Security - Telenor
[Figure 1: Minimising total costs. Axes: cost versus protection level. Curves: economic loss caused by unwanted incidents; economic cost of protection measures; total costs (loss + protection).]<br />
[Figure 2: <strong>Telenor</strong>’s risk management model. Elements shown: acceptance criteria; risk treatment; risk financing; funding.]<br />
illustrated in Figure 2, the model consists of five major steps.<br />
Risk management should not be isolated from the rest of the business. An obvious drawback of the model is that it does not visualise an important risk management practice: communication. All relevant risks must be communicated to the involved stakeholders, and stakeholders must communicate their interests to the risk manager.<br />
[Figure 2, remaining elements: objectives, strategies, requirements; risk analysis; acceptable risk? (yes / no); risk treatment: avoid, prevent, reduce, transfer; risk financing: retention, traditional insurance, financial insurance; follow-up and evaluation. Figure 1 curve label: economic cost of protection measures.]<br />
Objectives, Strategies and Requirements<br />
The first step in the risk management model is to define the business objectives, strategies and requirements.<br />
Contrary to popular belief, the object of risk management is not to avoid risk at all cost. The object is to avoid or transfer unnecessary or unacceptable risks, while accepting selected risks. Taking calculated risks is an excellent business practice. Accepting risks blindly, or trying to remove all risk, is a very bad habit. Therefore, risk management cannot be effective without consciously deciding which level of risk is acceptable.<br />
The applicable goals, strategies and business requirements define the background – be they wide-ranging business goals or narrowly defined product requirements. This background is a necessary foundation for the acceptance criteria.<br />
The acceptance criteria come from the objectives, strategies and requirements, and they will be used to decide whether a risk should be accepted or not. Acceptance criteria can be described qualitatively (“we will not break any laws”) or quantitatively (“we will not accept more than n instances of abc”). Acceptance criteria can also be used to develop risk indicators and to decide the trigger levels for those indicators.<br />
Understanding the objectives, strategies and requirements is vital for the risk management cycle. This understanding must be communicated to the next stage in the model, the risk analysis.<br />
Risk Analysis<br />
Risk analysis is the second step in the risk management model, and is an essential tool in risk management. The goal of a risk analysis is to identify and analyse risks, compare the risk exposure with the acceptance criteria and suggest loss reduction measures for the unacceptable risks. This gives the decision-maker the necessary background to decide how he or she wants to treat the risks. Acceptable risks should be monitored. Risk analysis is discussed in some detail in another article, and further reading is available at <strong>Telenor</strong>’s Risk management homepage [A] or <strong>Telenor</strong>’s TeleRisk homepage [B].<br />
There are different ways to do a risk analysis – qualitative or quantitative, with or without formal methods – but the idea is to have a repeatable process that gives high quality answers at a reasonable cost.<br />
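The following is an added worked example, not code from the article or from Telenor, that runs the first two steps of the model in Figure 2 over a constructed risk register: acceptance criteria expressed as a maximum tolerated annual loss per risk, a risk analysis that compares exposure with that criterion and selects, for unacceptable risks, the treatment that minimises total cost (loss + protection, the curve of Figure 1), and a risk indicator with two trigger levels derived from a quantitative criterion of the “no more than n instances of abc” form. Every risk name, frequency, impact, measure, cost figure and log entry is an assumption made up for the illustration; the loss model (frequency times impact, with a measure scaling each factor) is a simplification, not the TeleRisk method.<br />

```python
"""Added worked example (not from the Telektronikk article or from Telenor):
acceptance criteria -> risk analysis -> treatment choice by total cost, plus a
risk indicator with trigger levels.  All figures below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Measure:
    name: str
    annual_cost: float      # economic cost of the protection measure per year
    freq_factor: float      # residual frequency = frequency * freq_factor
    impact_factor: float    # residual impact    = impact    * impact_factor


@dataclass
class Risk:
    name: str
    frequency: float        # expected incidents per year
    impact: float           # expected loss per incident
    criterion: float        # acceptance criterion: max tolerated annual loss
    measures: list[Measure] = field(default_factory=list)


def annual_loss(frequency: float, impact: float) -> float:
    """Annualised loss expectancy: the 'economic loss' curve of Figure 1."""
    return frequency * impact


def residual_loss(risk: Risk, m: Measure) -> float:
    """Loss that remains after applying a measure (simplified scaling model)."""
    return annual_loss(risk.frequency * m.freq_factor, risk.impact * m.impact_factor)


def total_cost(risk: Risk, m: Measure) -> float:
    """Figure 1: total cost = residual loss + cost of protection."""
    return residual_loss(risk, m) + m.annual_cost


def analyse(risk: Risk) -> dict:
    """Step 2 of the model: compare exposure with the acceptance criterion.

    Acceptable risks are retained and monitored.  For an unacceptable risk,
    measures that bring residual loss within the criterion are ranked by total
    cost, not by residual loss alone: paying more for protection than it saves
    is what Figure 1 warns against.  With no qualifying measure the risk is
    escalated to the decision-maker (avoid or transfer rather than reduce)."""
    exposure = annual_loss(risk.frequency, risk.impact)
    result = {"risk": risk.name, "exposure": exposure}
    if exposure <= risk.criterion:
        result.update(decision="accept and monitor", measure=None, total_cost=exposure)
        return result
    candidates = [(total_cost(risk, m), m) for m in risk.measures
                  if residual_loss(risk, m) <= risk.criterion]
    if not candidates:
        result.update(decision="escalate: no measure meets criterion",
                      measure=None, total_cost=exposure)
        return result
    cost, best = min(candidates, key=lambda c: c[0])
    result.update(decision="treat", measure=best.name, total_cost=cost)
    return result


def indicator_status(events: list[dict], event_type: str, window_days: int,
                     threshold: int, warning_fraction: float = 0.7) -> str:
    """Risk indicator for a criterion 'no more than `threshold` instances of
    `event_type` per window'.  Two trigger levels: 'warning' once the count
    passes a fraction of the threshold, 'breach' once the criterion is exceeded."""
    count = sum(1 for e in events
                if e["type"] == event_type and 0 <= e["day"] < window_days)
    if count > threshold:
        return "breach"
    if count > warning_fraction * threshold:
        return "warning"
    return "ok"


# Constructed risk register (hypothetical amounts per year).
RISKS = [
    Risk("portal defacement", frequency=2.0, impact=50_000, criterion=40_000,
         measures=[Measure("web application firewall", 30_000, 0.25, 1.0),
                   Measure("integrity monitoring and rapid restore", 12_000, 1.0, 0.3)]),
    Risk("laptop theft", frequency=5.0, impact=4_000, criterion=25_000,
         measures=[Measure("full-disk encryption", 6_000, 1.0, 0.5)]),
    Risk("billing fraud", frequency=1.0, impact=200_000, criterion=50_000,
         measures=[Measure("fraud analytics", 40_000, 0.5, 1.0)]),
]

# Constructed incident log: day offset and event type (day 95 falls outside a 90-day window).
EVENTS = [{"day": d, "type": t} for d, t in
          [(3, "laptop theft"), (9, "phishing"), (14, "laptop theft"),
           (21, "laptop theft"), (30, "laptop theft"), (41, "laptop theft"),
           (55, "laptop theft"), (60, "phishing"), (71, "laptop theft"),
           (88, "laptop theft"), (95, "laptop theft")]]


if __name__ == "__main__":
    for r in RISKS:
        print(analyse(r))
    # Criterion: no more than 10 laptop thefts per quarter -> warning above 7.
    print(indicator_status(EVENTS, "laptop theft", window_days=90, threshold=10))
```

Two things the run shows that the prose only states: for “portal defacement” the cheaper measure wins although it leaves a larger residual loss (42 000 total against 55 000 for the firewall), because the criterion bounds loss while the decision minimises loss plus protection; and “billing fraud” has no measure that meets its criterion, so the analysis hands it back to the decision-maker rather than silently picking the best available reduction. The indicator counts only events inside the window, so a single old incident cannot keep a trigger latched.<br />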
Telektronikk 3.2000