Risk Assessment – how to deal with it.

When thinking about Risk Assessment you might use the following techniques:

  • Bayesian method,
  • bowtie analysis,
  • brainstorming and structured discussions,
  • cause and consequence analysis,
  • cause and effect analysis.

It's useful to use Risk Rankings, i.e. levels of risk associated with a threat, based on its severity, likelihood and characteristics. Risk Rankings might be presented in the form of Risk Maps, e.g. Heat Maps.

Whenever thinking about Risk Assessment we need to make sure we identify an individual Risk Owner: someone who is empowered to make decisions on behalf of the organization. Otherwise, taking any action will be crippled.

The Risk Assessment Phase should be documented for Senior Management. The risk assessment report should:

  • indicate the gaps found,
  • advise whether risks are at acceptable levels,
  • provide a basis for severity assessment,
  • mention issues which have already been addressed as well, to give a comprehensive picture of the risk landscape.

Remember that in order to provide comprehensive documentation, the following sections should be included:

  • objectives of the risk assessment,
  • scope,
  • external context,
  • internal factors,
  • risk assessment methodology,
  • identification of risks, threats and vulnerabilities,
  • results of risk assessment,
  • recommendations and conclusions.

And as they say at ISACA:

The reason to conduct risk assessments in a consistent, structured manner is to provide predictable, repeatable results that support future assessments.

Key Risk Indicator

We use KRIs to provide early warning signs that risk levels are rising, allowing the organization to take proactive measures to mitigate or manage the risk.

In a Software Development scenario this would be, e.g., the Percentage of Projects Delivered Late.

When a KRI exceeds its threshold, stakeholders should be informed. The information should result either in an investigation of the cause or directly in mitigation.

Checklist of elements of an Enterprise Risk Management Framework

If you want to make sure you have included and considered all of the vital elements of an Enterprise Risk Management Framework, just follow the checklist below.

  1. Clearly indicated Data / System / Risk Ownership.
  2. Clearly identified crucial Business Operations.
  3. Clearly documented Process & Procedure Formation.
  4. Clearly documented Risk Framework & Policy Formation.
  5. Clearly identified Compliance and Oversight mechanisms.
  6. Clearly identified Check & Challenge mechanism.
  7. Established independent assurance bodies: Board, Senior Management and Audit.

Fundamental Governance and Risk Management Questions

First, Governance. I try to get my head around:

  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting them done well?
  4. Do we see expected benefits?

Secondly, I try to see where I am in terms of culture:

  1. Is it a Vulnerable kind of organization?
  2. Is it a Reactive kind of organization?
  3. Is it a Compliant kind of organization?
  4. Is it a Proactive kind of organization?
  5. Is it a Resilient kind of organization?

Then, going slightly deeper:

  1. Should we analyse Access Risks?
  2. Should we analyse Availability Risks?
  3. Should we analyse Cyber and Information Risks?
  4. Should we analyse Emerging Technology Risks?
  5. Should we analyse Infrastructure Risks?
  6. Should we analyse Integrity Risks?
  7. Should we analyse Third-Party Risks?

And then the hard questions:

  1. Have we identified any risks in those categories?
  2. Have we already analysed, evaluated and assessed those risks?
  3. Do we have response strategies?
  4. How do we control and report those risks?

Only then does the real fun start!