Risk analysis

The risk analysis process is split into three parts:
· Risk identification;
· Risk description;
· Risk estimation.

Risk identification

Risk identification sets out to identify an organisation's exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, and the legal, social, political and cultural environment in which it exists, as well as a sound understanding of its strategic and operational objectives, including the factors critical to its success and the threats and opportunities related to the achievement of those objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from those activities defined. All associated volatility related to those activities should be identified and categorised.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well-communicated, consistent and co-ordinated processes and tools is likely to be more effective. In-house 'ownership' of the risk management process is essential even if an external consultant is used to facilitate the process.

Risk description

The objective of risk description is to display the identified risks in a structured format, for example by using a table. Such a table is usually called a risk register, and an example of the contents of a risk register is given in Appendix C. Each organisation will have different views on the contents of a risk register, and the example given is not the only one that an organisation could use. By identifying and recording all possible risks it becomes possible to evaluate them and prioritise them as the business requires (e.g. addressing the highest risks first). Associating each risk with the relevant area of the business and its stakeholder allows the relevant people to have an input to the process of risk assessment and risk management.

Risk estimation

Risk estimation can be either quantitative or qualitative in terms of the probability of occurrence and the possible consequence. It is also possible to mix the two to produce a hybrid approach.

If a purely quantitative process is required, the most commonly used measure is Annual Loss Expectancy (ALE) (see Section 5.3.7 for a worked example).

In a qualitative approach, consequences, both in terms of threats (downside risks) and opportunities (upside risks), may be rated high, medium or low or on some other scale (see Appendix D). Differing impacts can be graded using the same process as is shown in Appendix D. Probability may likewise be rated high, medium or low, but requires different definitions in respect of threats and opportunities (see Appendix E, and Section 5.3.8 and Section 7 for further details).

Different organisations will find that different measures of consequence and probability suit their needs best. For example, many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs; the result can be presented as a 3 x 3 matrix. Other organisations find that assessing consequence and probability on a 5 x 5 matrix gives them a better evaluation, and yet others use different matrix sizes.

Risk analysis methods and techniques

A range of techniques and tools can be used to analyse risks. These can be specific to upside or downside risk, or capable of dealing with both. Various methods are used in different industry sectors, and the method or tool chosen will depend on a number of factors.

Risk profile

The result of the risk analysis process can be used to produce a risk profile, which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. The profile ranks each identified risk so as to give a view of its relative importance. This process allows each risk to be mapped to the business area affected, describes the primary control procedures in place, and indicates areas where the level of risk control investment might be increased, decreased or reapportioned. Accountability helps to ensure that 'ownership' of the risk is recognised and the appropriate management resource allocated.
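The following is an added worked example, not code from the book, tying together the risk register, the two estimation approaches and the risk profile described above. It assumes the standard textbook definitions ALE = SLE x ARO and SLE = asset value x exposure factor (the book's own ALE example is in Section 5.3.7, which is not reproduced here), assumed 5-point consequence and probability scales standing in for Appendices D and E, assumed low/medium/high bands for the 5 x 5 matrix, an assumed set of register columns rather than the Appendix C layout, and a constructed sample register with fictitious figures. It goes slightly beyond the text in that it ranks with a hybrid: the qualitative matrix score orders every risk, and ALE breaks ties where the quantitative data exists.

```python
"""Added example: a small risk register with qualitative (5 x 5 matrix)
and quantitative (ALE) estimation, ranked into a risk profile.
All scales, thresholds and sample risks below are assumptions for
illustration, not the scales defined in the book's appendices."""
from dataclasses import dataclass
from typing import Optional

# Assumed 5-point scales (the book's Appendices D and E define the real ones).
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Risk:
    """One row of the register: an assumed column set, not the book's Appendix C."""
    ref: str
    description: str
    business_area: str
    owner: str                      # stakeholder accountable for the risk
    consequence: str                # key into CONSEQUENCE
    probability: str                # key into PROBABILITY
    controls: str = ""              # primary control procedures in place
    asset_value: Optional[float] = None      # quantitative inputs, optional
    exposure_factor: Optional[float] = None  # fraction of asset value lost per event
    aro: Optional[float] = None              # annualised rate of occurrence


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (standard definition, assumed here)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO (standard definition, assumed here)."""
    if aro < 0:
        raise ValueError("annualised rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def qualitative_score(consequence: str, probability: str) -> int:
    """Cell of the consequence x probability matrix, as the product of the two grades."""
    return CONSEQUENCE[consequence.lower()] * PROBABILITY[probability.lower()]


def rating(score: int) -> str:
    """Band a matrix cell into high/medium/low. Thresholds are an assumption:
    15 and above is high, 5 to 14 medium, below 5 low on a 5 x 5 matrix."""
    if score >= 15:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def risk_profile(register: list) -> list:
    """Rank the register into a risk profile (hybrid approach: qualitative
    score first, ALE as the tie-breaker where the quantitative data exists)."""
    rows = []
    for r in register:
        score = qualitative_score(r.consequence, r.probability)
        ale = None
        if None not in (r.asset_value, r.exposure_factor, r.aro):
            ale = annual_loss_expectancy(r.asset_value, r.exposure_factor, r.aro)
        rows.append({"ref": r.ref, "description": r.description,
                     "business_area": r.business_area, "owner": r.owner,
                     "score": score, "rating": rating(score), "ale": ale,
                     "controls": r.controls})
    return sorted(rows, key=lambda row: (-row["score"], -(row["ale"] or 0.0)))


# Constructed sample register (fictitious risks and figures).
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware on the file server", "Operations", "Head of IT",
         "major", "possible", controls="Offline backups; EDR",
         asset_value=500_000, exposure_factor=0.4, aro=0.2),
    Risk("R2", "Loss of laptop holding unencrypted customer data", "Sales", "Sales Director",
         "moderate", "likely", controls="Asset register",
         asset_value=50_000, exposure_factor=1.0, aro=2.0),
    Risk("R3", "Flooding of the data centre", "Facilities", "Facilities Manager",
         "severe", "rare", controls="Raised floor; DR site",
         asset_value=2_000_000, exposure_factor=0.5, aro=0.02),
    Risk("R4", "Phishing leading to credential theft", "All", "CISO",
         "major", "almost certain", controls="Awareness training"),  # qualitative only
]

if __name__ == "__main__":
    for row in risk_profile(SAMPLE_REGISTER):
        ale = f"{row['ale']:,.0f}" if row["ale"] is not None else "n/a"
        print(f"{row['ref']} {row['rating']:6} score={row['score']:2} ALE={ale:>8} "
              f"{row['business_area']}/{row['owner']}: {row['description']}")
```

Running it lists R4 first (major x almost certain = 20, high) even though it has no quantitative data, then R2 ahead of R1 because both score 12 but R2's ALE (100,000) exceeds R1's (40,000), and R3 last at a score of 5 despite its severe consequence. The input checks on exposure factor and ARO matter in practice: a register imported from a spreadsheet with a percentage typed as 40 rather than 0.4 would otherwise inflate an ALE a hundredfold and silently reorder the profile.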
The Security Practitioner: An Introduction to Information Security