treatment requirements identified as part of the risk assessment exercise.

2.7.2 Risk treatment plan
The evaluation of the treatment options will result in the production of the risk treatment plan which will detail:
• Risks above the acceptance threshold
• Services affected (if applicable)
• Recommended treatment option
• Control requirements
This document will be input to the next stage in the process where controls will be selected to meet the identified requirements.
2.8 Management approval
At each stage of the risk assessment process management will be kept informed of progress and decisions made, including formal signoff of the proposed residual risks. Management will approve the following documents:
• Risk Assessment Report
• Risk Treatment Plan
Signoff will be indicated according to [Organization Name] documentation standards. In addition to overall management approval, each treatment should be signed off by the relevant risk owner.
2.9 Risk monitoring and reporting
As part of the implementation of new controls and the maintenance of existing ones, key performance indicators will be identified which will allow the measurement of the success of the controls in addressing the relevant risks. These indicators will be reported on a regular basis and trend information produced so that exception situations can be identified and dealt with by management.
2.10 Regular review
In addition to a full annual review, risk assessments will be evaluated on a regular basis to ensure that they remain current and the applied controls valid. The relevant risk assessments will also be reviewed upon major changes to the business such as office moves, mergers and acquisitions or the introduction of new or changed IT services.

2.11 Roles and responsibilities
Within the process of risk assessment there are a number of key roles that play a part in ensuring that all risks are identified, addressed and managed. These roles are shown in the RACI table below, together with their relative responsibilities at each stage of the process.

2.11.1 RACI chart
The table below clarifies the responsibilities at each step using the RACI model, i.e.:
• R: Responsible
• A: Accountable
• C: Consulted
• I: Informed
STEP | RISK MANAGER | BUSINESS MANAGEMENT | OPERATIONAL STAFF
Identify the risks | A/R | C | C
Risk Acceptance Criteria | C | A/R | C
Analyse and Evaluate the risks | A/R | C | C
Identify and Evaluate Options for Treatment | A/R | C | C
Select Control Objectives and Controls | A/R | C | C
Obtain Management Approval for Residual Risks | A | R | C
Monitor and Report | A/R | I | C
Regular Review | A/R | C | C
Table 3: RACI matrix
Further roles and responsibilities may be added to the above table as the risk assessment and treatment process matures within [Organization Name].
3 Conclusion
The process of risk assessment and treatment is fundamental to the implementation of a successful Service Management System (SMS) and forms a significant part of the ISO/IEC 20000 standard. By following this process [Organization Name] will go some way to ensuring that the risks that it faces in the day to day operation of its business are effectively managed and controlled.
4 Appendix A: List of typical threats
The following list may be used as a starting point for creating a relevant list of threats to service availability, continuity and security which may apply to the information services identified in the service catalogue.
THREAT CATEGORY | THREAT | EXAMPLE
Human | Malicious outsider | Someone launches a denial of service attack on your ecommerce website
Human | Malicious insider | An employee or trusted third party accesses information in an unauthorised manner from inside your network
Human | Loss of key personnel | One or more people with key skills or knowledge are unavailable perhaps due to extended sickness
Human | Human error | An employee accidentally deletes the customer database
Human | Accidental loss | A manager loses a memory stick with customer bank details on it
Natural | Fire | Your main office burns down due to an electrical fault
Natural | Flood | The nearby river breaks its banks, and your main office is severely flooded
Natural | Severe weather | No-one can get into the office due to the weather
Natural | Earthquake | The area of your main office is affected by an earth tremor that damages all your servers
Natural | Lightning | All your servers are fried by a lightning strike on the data centre building
Technical | Hardware failure | A key server has a processor failure
Technical | Software failure | Your financial system processes invoices incorrectly due to a bug
Technical | Virus/Malicious code | A virus spreads throughout your network preventing access to your data
Physical | Sabotage | A disgruntled ex-employee takes an axe to your server room
Physical | Theft | You come in on Monday morning to find all of your PCs have been stolen
Physical | Arson | Someone with a grudge against your organization starts a fire during the night
Environmental | Hazardous waste | A lorry carrying hazardous waste has an accident outside your office
Environmental | Power failure | The sub-station supplying your area has a meltdown
Environmental | Gas supply failure | There is a suspected leak, and all supplies are turned off
Operational | Process error | Your new data transfer procedure does not cater for unexpected circumstances and data is lost or sent to the wrong destination
Operational | Crime scene | A crime happens in or near your office and the area is sealed off by police
Table 4: Typical threats