
Friday, June 29, 2007

Risk management activities as applied to project management

Planning how risk management will be conducted in the particular project. The plan should include risk management tasks, responsibilities, activities and budget.

Assigning a risk officer - a team member other than the project manager who is responsible for foreseeing potential project problems. The typical characteristic of a good risk officer is healthy skepticism.

Maintaining a live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally, a risk can also have an assigned person responsible for its resolution and a date by which it must be resolved.

Creating an anonymous risk reporting channel. Each team member should be able to report a risk they foresee in the project without having to identify themselves.

Preparing mitigation plans for the risks that are chosen to be mitigated. The purpose of a mitigation plan is to describe how this particular risk will be handled: what will be done, when, by whom and how, either to avoid the risk or to minimize the consequences if it materializes.

Summarizing, at the end of the project, the risks that were planned for and the risks actually faced, the effectiveness of the mitigation activities and the effort spent on risk management.
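The steps above describe one procedure: a register with fixed attributes, an anonymous intake, a ranking that decides which risks get a mitigation plan, and a closing summary. The following is an added example that implements it, not code from the original post. The 1-5 probability and importance scales, the exposure threshold, the class and field names, the review date and the sample risks are all assumptions chosen for illustration.

```python
"""A live project risk database, as an added illustration of the steps above.

This is example code, not from the original post. The 1-5 probability and
importance scales, the exposure threshold, the class and field names and the
sample risks are all assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Risk:
    opened: date                        # opening date
    title: str
    description: str
    probability: int                    # 1 (rare) .. 5 (almost certain), assumed scale
    importance: int                     # 1 (negligible) .. 5 (critical), assumed scale
    owner: Optional[str] = None         # person responsible for resolution (optional)
    resolve_by: Optional[date] = None   # date by which it must be resolved (optional)
    mitigation: Optional[str] = None    # the what/when/who/how, once a plan exists
    materialized: bool = False          # set when the risk actually happened
    closed_on: Optional[date] = None    # set when the risk no longer applies
    effort_hours: float = 0.0           # effort spent handling this risk

    @property
    def exposure(self) -> int:
        """Probability x importance, the usual key for ranking a register."""
        return self.probability * self.importance


class RiskRegister:
    def __init__(self) -> None:
        self._risks: list[Risk] = []

    def report(self, risk: Risk) -> None:
        """Entry point for the reporting channel. Note there is no reporter
        field on Risk: the register is anonymous by construction."""
        self._risks.append(risk)

    def ranked(self) -> list[Risk]:
        """Open risks, highest exposure first; ties broken by opening date."""
        return sorted((r for r in self._risks if r.closed_on is None),
                      key=lambda r: (-r.exposure, r.opened))

    def needing_mitigation(self, threshold: int) -> list[Risk]:
        """Risks at or above the exposure threshold that still have no plan."""
        return [r for r in self.ranked()
                if r.exposure >= threshold and r.mitigation is None]

    def overdue(self, today: date) -> list[Risk]:
        """Open risks whose resolve-by date has passed: the risk officer's list."""
        return [r for r in self.ranked()
                if r.resolve_by is not None and r.resolve_by < today]

    def summary(self) -> dict:
        """The closing step: planned vs faced risks and the effort spent."""
        planned = [r for r in self._risks if r.mitigation is not None]
        faced = [r for r in self._risks if r.materialized]
        return {
            "total": len(self._risks),
            "planned": len(planned),
            "faced": len(faced),
            "faced_without_plan": sum(1 for r in faced if r.mitigation is None),
            "effort_hours": sum(r.effort_hours for r in self._risks),
        }


REVIEW_DATE = date(2007, 8, 1)   # assumed date of the project's risk review


def build_sample_register() -> RiskRegister:
    """Constructed sample data for a small project; not real project records."""
    reg = RiskRegister()
    reg.report(Risk(date(2007, 6, 1), "Key developer leaving",
                    "Only one person knows the build system", 3, 5,
                    owner="risk officer", resolve_by=date(2007, 7, 15),
                    mitigation="Cross-train a second developer by mid-July",
                    effort_hours=8))
    reg.report(Risk(date(2007, 6, 5), "Scope creep",
                    "Customer adds features without schedule changes", 4, 4,
                    mitigation="Route every change through a change control board",
                    materialized=True, effort_hours=6))
    reg.report(Risk(date(2007, 6, 10), "Third-party API delayed",
                    "Vendor has slipped its delivery date twice", 4, 3))
    reg.report(Risk(date(2007, 6, 12), "Test lab power outage",
                    "Building maintenance scheduled over the test window", 1, 4,
                    materialized=True, effort_hours=2))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.ranked():
        print(f"{r.exposure:>3}  {r.title}")
    print("unplanned high-exposure:", [r.title for r in reg.needing_mitigation(10)])
    print("overdue:", [r.title for r in reg.overdue(REVIEW_DATE)])
    print(reg.summary())
```

The register deliberately has no field for who reported a risk, which is how the anonymous channel is enforced rather than merely promised. The summary counts risks that materialized without a plan separately, because that number is the most honest measure of how well the foreseeing step worked.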

Risk and Diversification

An Introduction

With the markets moving up and down like a Six Flags roller coaster, is there anything you can do to stomach the risk? Have you carefully considered the various risks associated with each investment you make?

The fact is, many people either don't want to or don't have a clue how to protect themselves from unneeded risk. This tutorial hopes to correct that. The next few pages will introduce you to risk and give you a good foundation for understanding the relationship between risk and return.

What is Risk?

Whether it is investing, driving, or just walking down the street, everyone exposes themselves to risk. Your personality and lifestyle play a big part in how much risk you are comfortable taking on. If you invest in stocks and have trouble sleeping at night because of your investments, you are probably taking on too much risk.

The Investopedia dictionary definition says "risk is the chance that an investment's actual return will be different than expected". This includes the possibility of losing some or all of the original investment.

Those of us who work hard for every penny earned have a harder time parting with money. These people are considered to be more risk averse. On the other end of the spectrum, day traders feel that if they aren't making dozens of trades a day something is wrong; these people are risk loving.

When investing in stocks, bonds, or any other investment instrument there is a lot more risk than you'd think. Let's examine the different types of risk more closely.

The Different Types of Risk

Let's take a look at the two basic types of risk:

* Systematic Risk - A risk that influences a large number of assets. An example is political events. It is virtually impossible to protect yourself against this type of risk.
* Unsystematic Risk - Sometimes referred to as "specific risk". It's risk that affects a very small number of assets. An example is news that affects a specific stock such as a sudden strike by employees.

Diversification is the only way to protect yourself from unsystematic risk. (We will discuss diversification later in this tutorial).

Now that we've covered the fundamental types of risk, let's look at more specific types, particularly those that matter for stocks and bonds:

* Credit or Default Risk - This is the risk that a company or individual will be unable to pay the contractual interest or principal on its debt obligations. This type of risk is of particular concern to investors who hold bonds in their portfolio. Government bonds, especially those issued by the federal government, have the least default risk and the lowest returns, while corporate bonds tend to have the highest default risk but also higher interest rates. Bonds with lower chances of default are considered "investment grade", and bonds with higher chances are considered junk bonds. Bond rating services, such as Moody's, allow investors to determine which bonds are investment grade and which are junk.
* Country Risk - This refers to the risk that a country won't be able to honor its financial commitments. When a country defaults it can harm the performance of all other financial instruments in that country, as well as in other countries it has relations with. Country risk applies to stocks, bonds, mutual funds, options and futures issued within a particular country. This type of risk is most often seen in emerging markets or countries with a severe deficit.
* Foreign Exchange Risk - When investing in foreign countries you must consider that changes in currency exchange rates can also change the price of the asset. Foreign exchange risk applies to all financial instruments denominated in a currency other than your domestic currency. As an example, if you are a U.S. resident and invest in a Canadian stock priced in Canadian dollars, even if the share value appreciates you may lose money if the Canadian dollar depreciates against the U.S. dollar.
* Interest Rate Risk - The risk that a change in interest rates will hurt the value of your investments. A rise in rates during the term of a bond you hold lowers its market price, because newly issued bonds pay more; rising rates also tend to weigh on stocks.
* Political Risk - This represents the financial risk that a country's government will suddenly change its policies. This is a major reason that developing countries attract little foreign investment.
* Market Risk - This is the most familiar of all risks. It's the day-to-day fluctuation in a stock's price, also referred to as volatility. Market risk applies mainly to stocks and options. As a whole, stocks tend to perform well during a bull market and poorly during a bear market; volatility is not so much a cause as an effect of certain market forces. Volatility is a measure of risk because it refers to the behavior, or "temperament", of your investment rather than the reason for this behavior. Because market movement is the reason people can make money from stocks, volatility is essential for returns, and the more unstable the investment, the more chance it has of going dramatically either way.

As you can see, there are several types of risk that a smart investor should consider and pay careful attention to. Deciding on your potential return while respecting risk is the age-old decision that investors must make.

The Risk/Reward Tradeoff

The risk/return tradeoff could easily be called the iron stomach test. Deciding what amount of risk you can take on while still getting rest at night is an investor's most important decision.

The risk/return tradeoff is the balance an investor must strike between the desire for the lowest possible risk and the desire for the highest possible return. Keep in mind that low levels of uncertainty (low risk) are associated with low potential returns, and high levels of uncertainty (high risk) are associated with high potential returns.

The risk-free rate of return is usually taken to be the quoted yield on U.S. government securities, since they are considered to carry virtually no default risk. Let's say this is currently 6%. For virtually no risk, then, we can earn 6% per year on our money. But who wants 6% when index funds are averaging 12-14.5% per year? Remember that index funds don't return 14.5% every year; instead they return -5% one year and 25% the next, and so on. In other words, the risk one takes on for this higher return is much higher.


With the stock markets bouncing up and down 5% every week, individual investors need a safety net. Diversification is the answer.

Diversifying your portfolio may not be the sexiest of investment topics. Still, most investment professionals agree that while it does not guarantee against a loss, diversification is the most important component in helping you reach your long-range financial goals while minimizing your risk. But remember that no matter how much you diversify, you can never reduce risk to zero: the systematic part remains.

What do you need for a well diversified portfolio? There are three main aspects to ensuring the best diversification:

1. Your portfolio should be spread among many different investment vehicles, such as cash, stocks, bonds, mutual funds, and perhaps even some real estate.
2. Your securities should vary in risk. You're not restricted to picking only blue chip stocks. In fact, the opposite is true: picking different investments with different rates of return helps large gains offset losses in other areas. Keep in mind that this doesn't mean investing in penny stocks!
3. Your securities should vary by industry, minimizing the unsystematic risk tied to small groups of companies.

Another question people always ask is how many stocks they should buy to reduce the risk of their portfolio. Portfolio theory tells us that after 10-12 diversified stocks you are very close to optimal diversification. This doesn't mean that buying 12 internet or tech stocks will give you optimal diversification; instead you need to buy stocks of different sizes and from various industries.
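The 10-12 stock rule of thumb, and the warning that 12 stocks from one sector do not count, both follow from how the variance of an equally weighted portfolio behaves as the number of holdings grows. The following is an added worked example, not part of the original tutorial: it uses the textbook formula for that variance and shows the unsystematic term shrinking toward the systematic floor. The per-stock volatility (sigma), the two correlation levels (rho) and the holding counts are assumptions chosen for illustration, not market data.

```python
"""How many holdings diversify away the unsystematic risk?

Added example, not part of the original tutorial. It uses the textbook
variance formula for an equally weighted portfolio; the per-stock volatility
(sigma), the pairwise correlations (rho) and the holding counts below are
assumptions chosen for illustration, not market data.
"""


def portfolio_variance(n: int, sigma: float, rho: float) -> float:
    """Variance of an equal-weight portfolio of n stocks that each have
    standard deviation sigma and pairwise correlation rho.

    sigma^2 / n is the unsystematic part (it shrinks as n grows); the
    remainder tends to rho * sigma^2, the systematic floor that no amount
    of diversification removes.
    """
    if n < 1:
        raise ValueError("need at least one holding")
    return sigma ** 2 / n + (1 - 1 / n) * rho * sigma ** 2


def systematic_floor(sigma: float, rho: float) -> float:
    """Limit of portfolio_variance as n grows without bound."""
    return rho * sigma ** 2


def diversifiable_removed(n: int, sigma: float, rho: float) -> float:
    """Share of the removable (unsystematic) variance that n holdings remove,
    measured against a single-stock position."""
    total = portfolio_variance(1, sigma, rho) - systematic_floor(sigma, rho)
    if total <= 0:            # rho >= 1: the stocks move together, nothing to remove
        return 1.0
    left = portfolio_variance(n, sigma, rho) - systematic_floor(sigma, rho)
    return 1 - left / total


def holdings_for(fraction: float, sigma: float, rho: float) -> int:
    """Smallest number of holdings that removes at least `fraction` of the
    diversifiable variance (rounded to absorb floating-point noise)."""
    n = 1
    while round(diversifiable_removed(n, sigma, rho), 9) < fraction:
        n += 1
    return n


def diversification_table(sigma: float, rho: float, counts=(1, 2, 5, 10, 12, 20, 50)):
    """(n, portfolio standard deviation, share of diversifiable risk removed)."""
    return [(n, portfolio_variance(n, sigma, rho) ** 0.5,
             diversifiable_removed(n, sigma, rho)) for n in counts]


if __name__ == "__main__":
    SIGMA = 0.30          # assumed 30% annual volatility per stock
    for rho, label in ((0.3, "stocks from different industries"),
                       (0.8, "twelve tech stocks that move together")):
        print(f"rho = {rho}: {label}, floor = {systematic_floor(SIGMA, rho) ** 0.5:.1%}")
        for n, sd, removed in diversification_table(SIGMA, rho):
            print(f"  n={n:>2}  std dev {sd:6.1%}  diversifiable risk removed {removed:5.1%}")
    print("holdings for 90% of the benefit:", holdings_for(0.90, SIGMA, 0.3))
    print("holdings for 95% of the benefit:", holdings_for(0.95, SIGMA, 0.3))
```

With these assumptions, ten holdings remove 90% of the diversifiable variance and twelve remove about 92%, which is where the rule of thumb comes from; going from 12 to 50 buys only a few more points. Raising the correlation to 0.8 for a single-sector basket lifts the systematic floor so far that twelve such stocks are still far riskier than twelve from unrelated industries, which is the point of the third diversification aspect above.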

In Conclusion

Different individuals have different tolerances for risk. Tolerance is not static; it will change as your life does. As you grow older, tolerance will usually shrink as more and more obligations come up, including retirement.

There are several different types of risk involved in financial transactions. I hope we've helped shed some light on them. Achieving the right balance between risk and return will ensure that you reach your financial goals while still getting a good night's rest.

Tuesday, June 19, 2007

BS7799 and ISO/IEC 17799

BS7799 is a standard based on years of practical security experience in real businesses. Its first part, the code of practice, was adopted internationally as ISO/IEC 17799, which keeps the same structure. The standard covers all the main security issues from a manager's viewpoint and goes into significant depth in explaining good practice. It is divided into ten main sections, each of which is key to maintaining security. These are:

  1. Security Policy - explains what an information security policy is, what it should cover and why your business should have one.
  2. Organisational Security - explains how information security should be managed in a business.
  3. Asset Classification and Control - assets include the information itself, computers, software and even services. These could all be valuable and need to be managed and accounted for.
  4. Personnel Security - personnel issues such as training, responsibilities, vetting procedures, and how staff respond to security incidents.
  5. Physical and Environmental Security - physical aspects of security including protection of equipment and information from physical harm, keeping key locations secure as well as physical control of access to information and equipment.
  6. Communications and Operations Management - appropriate management and secure operation of information processing facilities during day-to-day activities. This specifically includes computer networks.
  7. Access Control - control of access to information and systems on the basis of business and security needs. Access control is concerned with controlling who can do what with your information resources.
  8. System Development and Maintenance - some businesses develop their own software. This part of the standard deals with the issues that are associated with the design and maintenance of systems so that they are secure and maintain information integrity.
  9. Business Continuity Management - addresses the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor local issues.
  10. Compliance - concerns business compliance with relevant national and international laws.