Objectives
The objective of performing risk management is to enable the organization to accomplish its missions:
(1) by better securing the IT systems that store, process, or transmit organizational information;
(2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and
(3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.
Risk identification: determining which risks are likely to affect a project and documenting the characteristics of each.
Risk analysis: prioritizing risks based on their probability of occurrence and their impact.
Risk planning: taking steps to enhance opportunities and reduce threats to meeting project objectives.
Risk monitoring and control: monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project.
Risk Identification
Risk identification is the process of understanding what potential events might hurt or enhance a particular project.
Risk identification tools and techniques include:
SWOT analysis
Risk Analysis
Assess the likelihood and impact of each identified risk to determine its magnitude and priority.
Risk quantification tools and techniques include:
Risk-level matrices
Risk-Level Matrix
A risk-level matrix (or chart) places the relative probability of a risk occurring on one axis and the relative impact if it does occur on the other; each cell of the matrix is then assigned a risk level (for example Low, Medium or High) that sets the priority for treatment.
Quantitative Techniques
Sensitivity analysis determines the effect on the whole project of changing one of its risk variables, such as a delay in design or the cost of materials, while holding the others fixed.
Probabilistic analysis specifies a probability distribution for each risk and then considers the effect of the risks in combination. This is perhaps the most common method of performing a quantitative risk analysis.
Influence diagrams are a relatively new technique for risk analysis. They provide a powerful means of constructing models of the issues in a project that are subject to risk.
Decision trees are another graphical method of structuring models. They bring together the information needed to make project decisions and show the present possible courses of action and all future possible outcomes.
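The following is an added example (not code from the original lecture) that puts the risk-level matrix and two of the quantitative techniques above into one script: a qualitative likelihood x impact scoring, an analytic expected annual loss, a sensitivity analysis that varies a single risk variable, and a Monte Carlo probabilistic analysis that draws every risk from its own distribution and combines them per trial. The scale values (likelihood 1.0/0.5/0.1, impact 100/50/10) and the Low/Medium/High bands follow NIST SP 800-30 (2002); the page itself gives no numbers. The risk register, annual probabilities and loss ranges are constructed for illustration.

```python
"""Risk-level matrix scoring and a probabilistic (Monte Carlo) risk analysis.

Added example, not from the original page. Scale values and bands follow
NIST SP 800-30 (2002); the register, probabilities and loss ranges below
are constructed (hypothetical) values.
"""
import random
from copy import deepcopy
from dataclasses import dataclass

# Qualitative scales: likelihood 1.0 / 0.5 / 0.1, impact 100 / 50 / 10.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(likelihood: str, impact: str) -> str:
    """Band the likelihood x impact product: >50 High, >10 Medium, else Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: str   # qualitative rating used by the matrix
    impact: str
    p_annual: float   # quantitative: probability the event occurs in a year
    loss_low: float   # loss if it occurs, modelled as uniform over [low, high]
    loss_high: float


def build_register() -> list:
    """Constructed sample register (hypothetical values)."""
    return [
        Risk("Unpatched web server exploited", "High", "High", 0.50, 20_000, 100_000),
        Risk("Backup media lost in transit", "Medium", "High", 0.10, 50_000, 200_000),
        Risk("Laptop theft", "High", "Low", 0.80, 1_000, 5_000),
        Risk("Data-centre fire", "Low", "High", 0.01, 500_000, 1_000_000),
    ]


def prioritize(register: list) -> list:
    """Qualitative analysis: rank risks by matrix level, High first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rated = [(r.name, risk_level(r.likelihood, r.impact)) for r in register]
    return sorted(rated, key=lambda t: order[t[1]])


def expected_annual_loss(register: list) -> float:
    """Analytic expected annual loss: sum of p * mean loss over the register."""
    return sum(r.p_annual * (r.loss_low + r.loss_high) / 2 for r in register)


def sensitivity(register: list, name: str, p_annual: float) -> float:
    """Sensitivity analysis: change one risk variable (here the annual
    probability of one risk), hold the rest fixed, and return the new
    expected annual loss for the whole register."""
    varied = deepcopy(register)
    for r in varied:
        if r.name == name:
            r.p_annual = p_annual
    return expected_annual_loss(varied)


def simulate_annual_loss(register: list, trials: int = 20_000, seed: int = 1) -> dict:
    """Probabilistic analysis: per trial, decide whether each risk occurs and
    draw its loss from its own distribution, then combine them. The result
    is a distribution of total annual loss rather than a single number."""
    rng = random.Random(seed)   # seeded so runs are reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in register:
            if rng.random() < r.p_annual:
                total += rng.uniform(r.loss_low, r.loss_high)
        totals.append(total)
    totals.sort()
    return {
        "mean": sum(totals) / trials,
        "p90": totals[int(0.9 * trials) - 1],   # 90th-percentile annual loss
        "max": totals[-1],
    }


if __name__ == "__main__":
    reg = build_register()
    for name, level in prioritize(reg):
        print(f"{level:6}  {name}")
    print("expected annual loss:", expected_annual_loss(reg))
    print("if exploitation probability rises to 0.9:",
          sensitivity(reg, "Unpatched web server exploited", 0.9))
    print("Monte Carlo:", simulate_annual_loss(reg))
```

The matrix ranks the unpatched web server highest and the data-centre fire lowest, while the probabilistic analysis shows why a qualitative ranking alone can mislead: the fire contributes a sizeable share of the expected loss and dominates the tail of the simulated distribution, which is the kind of combined effect the sensitivity and Monte Carlo steps are meant to surface.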
Risk Mitigation
Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process.
Risk mitigation can be achieved through any of the following options:
Risk assumption: accept the potential risk and continue operating, or implement controls that lower the risk to an acceptable level.
Risk avoidance: eliminate the risk cause or consequence, for example by forgoing a function of the system.
Risk limitation: implement controls that minimize the adverse impact of a threat exercising a vulnerability.
Research and acknowledgment: acknowledge the vulnerability and research controls to correct it.
Risk transference: shift the risk to another party, for example by purchasing insurance.
In most organizations, system components change and software applications are replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time.
These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus there is a need for ongoing risk evaluation and assessment.
In implementing recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls, or a combination of them, to maximize the effectiveness of controls for their IT systems and organization.
Failure Mode and Effects Analysis (FMEA) is a structured, proactive technique to identify the ways in which a product or process can fail and to prevent such failure.
It is a systematic technique for analyzing potential failure modes and assisting in mitigating them: it anticipates failure and studies its causes and effects.
The power of FMEA is four-fold. Firstly, all FMEA artifacts are dynamic, living documents; continuous improvement and risk-level reduction drive FMEA. Secondly, the technique identifies the high-priority "vital few" risks because, in real life, not all problems are equally important. Thirdly, FMEA is customer-oriented, although the customer representative may not be an end user. Fourthly, FMEA offers an audit trail, i.e. a well-documented record of the improvements arising from the corrective actions implemented.
In sum, FMEA gives one a mechanism to document and monitor all data elements required to meet business drivers.
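As an added example (not code from the original lecture or its references), the script below keeps a small FMEA worksheet for a web application, scores each failure mode with a risk priority number, picks out the "vital few" above a threshold, and records corrective actions as an audit trail so the worksheet behaves as the living document described above. The 1 to 10 severity, occurrence and detection scales and RPN = severity x occurrence x detection are the conventional FMEA scoring; the page does not give numbers. The failure modes, ratings and threshold are constructed for illustration.

```python
"""FMEA worksheet with risk priority numbers (RPN) and an audit trail.

Added example, not from the original page. The 1..10 scales and
RPN = S x O x D are conventional FMEA scoring; the failure modes and
ratings below are constructed (hypothetical) values.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FailureMode:
    item: str
    mode: str
    effect: str
    cause: str
    severity: int     # 1 = no effect .. 10 = hazardous (safety, legal, business-ending)
    occurrence: int   # 1 = remote .. 10 = almost inevitable
    detection: int    # 1 = current controls will certainly catch it .. 10 = undetectable
    history: list = field(default_factory=list)   # audit trail of corrective actions

    def rpn(self) -> int:
        """Risk priority number; rejects ratings outside the 1..10 scale."""
        for v in (self.severity, self.occurrence, self.detection):
            if not 1 <= v <= 10:
                raise ValueError("FMEA ratings must be between 1 and 10")
        return self.severity * self.occurrence * self.detection


def build_worksheet() -> list:
    """Constructed sample worksheet (hypothetical ratings)."""
    return [
        FailureMode("Login service", "Password hashes leaked", "Mass account takeover",
                    "Unsalted MD5 hashes in database", severity=9, occurrence=4, detection=7),
        FailureMode("TLS termination", "Certificate expires", "Site outage, users see warnings",
                    "No renewal monitoring", severity=6, occurrence=5, detection=8),
        FailureMode("Backup job", "Backup silently fails", "Data loss at restore time",
                    "Success never verified by test restore", severity=8, occurrence=3, detection=9),
        FailureMode("Log pipeline", "Events dropped", "Gaps in forensic timeline",
                    "Collector disk fills", severity=4, occurrence=3, detection=3),
    ]


def vital_few(worksheet: list, threshold: int = 100) -> list:
    """The high-priority modes: RPN at or above the threshold, highest first."""
    return sorted((m for m in worksheet if m.rpn() >= threshold),
                  key=lambda m: m.rpn(), reverse=True)


def apply_action(mode: FailureMode, action: str,
                 occurrence: Optional[int] = None,
                 detection: Optional[int] = None) -> int:
    """Record a corrective action, re-score, and append to the audit trail.
    Severity is left unchanged: a corrective action normally lowers how often
    the cause occurs or how early it is detected, not how bad the effect is."""
    before = mode.rpn()
    if occurrence is not None:
        mode.occurrence = occurrence
    if detection is not None:
        mode.detection = detection
    mode.history.append({"action": action, "rpn_before": before, "rpn_after": mode.rpn()})
    return mode.rpn()


if __name__ == "__main__":
    ws = build_worksheet()
    print("vital few:", [(m.mode, m.rpn()) for m in vital_few(ws)])
    apply_action(ws[0], "Migrate to bcrypt, rotate credentials, alert on bulk table reads",
                 occurrence=2, detection=3)
    print("after action:", [(m.mode, m.rpn()) for m in vital_few(ws)])
    print("audit trail:", ws[0].history)
```

Re-running `vital_few` after each action is what makes the worksheet a living document: the leaked-hash mode drops from the top of the list once its occurrence and detection ratings improve, while the certificate and backup modes remain the next targets, and the `history` entries give the documented record of improvement that the audit-trail property refers to.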