ARMA NCR April 28 Risk Profile Presentation, Anne Lalonde
03/06/2015

1

Presented by

Anne Lalonde Consulting

• Introduction
• Learning Outcomes
• Definitions
• About Justice Canada’s Risk Profile of Information Resources Guideline
• Risk Statements & Examples
• Examples from other GoC Departments and Agencies
• Workshop Activities 1, 2, 3 (in groups)
• Monitor and Manage Risks
• Wrap-up and Evaluation

• At the end of this workshop, you will be able to identify risks to information resources, elaborate mitigation strategies, and monitor and manage these risks.

KNOW YOUR RISKS!

Risk Profile of Information Resources

A document that presents all the legal, regulatory, access to information, security of information, and protection of personal information risks, response protocols and mitigation strategies as they relate to an organization’s information resources.

Versus

Corporate Risk Profile

A Corporate Risk Profile enables an organization to obtain an overview of its key risks, including an understanding of the organization's operational context and objectives with respect to managing risk.

• Initiated on 2011-12-02 by A. Jolicoeur and revised by numerous stakeholders, e.g. LAC
• Approach: Review Key Documents & Conduct Interviews w/ Program Managers
  ◦ MAF results AoM 12 (IM) and AoM 8 (Security)
  ◦ Corporate Risk Profile, Security Plan, Audits, Report on Plans and Priorities
  ◦ IM Plans and RKAT
  ◦ Review Additional Resources
    • Report from ATIP Tracking System
    • Business Continuity Plan
• Interviews w/ Program Managers to confirm results and elicit other risks

• Review MAF AoM 12 and AoM 8
• Review IM Evaluation and Performance Management Results
• Review Existing Risk Assessment Tools
• Evaluate Overall IM Environment
• Define Areas of IM Risks
• Risk Mitigation Assessment
• Apply Risk Level
• Complete Risk Profile Summary Report and Next Steps

What is a Risk Statement?

It is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization’s objectives. (Source: TBS Guide to Risk Statements)

Risk statement (threat): If (event) occurs, the consequences could result in (negative impact).

Risk statement (opportunity): If (event) occurs, the consequences could result in (positive impact).

1. Significant delays in retrieving records due to current tools for data storage and retrieval practices may leave the department unable to adequately respond to Access to Information requests and e-discovery exercises.

2. Improving records management processes and tools through investing in new technologies and liaising with organizations identified as having best practices may lead to more effective management and response to official requests.

3. The security of departmental networks and records could be seriously compromised if new standards are not implemented.


• Using documents provided, identify 3 risks and debate these risks within your group.
• Using the “Risk and Mitigation Worksheet”, elaborate risk statements, risk drivers, potential consequences and mitigation strategies.

Risk and Mitigation Worksheet

A. Risk Description (review documents and identify risks)
B. Risk Drivers (describe the influencers of the risk)
C. Potential Consequences (describe consequences if the risk is not addressed)
D. Current Mitigation Strategies (describe strategies to minimize the risk)

• Using the “Risk Assessment Grid” provided, calculate “Impact”, “Likelihood” and “Residual Risk”.
• Categorize each risk according to “Risk Areas” provided and prioritize risks.

Integrated Risk Management Risk Assessment Grid

Impact \ Likelihood    Unlikely      Moderate      Likely
Major                  6 Medium      8 High        9 High
Moderate               3 Low         5 Medium      7 High
Minor                  1 Low         2 Low         4 Medium

Rank, risk level and required response:
1 Low: Accept risk
2 Low: Accept risk but monitor
3 Low: May accept risk with monitoring and annual review
4 Medium: Manage and monitor risk
5 Medium: Management effort worthwhile
6 Medium: Management attention and regular rigorous monitoring required
7 High: Management effort required
8 High: Must manage and monitor risk rigorously
9 High: Extensive and immediate management attention required
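The grid above is easiest to apply consistently when it is written down once and every worksheet row is scored against the same table. The script below is an added example, not part of the presentation or of Justice Canada's guideline: it encodes the 3x3 grid and its response legend, scores a small risk register, orders it by rank so the “prioritize risks” step is mechanical, and checks that the grid is monotone (raising impact or likelihood never lowers the rank). The register entries and their impact/likelihood ratings are constructed for illustration; two statements are taken from the examples earlier on the page, the third and all ratings are assumptions, and the ratings are treated as residual, i.e. after the current mitigation recorded in worksheet item D.

```python
"""Score and prioritize a risk register with the 3x3 Integrated Risk Management grid.

Added example; the grid and legend are transcribed from the slide, the sample
register and its ratings are constructed for illustration.
"""
from dataclasses import dataclass

IMPACTS = ("Minor", "Moderate", "Major")          # rows, lowest to highest
LIKELIHOODS = ("Unlikely", "Moderate", "Likely")  # columns, lowest to highest

# Rank for each (impact, likelihood) cell, as printed on the grid.
GRID = {
    ("Major", "Unlikely"): 6, ("Major", "Moderate"): 8, ("Major", "Likely"): 9,
    ("Moderate", "Unlikely"): 3, ("Moderate", "Moderate"): 5, ("Moderate", "Likely"): 7,
    ("Minor", "Unlikely"): 1, ("Minor", "Moderate"): 2, ("Minor", "Likely"): 4,
}

# Risk level and required management response for each rank, from the legend.
RESPONSE = {
    1: ("Low", "Accept risk"),
    2: ("Low", "Accept risk but monitor"),
    3: ("Low", "May accept risk with monitoring and annual review"),
    4: ("Medium", "Manage and monitor risk"),
    5: ("Medium", "Management effort worthwhile"),
    6: ("Medium", "Management attention and regular rigorous monitoring required"),
    7: ("High", "Management effort required"),
    8: ("High", "Must manage and monitor risk rigorously"),
    9: ("High", "Extensive and immediate management attention required"),
}


@dataclass
class Risk:
    statement: str
    area: str        # one of the four Risk Areas
    impact: str      # residual impact, after current mitigation (assumption)
    likelihood: str  # residual likelihood, after current mitigation (assumption)


def score(impact, likelihood):
    """Return (rank, level, response) for a rating; reject labels not on the grid."""
    if impact not in IMPACTS or likelihood not in LIKELIHOODS:
        raise ValueError(f"rating not on grid: impact={impact!r} likelihood={likelihood!r}")
    rank = GRID[(impact, likelihood)]
    level, response = RESPONSE[rank]
    return rank, level, response


def prioritize(risks):
    """Order a register by rank, highest first; ties broken by area then statement.

    Returns rows of (rank, level, response, area, statement).
    """
    rows = []
    for r in risks:
        rank, level, response = score(r.impact, r.likelihood)
        rows.append((rank, level, response, r.area, r.statement))
    rows.sort(key=lambda row: (-row[0], row[3], row[4]))
    return rows


def grid_is_monotone():
    """Sanity check: moving up one impact or likelihood step never lowers the rank."""
    for i, imp in enumerate(IMPACTS):
        for j, lik in enumerate(LIKELIHOODS):
            rank = GRID[(imp, lik)]
            if i + 1 < len(IMPACTS) and GRID[(IMPACTS[i + 1], lik)] < rank:
                return False
            if j + 1 < len(LIKELIHOODS) and GRID[(imp, LIKELIHOODS[j + 1])] < rank:
                return False
    return True


# Constructed sample register (ratings are assumptions for illustration only).
SAMPLE_REGISTER = [
    Risk("Significant delays in retrieving records may leave the department unable "
         "to adequately respond to Access to Information requests",
         "Access to Information", "Moderate", "Likely"),
    Risk("Security of departmental networks and records could be seriously "
         "compromised if new standards are not implemented",
         "Security of Information", "Major", "Moderate"),
    Risk("Personal information sent without the required security designation "
         "(constructed example)",
         "Protection of Personal Information", "Minor", "Moderate"),
]

if __name__ == "__main__":
    assert grid_is_monotone()
    for rank, level, response, area, statement in prioritize(SAMPLE_REGISTER):
        print(f"{rank} {level:<6} [{area}] {statement}\n    -> {response}")
```

Rank, not the Low/Medium/High label, is the sort key: two “High” risks (7 and 9) call for different responses in the legend, and the label alone would hide that. The monotonicity check is worth keeping in any transcription of a grid like this, since a single transposed cell silently inverts the priority of the affected risks.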

Risk Assessment: Risk Areas

Legislation & Regulations
• Reporting
• Performance Metrics
• Non-compliance

Access to Information
• Search/Retrieval
• ATIP Requests
• Transitory Collections
• Retention Schedules
• Disposition Authorities

Security of Information
• Control tools
• Access Rights
• Security Designation
• Transport/Transmittal
• Cyber Threats

Protection of Personal Information
• PIAs
• Control tools
• Security Designation
• Handling
• Transport/Transmittal

• Write a generic questionnaire with open-ended questions for face-to-face interviews with Program Managers, with the purpose of validating existing risks and eliciting new risks to information resources.
• Conduct an interview with a member of your team to test the questionnaire and make any necessary adjustments.

Examples:

• Are the proper controls in place to protect personal information?
• Are there issues with searching and finding information in response to ATIP requests?
• Are there any risks in completing planned activities as part of the IM & Recordkeeping Plan?
• What are the issues you face with managing information resources?

• Set up a review schedule
• Ensure mitigation strategies have been included in the IM and Recordkeeping Plan, Security Plan, Corporate Risk Profile, Plans and Priorities
• Ensure awareness provisions are set in the IM and Recordkeeping and the Departmental Security Plans
• Present and share this report with Strategic Planning, Audit and Ethics, Security divisions and business units who have a stake in the report
• Note: See Justice’s Monitoring Report

Risk is the potential of losing something of value. (Wikipedia)