SABSA Practitioner: Risk Assurance
Operational Risk Management
All business, whether it be commercial, government, military or charitable, is based upon exploiting opportunities to further the goals of the enterprise. With each opportunity comes risk, and thus risk is implicit in doing business, whatever the nature of that business. To do business is to take risks.
Risk management is the art and science of managing business risks in such a way as to match the risk tolerance (or risk appetite) of the enterprise. This means that all risks must be identified, analysed, assessed (measured) and perhaps mitigated to ensure that they are within the risk appetite and that the overall costs and benefits associated with managing the risks are optimised.
There are several important concepts relating to the complexity of risk management. Firstly, risk cannot be avoided. For any planned business activity or action there is a risk associated with taking that course of action and a risk associated with not doing so. ‘Doing nothing’ does not avoid risk. Secondly, although it is convenient to organise risks into categories and groups for identification and analysis purposes, risks do not actually behave in a silo manner. Risks affect one another in a complex web of interactions, such that mitigating or reducing a given risk may well increase one or more other risks. Thirdly, risks at the micro-level of the enterprise may or may not be significant at the macro-level, and thus risk aggregation and scaling techniques are necessary as part of the overall risk management strategy.
To summarise, risk is implicit in doing business of any kind, and is the flip side of business opportunity. Thus risk management is synonymous with business management. Every business decision is a risk decision. Hence, all organisations take risk. The most successful are those that consistently make the best risk management decisions. Good management decisions depend upon high-quality information and a superior framework within which to present that information, so as to exercise good judgement, reach the best conclusions and provide workable solutions to new problems. This intensive SABSA Practitioner course module and its workshops empower anyone involved with managing, measuring and mitigating enterprise risk to meet their obligations through a framework and proven techniques that enable excellence in enterprise decision making.
Course Overview
This three-day course provides participants with a practical guide on how to manage risk within their business operations. It covers general Operational Risk Management concepts with a consistent and practical focus on the specific needs for managing risk in the wider context of a SABSA-based enterprise information security architecture and risk management programme.
High-Level Learning Outcomes
After attending this course attendees will be able to:
- Apply operational risk management techniques and methods in the context of information risk and the SABSA framework.
- Develop an over-arching Enterprise Risk Management strategy to address the issues of isolated risk silos and create an integrated, holistic approach to managing information risk in the wider context of the enterprise using the SABSA framework.
- Analyse the regulatory regimes that are raising the profile of risk management for the Board and Executive team and use this analysis to drive the priorities of the business in addressing information risk through the SABSA Business Attributes Profile.
- Plan, implement and manage an information risk management programme that addresses the complex interactions between different types of operational risk, based upon a SABSA Business Attributes Profile that captures the wider range of business information risk drivers.
- Develop practical methods to measure risk and apply meaningful metrics to setting performance targets for risk appetite and risk tolerance and monitoring actual performance against these targets, based upon the application of the SABSA Business Attributes Profiling method.
- Plan, develop, implement and manage a strategic enterprise-wide operational risk management framework, methodology, tool-set and process, aligned to the SABSA framework.
- Apply the SABSA operational risk management techniques and methods both at the enterprise-wide level and at the project level, ensuring that all projects inherit enterprise-level risk management requirements as well as focusing on project-specific risk issues.
- Plan and conduct risk-based information security reviews and information security audits within the SABSA framework.
- Plan, develop, implement and manage a communications strategy and a strategic information-management architecture (including customised risk dashboards) for capturing, transforming, processing and reporting risk information in support of decision making by key stakeholders in terms that ensure added business value, leading to senior management buy-in and support.
Pre-Requisite Knowledge
There are no pre-requisites for attending this course or for sitting the SABSA Institute PT2 examination on completion of the course. However, attendees will probably benefit most if they have some previous knowledge of the SABSA framework, and for those wishing to be awarded the SABSA Chartered Practitioner Certificate, they will need to complete the SABSA Chartered Foundation Certificate before the Practitioner award can be made.
Who Should Attend
- CIO / CISO / CRO / CIRO
- IT Strategists and Planners
- IT Architects
- IT Development Managers and Project Leaders
- Software Managers and Architects
- Computer / Information Security Managers, Advisors, Consultants and Practitioners
- IT Line Managers
- IT Service Delivery Managers
- Risk Managers
- Internal and External Auditors
What a Course Attendee Will Take Away
- A comprehensive knowledge of the principles and practice of operational risk management within the SABSA framework.
- A plan for implementing risk management throughout the enterprise using the unique SABSA Business Attributes Profile approach combined with the comprehensive SABSA framework for risk modelling, assessment, analysis, mitigation, management and measurement.
- A new and more comprehensive definition of “best-practice” risk assessment methods that exceed existing standards and definitions through the application of the SABSA Business Attributes Profile as a proxy for the ‘assets’ at risk.
- A practical SABSA-based approach to building an ever more accurate enterprise risk profile – and facilitating risk assessment of new ventures through the work already done and the lessons already learned in developing that profile.
- A plan for implementing ongoing improvement of operational risk management through monitoring, measurement and benchmarking.
Methodology
The course consists of lectures and workshop sessions, supplemented by case studies drawn from a combination of published real-life examples and/or practical experience. In the workshops attendees will work in small groups to synthesise ideas and strategies and to apply the material in the context of case studies and simulations. Open forum discussions will also feature where appropriate.
Lecture content is naturally less intense than in Foundation classes, with more emphasis on practical work. The course focuses heavily on developing the skills and knowledge for a practitioner through hands-on workshop sessions and discussions, so as to provide the appropriate balance and emphasis on practice rather than theory.