Metodyka zarządzania ryzykiem organizacyjnym przez jednostki administracji publicznej

• Autorzy: Serewa M.

Warianty tytułu

EN

Risk management methodology for the public administration units

• Języki publikacji: PL

Abstrakty

EN

The article deals with problems encountered during first year of risk management process implementation in the public administration in Poland, and points at the lack of appropriate implementation guides as the main reason. A short review, discussing pros and cons of a few available reference documents, leads to the conclusion that (although widely recognized in Poland) COSO's ERM - Integrated Framework doesn't fit the needs of public administration. The main claims are: strong bias towards problems typical for an international corporation, difficult language, and small but important terminology differences with ISO/IEC Guide 73. Instead, the author proposes much simpler methodology, based on the Joint Australian/New Zealand Standard AS/NZS 4360:2004 - Risk Management, with its excellent Companion AS/NZS HB 436:2004 - Risk Management Guidelines, and European Risk Management Standard issued by FERMA as complementary references. After some discussion concerning organizational matters and critical role of top management, the main part of the article deals with the details of risk analysis and assessment. Before anything else, all main activities of an (usually highly hierarchical) organization must be described in a process-oriented fashion. The importance of each process for achieving organization goal's is then evaluated using a 10 points scale. Within each process a list of critical assets is prepared, and importance of each asset is evaluated in a similar way. The products of scores for each process/asset pair form the preliminary vulnerability assessment. The weakest points selected in that way become the subject of detailed risk analysis using AS/NZS 4360 methodology. Possible risk scenarios are identified, and then consequences and likelihood of each scenario are evaluated using semi-quantitative approach. Probable incident frequency is used for likelihood evaluation rather then probability. The consequences are considered in four areas (human health and safety, financial loss, business continuity, image and reputation) and the total score is given using the "high water mark" rule. At the end overall risk level is calculated as a product of consequences and likelihood scores, and then compared with risk acceptance criteria, to decide on further risk treatment methods. Sample scales for consequences and likelihood evaluation, resultant risk matrix, risk acceptance criteria and risk treatment preferences tables are included. The author believes that publication of the risk management handbook, similar to AS/NZS HB 436, but dedicated to the specific needs of polish public administration would be the best solution to current implementation problems. Hopefully, the methodology proposed in this article may become the basis for such publication.

Słowa kluczowe

PL

metodyka; zarządzanie ryzykiem; administracja publiczna

EN

risk management; public administration; methodology

• Wydawca: Polskie Towarzystwo Zarządzania Produkcją
• Czasopismo: Zarządzanie Przedsiębiorstwem
• Rocznik: 2007
• Tom: Vol. 10, nr 2
• Strony: 46--58
• Opis fizyczny: Bibliogr. 23 poz.

Twórcy

autor

Serewa M.

• Urząd Rejestracji Produktów Leczniczych, Wyrobów Medycznych i Produktów Biobójczych (Wydział Informatyki) ul. Ząbkowska 41, 03-736 Warszawa tel. (+48 22) 4921153,

Bibliografia

• [1] ACSI 33,Australian Government Information and Communications Technology Security Manual, Australian Government Department of Defence, September 2006, dostępny w Internecie: http://www.dsd.gov.au/_lib/ pdf_doc/acsi33/acsi3 3_u.pdf.
• [2] AS/NZS 4360:2004, Risk Management, Standards Australia, Sydney, Standards New Zealand, Welling-ton, 2004.
• [3] AS/NZS HB 231:2004, Information security risk management guidelines, Second edition, Standards Australia, Sydney, Standards New Zealand, Welling-ton, 2004.
• [4] AS/NZS HB 436:2004, Risk Management Guidelines - Companion to AS/NZS 4360:2004, Standards Australia, Sydney, Standards New Zealand, Wellington, 2004.
• [5] Australian/New Zealand Risk Management Standard, Risk Management Reports, November 2004, Vol. 31, No. 11, dostępny w Internecie: http://www.riskinfo.com/ rmr/rmrnov04.htm).
• [6] Congestion versus Clarity, Risk Management Reports, October 2003, Vol. 30, No. 10, dostępny w Internecie: http://www.riskinfo.corn/rmr/rmroct03.htm.
• [7] COSO Enterprise Risk Management Framework 2004, Risk Management Reports, December 2004, Vol. 31, No. 12, dostępny w Internecie: http:// www.riskinfo.com/rmr/rmrdec04.htm.
• [8] Enterprise Risk Management - Integrated Framework: Vol. 1 - Executive Summary Vol.2 -Application Techniques, COSO/PricewaterhouseCoopers LLP, September 2004.
• [9] Guidelines for Managing Risk in the Western Australian Public Sector, The Government of Western Australia, 1999, dostępny w Internecie: http://www.dpc.wa.gov.au/ psmd/pubs/psrd/governance/risk.pdf.
• [10] Information Security Guidelines for NSW Government Agencies Part 1: Information Security Risk Management, NSW Government Department of Commerce, Office of Information and Communications Technology, June 2003, dostępny w Internecie: http://www.oit.nsw.gov.au/docs/ISl.pdf.
• [11] Information Security Guidelines for NSW Government Agencies - Part 2: Examples of Threats and Vulnerabilities, NSW Government Department of Commerce, Office of Information and Communications Technology, June 2003, dostępny w Internecie: http://www.oit.nsw.gov.au/docs/IS2.pdf.
• [12] ISO/IEC FCD 27005, Information technology - Security techniques - Information security risk management.
• [13] ISO/IEC Guide 73:2002 Risk management- Vocabulary - Guidelines for use in standards.
• [14] Komunikat Ministra Finansów nr 13 z dnia 30 czerwca 2006 r. w sprawie standardów kontroli finansowej w jednostkach sektora finansów publicznych (Dz.U. Ministra Finansów nr 7 z dnia 30 czerwca 2006 r. poz. 58).
• [15] Landoll D. J.: The Security Risk Assessment Handbook. A Complete Guide for Performing Security Risk Assessment. Boca Raton - New York: Auerbach Publications - Taylor & Francis Group, 2006.
• [16] PN-ISO/IEC 17799:2007, Technika informatyczna -Techniki bezpieczeństwa - Praktyczne zasady zarządzania bezpieczeństwem informacji.
• [17] PN-ISO/IEC 27001:2007, Technika informatyczna -Techniki bezpieczeństwa - Systemy zarządzania bezpieczeństwem informacji - Wymagania.
• [18] Rozporządzenie Prezesa Rady Ministrów z dnia 25 sierpnia 2005 r. w sprawie podstawowych wymagań bezpieczeństwa teleinformatycznego (Dz.U. z 2005 r. nr 171 poz. 1433).
• [19] Rozporządzenie Rady Ministrów z dnia 11 października 2005 r. w sprawie minimalnych wymagań dla systemów teleinformatycznych (Dz.U. z 2005 r. nr 212 poz. 1766).
• [20] Standard zarządzania ryzykiem, FERMA (Federation of European Risk Management Associations), Bruksela 2002, polska wersja językowa 2003, dostępny w Internecie: http://theirm.org/publications/documents/ rm_standard_polish_l 5_1 l_04.pdf).
• [21] Ustawa z dnia 17 lutego 2005 r. o informatyzacji działalności podmiotów realizujących zadania publiczne (Dz.U. z 2005 r. nr 64 poz. 565 z późn. zmianami).
• [22] Ustawa z dnia 30 czerwca 2005 r. o finansach publicznych (Dz.U. z 2005 r. nr 249, poz.2104 i nr 169, poz. 1420 z późn. zmianami).
• [23] Zarządzanie ryzykiem korporacyjnym -zintegrowana struktura ramowa, (polskie wydanie COSO ERM), tł. Magdalena Dziadosz, Warszawa: WEMA Wydawnictwo-Poligrafia Sp. z o.o., 2007.