WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:03.570
we will learn about risk assessment.

3
00:00:03.570 --> 00:00:06.360
Risk assessment identifies, analyzes,

4
00:00:06.360 --> 00:00:09.540
and evaluates the potential impact of risks

5
00:00:09.540 --> 00:00:12.990
and guides the implementation of mitigation strategies.

6
00:00:12.990 --> 00:00:16.710
Risk assessment concepts include quantitative analysis,

7
00:00:16.710 --> 00:00:21.710
qualitative analysis, risk prioritization, risk appetite,

8
00:00:21.750 --> 00:00:23.730
and risk tolerance.

9
00:00:23.730 --> 00:00:26.850
In order to fully understand each of these concepts,

10
00:00:26.850 --> 00:00:30.570
we first need to understand the risk management lifecycle.

11
00:00:30.570 --> 00:00:33.090
The risk management lifecycle is how we deal

12
00:00:33.090 --> 00:00:36.120
with risk every day in the real world.

13
00:00:36.120 --> 00:00:39.150
Steps in the risk management lifecycle include

14
00:00:39.150 --> 00:00:42.450
identification, assessment, control,

15
00:00:42.450 --> 00:00:44.280
and the review of risks.

16
00:00:44.280 --> 00:00:47.280
So what exactly is risk management

17
00:00:47.280 --> 00:00:49.860
and why is it adopted by organizations?

18
00:00:49.860 --> 00:00:53.640
Well, quite simply put, risk management helps us see all

19
00:00:53.640 --> 00:00:55.890
of the different risks that are out there,

20
00:00:55.890 --> 00:00:59.250
and then put controls in place to help bring down the level

21
00:00:59.250 --> 00:01:01.410
of risks to an acceptable level.

22
00:01:01.410 --> 00:01:04.860
As an organization, we adopt risk management to ensure

23
00:01:04.860 --> 00:01:08.760
that our confidential data stays, well, confidential,

24
00:01:08.760 --> 00:01:11.460
and we want to make sure that all of our customer data

25
00:01:11.460 --> 00:01:14.460
and all of our corporate data doesn't get into the hands

26
00:01:14.460 --> 00:01:16.230
of unauthorized parties.

27
00:01:16.230 --> 00:01:19.230
We do this by identifying total risk

28
00:01:19.230 --> 00:01:21.900
and then putting risk mitigations in place.

29
00:01:21.900 --> 00:01:25.470
But mitigating risk is not the only choice we have.

30
00:01:25.470 --> 00:01:28.290
We might choose to do nothing with the risk at all.

31
00:01:28.290 --> 00:01:30.930
Maybe it's just too expensive to do so,

32
00:01:30.930 --> 00:01:33.420
but we can't stop doing that risky behavior,

33
00:01:33.420 --> 00:01:35.610
it's just too critical to our business.

34
00:01:35.610 --> 00:01:37.740
This is called risk acceptance.

35
00:01:37.740 --> 00:01:39.030
It's important to remember

36
00:01:39.030 --> 00:01:42.690
that risk acceptance is not risk ignorance. In other words,

37
00:01:42.690 --> 00:01:45.150
just because we accept the risk doesn't mean

38
00:01:45.150 --> 00:01:48.420
that we are never going to think about it again; we will.

39
00:01:48.420 --> 00:01:50.910
Actually, we will continue to monitor the risk

40
00:01:50.910 --> 00:01:53.640
after we have accepted it to see if the risk increases

41
00:01:53.640 --> 00:01:56.400
to the point that it is no longer acceptable.

42
00:01:56.400 --> 00:01:58.530
On the other hand, we might decide

43
00:01:58.530 --> 00:02:01.110
that the risk is just too much to work with.

44
00:02:01.110 --> 00:02:04.530
In this case, we might avoid that risk altogether.

45
00:02:04.530 --> 00:02:07.170
Risk avoidance is identifying risk,

46
00:02:07.170 --> 00:02:09.090
deciding it is just too much,

47
00:02:09.090 --> 00:02:12.060
and then stopping whatever that risky activity is.

48
00:02:12.060 --> 00:02:14.880
For example, maybe I decide that driving

49
00:02:14.880 --> 00:02:17.850
to work is just too risky of an activity for me.

50
00:02:17.850 --> 00:02:20.790
I still need to work, I just can't drive there.

51
00:02:20.790 --> 00:02:23.370
So I avoid the driving risk by not driving

52
00:02:23.370 --> 00:02:26.460
and looking for alternatives such as remote work

53
00:02:26.460 --> 00:02:28.590
or working near home where I can walk to

54
00:02:28.590 --> 00:02:30.060
and from the office,

55
00:02:30.060 --> 00:02:32.670
or I might decide that there are some mitigations

56
00:02:32.670 --> 00:02:35.340
that I can put in place to reduce the risk of driving

57
00:02:35.340 --> 00:02:36.750
to an acceptable level.

58
00:02:36.750 --> 00:02:38.760
These might include getting training

59
00:02:38.760 --> 00:02:40.110
and my driver's license,

60
00:02:40.110 --> 00:02:42.420
being well rested and wearing a seatbelt.

61
00:02:42.420 --> 00:02:45.660
With these risk mitigations in place, I can feel comfortable

62
00:02:45.660 --> 00:02:47.580
with the risk of driving to work.

63
00:02:47.580 --> 00:02:49.560
However, I know that even

64
00:02:49.560 --> 00:02:52.050
after I take all the precautions I can,

65
00:02:52.050 --> 00:02:54.420
there is still some risk in driving,

66
00:02:54.420 --> 00:02:56.430
this is residual risk.

67
00:02:56.430 --> 00:03:00.480
After identifying risk, analyzing helps us decide exactly

68
00:03:00.480 --> 00:03:02.310
how we are going to handle it.

69
00:03:02.310 --> 00:03:06.300
Analyzing risk requires a measurement of the risk itself,

70
00:03:06.300 --> 00:03:09.480
and there are two different ways we can measure risk,

71
00:03:09.480 --> 00:03:12.360
qualitatively or quantitatively.

72
00:03:12.360 --> 00:03:16.140
Qualitative risk analysis uses intuition, experience,

73
00:03:16.140 --> 00:03:20.220
and other best practices to assign non-numeric values

74
00:03:20.220 --> 00:03:21.630
to a given risk.

75
00:03:21.630 --> 00:03:26.130
These non-numeric values could be low, medium, high,

76
00:03:26.130 --> 00:03:29.700
and critical, or you could use another categorization system

77
00:03:29.700 --> 00:03:30.690
if you want.

78
00:03:30.690 --> 00:03:34.260
Best practices for assigning qualitative risk values include

79
00:03:34.260 --> 00:03:38.430
brainstorming sessions, focus groups, surveys, interviews,

80
00:03:38.430 --> 00:03:42.750
or an estimation of the likelihood an event will occur using

81
00:03:42.750 --> 00:03:44.250
the Delphi method.

82
00:03:44.250 --> 00:03:46.560
The Delphi method involves asking a group

83
00:03:46.560 --> 00:03:49.860
of experts multiple questions through multiple rounds

84
00:03:49.860 --> 00:03:51.570
to reach a consensus.

85
00:03:51.570 --> 00:03:53.280
In a qualitative assessment,

86
00:03:53.280 --> 00:03:55.140
things are measured based on a feeling

87
00:03:55.140 --> 00:03:58.590
or an opinion about how risky something really is.

88
00:03:58.590 --> 00:04:00.630
In the case of qualitative methods,

89
00:04:00.630 --> 00:04:03.900
we aren't looking for an exact dollar amount or metric.

90
00:04:03.900 --> 00:04:06.540
Instead, we are trying to get an understanding

91
00:04:06.540 --> 00:04:10.110
of how risky something is in relation to other things.

92
00:04:10.110 --> 00:04:14.670
For example, we could use words like critical, high, medium,

93
00:04:14.670 --> 00:04:16.980
or low to describe the risk.

94
00:04:16.980 --> 00:04:20.040
Experience and expertise are heavily relied on

95
00:04:20.040 --> 00:04:22.170
in qualitative risk assessments.

96
00:04:22.170 --> 00:04:26.160
The biggest downside to using qualitative risk analysis is

97
00:04:26.160 --> 00:04:28.650
that dollar values are not provided,

98
00:04:28.650 --> 00:04:31.500
and this hinders our cost benefit analysis

99
00:04:31.500 --> 00:04:33.450
and future budget forecasting.

100
00:04:33.450 --> 00:04:34.860
Now, on the other hand,

101
00:04:34.860 --> 00:04:37.301
we could use quantitative risk analysis.

102
00:04:37.301 --> 00:04:40.410
This uses numeric and monetary values

103
00:04:40.410 --> 00:04:42.870
for all parts of the risk analysis.

104
00:04:42.870 --> 00:04:45.990
It includes assigning numerical values to the value

105
00:04:45.990 --> 00:04:49.590
of assets, threat frequency, severity of vulnerabilities,

106
00:04:49.590 --> 00:04:53.160
and the impact of the realization of a given threat.

107
00:04:53.160 --> 00:04:56.730
Quantitative risk analysis removes a lot of the estimation

108
00:04:56.730 --> 00:04:59.310
and guesswork from the risk analysis

109
00:04:59.310 --> 00:05:01.860
because it basically turns a risk assessment

110
00:05:01.860 --> 00:05:03.420
into a big math problem.

111
00:05:03.420 --> 00:05:06.180
We have equations that we use to determine the total

112
00:05:06.180 --> 00:05:07.560
and residual risk.

113
00:05:07.560 --> 00:05:09.870
Quantitative risk analysis can provide us

114
00:05:09.870 --> 00:05:13.650
with a cost directly associated with each of those risks,

115
00:05:13.650 --> 00:05:15.510
which the accountants really love.

116
00:05:15.510 --> 00:05:17.880
In the real world, most determinations

117
00:05:17.880 --> 00:05:20.880
in risk analysis are going to include both quantitative

118
00:05:20.880 --> 00:05:22.740
and qualitative analysis.

119
00:05:22.740 --> 00:05:24.930
This is called a hybrid approach.

120
00:05:24.930 --> 00:05:26.610
A hybrid approach is used

121
00:05:26.610 --> 00:05:28.980
because there's often not enough data

122
00:05:28.980 --> 00:05:32.490
to accurately use only a quantitative method.

123
00:05:32.490 --> 00:05:35.340
The quantitative evaluation has to be combined

124
00:05:35.340 --> 00:05:37.470
with some qualitative analysis.

125
00:05:37.470 --> 00:05:38.820
There's always some level

126
00:05:38.820 --> 00:05:40.650
of subjectivity in the data,

127
00:05:40.650 --> 00:05:44.280
making most analysis a combination of both quantitative

128
00:05:44.280 --> 00:05:45.990
and qualitative measurement.

129
00:05:45.990 --> 00:05:48.030
But in the end, both quantitative

130
00:05:48.030 --> 00:05:51.720
and qualitative risk analysis provide an end result

131
00:05:51.720 --> 00:05:55.112
that helps prioritize a risk against other risks.

132
00:05:55.112 --> 00:05:57.420
Risk prioritization is used

133
00:05:57.420 --> 00:05:59.910
to rank risks based on their likelihood

134
00:05:59.910 --> 00:06:03.300
and the impact they could have on an organization.

135
00:06:03.300 --> 00:06:06.270
Quantitative analysis results are numbers.

136
00:06:06.270 --> 00:06:08.580
This risk will cost me this much money.

137
00:06:08.580 --> 00:06:11.430
In qualitative analysis, I get a feeling,

138
00:06:11.430 --> 00:06:15.180
this feels like higher risk or medium or low risk.

139
00:06:15.180 --> 00:06:18.450
From there, risk prioritization is about understanding

140
00:06:18.450 --> 00:06:20.820
which risks pose the greatest threat

141
00:06:20.820 --> 00:06:22.980
and require immediate attention,

142
00:06:22.980 --> 00:06:26.460
and which ones are less critical and can be handled later,

143
00:06:26.460 --> 00:06:28.530
or managed with less urgency.

144
00:06:28.530 --> 00:06:30.600
Think of it like creating a to-do list

145
00:06:30.600 --> 00:06:32.130
for dealing with problems.

146
00:06:32.130 --> 00:06:34.740
The issues that are both very likely to happen

147
00:06:34.740 --> 00:06:37.380
and would have severe consequences are placed

148
00:06:37.380 --> 00:06:38.880
at the top of the list.

149
00:06:38.880 --> 00:06:42.030
On the other hand, if something is unlikely to occur

150
00:06:42.030 --> 00:06:44.610
or wouldn't cause much damage if it did,

151
00:06:44.610 --> 00:06:46.650
it goes lower on the list.

152
00:06:46.650 --> 00:06:50.850
In this way, prioritizing risks helps organizations allocate

153
00:06:50.850 --> 00:06:53.220
their resources effectively, ensuring

154
00:06:53.220 --> 00:06:55.860
that the most serious threats are addressed first,

155
00:06:55.860 --> 00:06:59.370
while not wasting effort on lower priority issues.

156
00:06:59.370 --> 00:07:01.170
It's a balancing act that allows

157
00:07:01.170 --> 00:07:04.800
for a more strategic efficient approach to risk management.

158
00:07:04.800 --> 00:07:06.000
But the amount of risk

159
00:07:06.000 --> 00:07:08.190
that one person might find unacceptable

160
00:07:08.190 --> 00:07:10.830
might be totally acceptable to another person.

161
00:07:10.830 --> 00:07:12.240
So we must also understand

162
00:07:12.240 --> 00:07:14.580
our own risk appetite and tolerance.

163
00:07:14.580 --> 00:07:16.320
Risk appetite and risk tolerance

164
00:07:16.320 --> 00:07:17.970
are closely related concepts

165
00:07:17.970 --> 00:07:19.680
that help organizations determine

166
00:07:19.680 --> 00:07:22.410
how much risk they're willing to accept.

167
00:07:22.410 --> 00:07:24.720
Risk appetite is the overall amount

168
00:07:24.720 --> 00:07:27.540
of risk an organization is comfortable taking

169
00:07:27.540 --> 00:07:28.890
to achieve its goals.

170
00:07:28.890 --> 00:07:30.420
It's like setting a boundary

171
00:07:30.420 --> 00:07:32.760
for how adventurous a company is willing to be

172
00:07:32.760 --> 00:07:34.770
in pursuit of opportunities.

173
00:07:34.770 --> 00:07:37.890
On the other hand, risk tolerance is more specific

174
00:07:37.890 --> 00:07:39.000
and relates to the level

175
00:07:39.000 --> 00:07:41.580
of variation an organization is willing

176
00:07:41.580 --> 00:07:43.560
to handle within that boundary.

177
00:07:43.560 --> 00:07:45.905
It refers to how much risk needs to change

178
00:07:45.905 --> 00:07:49.110
before corrective action is necessary.

179
00:07:49.110 --> 00:07:52.170
Essentially, risk appetite is the big picture of

180
00:07:52.170 --> 00:07:55.380
how much risk an organization is willing to take on,

181
00:07:55.380 --> 00:07:58.470
while risk tolerance measures the risk fluctuations

182
00:07:58.470 --> 00:08:02.220
at a day-to-day level. If the fluctuations become too much,

183
00:08:02.220 --> 00:08:04.140
then action will need to be taken.

184
00:08:04.140 --> 00:08:06.720
It's like deciding how far off course you're willing

185
00:08:06.720 --> 00:08:07.980
to let things drift

186
00:08:07.980 --> 00:08:10.620
before stepping in to correct the situation.

187
00:08:10.620 --> 00:08:15.540
So remember, risk assessment is a process used to identify,

188
00:08:15.540 --> 00:08:19.380
evaluate, and manage potential threats to an organization.

189
00:08:19.380 --> 00:08:21.270
It involves both quantitative

190
00:08:21.270 --> 00:08:24.390
and qualitative analysis to assess risks

191
00:08:24.390 --> 00:08:27.570
and determine their likelihood and potential impact.

192
00:08:27.570 --> 00:08:30.360
Through this process, risks are prioritized,

193
00:08:30.360 --> 00:08:33.930
allowing organizations to allocate resources effectively

194
00:08:33.930 --> 00:08:36.750
and focus on the most critical threats first.

195
00:08:36.750 --> 00:08:39.510
Understanding an organization's risk appetite

196
00:08:39.510 --> 00:08:43.590
and risk tolerance is also important as they help define

197
00:08:43.590 --> 00:08:47.430
how much risk that organization is willing to accept

198
00:08:47.430 --> 00:08:49.503
while pursuing its goals.

