Security - Telenor
Mitigation Strategies

The third step in the risk management model is to select a mitigation strategy. Risk reduction is achieved by applying a relevant mitigation strategy to each unacceptable risk. Telenor's four mitigation strategies are:

• Avoiding the risk altogether. If a risk is totally unacceptable and cannot be reduced by any other means, it must be avoided, for instance by discontinuing the product or service that carries it.

• Preventing the risk from materialising. This strategy reduces the frequency or likelihood of the risk materialising. The widespread use of anti-virus software to stop malicious software from harming a PC is an example.

• Reducing the consequence if the risk does materialise. Backup of servers is a classic example of consequence reduction: even if malicious software takes out a server, up-to-date backups minimise the harm.

• Transferring the risk to a third party. Insurance, contracts and disclaimers are the traditional ways of transferring risk to a third party.

Usually a mix of these strategies gives the best result. The financial mitigation strategies matter most when an unacceptable risk can be neither avoided nor prevented and the decision-maker accepts it anyway. At that point the offensive risk manager should prepare fallback strategies and propose financial mitigation measures.
Risk Financing

The fourth step, risk financing, is necessary whether the mitigation costs are paid up front or arise only when a risk materialises. Risk financing in Telenor primarily falls into one of four main strategies:

• Funding the mitigation is the usual choice when "something" is done to prevent, avoid or reduce a risk. The funding can be self-financed or financed by the customer. Reserves can in some cases be built up without paying tax on them, either as an unfunded retention or by way of a captive insurance company.

• Traditional insurance is commonly used. An insurance company accepts the costs that arise when a risk materialises and, of course, expects a premium for carrying that risk.

• Retention is the amount (the deductible) the business has to carry itself in order to obtain a lower insurance premium.
Telektronikk 3.2000<br />
• Financial insurance is in some sense the reverse of traditional insurance. With financial insurance, an insurance company charges a lump sum to cover a set of aggregated risks. If the costs of the risks that materialise turn out to be less than the lump sum, the insurer returns the difference minus a fee. If the costs exceed the lump sum, however, the insurer cannot reclaim the difference from Telenor.

Financing is needed both for risk reduction measures and for the risks that are accepted. Where a residual risk is well below the acceptable level, it is possible to remove risk reduction controls and so lower the cost of financing the risk.

As a rule the mitigation cost must be kept lower than the loss that would be suffered if the risk materialised. The risk manager may know a great deal about risk and risk mitigation, but the finance officer is the financial expert. There are therefore close links between risk management in Telenor, the finance officer and insurance, the latter in the form of Telenor Forsikring AS, Telenor's captive insurance company.
Monitor and Review

The final step is monitoring and reviewing. Risk management is a continuous process, an ongoing cyclical activity. The background, the risks discovered during the risk analysis, the risk mitigation and the risk financing must be monitored continuously and reviewed regularly.

In addition, the risk manager must communicate regularly with all stakeholders and any other interested parties.
Supporting Framework

Risk management depends heavily on senior management involvement. The board of directors approved Telenor's original risk management policy on 17 March 1995. That policy has been replaced by the current policy, approved by the board of directors on 18 September 1999 [2].

An important benefit of good risk management is that one stays on top of the situation: there is less uncertainty, only the unacceptable risks need to be addressed, and there are fewer crises and nasty surprises. Even a good framework needs support, however. Telenor's risk management framework is supported by methods, guidelines, leaflets, word lists, template files and so on. The Risk Manager Forum plays an important role as an arena where the risk managers meet and discuss topics of interest.
Concluding Remarks

The perception of risk management appears to be changing globally, as does the concept and definition of "risk".