Risk Analysis Tools

Qualitative — A simplified process of identifying the major threats to which an enterprise is exposed.
For example, if one's IT enterprise is located within "tornado alley," there is an implied threat of a
tornado occurring that could subsequently cause an impact to assets or processes? Further, if the assets
or processes are located in a hardened facility, then the actual vulnerability to the threat of a tornado
could be mitigated or dramatically reduced. Basically, one must qualify which risks are worth
protecting against. This process is more intuitive and generally can be accomplished in an abbreviated
fashion by answering three basic questions:

1. What could happen?

2. How likely is it to occur?
3. What is the impact?

The first stage of a risk analysis is to identify threats facing you. Threats may be:

• Human - from individuals or organizations, illness, death, etc.

• Operational - from disruption to supplies and operations, loss of access to essential assets,
failures in distribution, etc.
• Reputational - from loss of business partner or employee confidence, or damage to
reputation in the market.
• Procedural - from failures of accountability, internal systems and controls, organization,
fraud, etc.
• Project - risks of cost over-runs, jobs taking too long, of insufficient product or service
quality, etc.
• Financial - from business failure, stock market, interest rates, unemployment, etc.
• Technical - from advances in technology, technical failure, etc.
• Natural - threats from weather, natural disaster, accident, disease, etc.
• Political - from changes in tax regimes, public opinion, government policy, foreign influence,
etc.
• Others - Porter's Five Forces analysis may help you identify other risks.
 • SWOT Analysis
• Task Analysis

Risk may be managed in a number of ways:

• By using existing assets:

Here existing resources can be used to counter risk. This may involve improvements
to existing methods and systems, changes in responsibilities, improvements to
accountability and internal controls, etc.
 • By contingency planning:
You may decide to accept a risk, but choose to develop a plan to minimize its effects
if it happens. A good contingency plan will allow you to take action immediately,
with the minimum of project control if you find yourself in a crisis management
situation. Contingency plans also form a key part of Business Continuity Planning
(BCP) or Business Continuity management (BCM).

• By investing in new resources:

Your risk analysis should give you the basis for deciding whether to bring in
additional resources to counter the risk. This can also include insuring the risk: Here
you pay someone else to carry part of the risk - this is particularly important where
the risk is so great as to threaten your or your organization's solvency.

Quantitative — Today's risk management requires a direct correlation to the value of the assets that
require protection. Organizations increasingly want to know what the cost/benefit is to protecting an
asset or process. CFOs also want to know what the return on investment (ROI) is for investing in risk
reduction/mitigation strategies. To find this information, an advanced risk analysis technique, known
as a quantitative approach, is used to provide statistical insight to risk prediction and impact. This
method requires that one establish a monetary value for the assets and processes, estimate the
probability of a threat occurring, and determine the ROI for implementing safeguards to reduce the
impact caused by that threat occurring.

Using the previous example of an enterprise's location in tornado alley, one would examine the threat
further by researching the threat frequency to determine the probability of occurrence. So
qualitatively one knows that an asset is worth US $1 million and that a tornado could occur at some
point in the future. Now quantitatively it is determined through research that tornadoes only occur
once every two years within the enterprise's proximal risk zone.1 This yields annualized frequency
expectancy (AFE) of .5. Additionally, because the asset is located in a hardened facility, the impact of
a tornado would be less than 100 percent. For this example, a 20 percent loss will be assumed.
Qualitatively and quantitatively, all the necessary data are available to produce a credible risk
assessment statement.

The results would be expressed in the following manner:

(X) Threat: (Y) Single Frequency (Z) Annual Rate of Annual Expectancy
AssetValue: Expectancy (SLE): Occurrence: Occurrence: (ALE):
US $1million Tornado 20% or US Once every two 0.5 US $100,000
$200,000 years
The calculation would look like this:
(X) $1,000,000 x (Y) 20% = $200,000 x (Z) .5 = $100,000
Process

1. Risk Identification
2. Analysis
a. SWOT
b. Porter’s Model
c. Task Analysis
d. Quantitative Risk Analysis
3. Risk Management documentation
a. Contextual Information
b. Risk Register
i. Serial Number
ii. Risk description
iii. Impact
iv. Consequence Rating
v. Likelihood Rating
vi. Level of Risk
vii. Risk Priority
viii. Treatment Options
4. Risk Treatment Process
a. Internal resources
b. External resources
c. Cleaning Procedure
d. Review

Risk management plan – part 1 (contextual information)

Introduction of an online ordering and purchase

Brief description of system into Fresh Flowers for You. It is expected
activity that the online ordering in the first 12 months will
account for 10–20% of overall income

Reason for activity or New initiative, looking to expand and grow the
task business
1. To introduce secure ordering and purchasing
online 2. To minimise exposure to fraud and other
security risks 3. To maximise customer confidence
Objectives
in the use of the system

Significance/ Medium to high – currently are unable to keep up

importance of activity with client demands
 1. Commonwealth and State legislation, including:
References required •copyright •privacy •trade practices and consumer
(e.g. regulations, protection •spam •cybercrime. 2. IT security
policies) guidelines

The information contained within the references is

Assumptions
true and correct at time accessed

Limitations 1. Budget 2. Expertise available

Risk management plan – part 2 (risk register)

Risk dimension:
Risk dimension: security Risk dimension: financial
legal/compliance
Serial no. 1 2 3
Risk description Cybercrime, including Costs associated with Breach of regulations within e-
virus damage, identity online transactions business legislation
theft, spyware, general outweigh benefits
fraud associated with initiative

Impact Direct financial loss, Direct financial loss due to Possible fine and/or legal
reputation damage, increased fees Customer prosecution
equipment damage, loss due to increased
system unavailability costs

Consequence Significant Moderate Moderate

Likelihood Likely Likely Possible
Level of risk Extreme High Moderate
Risk priority 1 2 3
Treatment options 1. Update anti-virus Develop business case to 1. Review all legislation 2.
software and check identify impact of Consult solicitor to seek advice
firewall viability 2. Review increased fees 3. Develop and test
requirements to ensure compliance policies and
secure online banking 3. procedures
Develop and test security
policies 4. Develop
disaster recovery plan
Risk management plan – part 3 (risk treatment plan)
Serial no. 1 2
Treatment strategy 1. Update anti-virus
software and check
firewall viability 2. Review
requirements to ensure
secure online banking 3.
Develop and test security
policies 4. Develop
disaster recovery plan
3
Develop business case to 1. Review all legislation 2.
identify impact of Consult solicitor to seek advice
increased fees 3. Develop and test
compliance policies and
procedures

Resources required 3 days allocated to 5 days allocated to complete

Security guidelines 5 days complete
allocated to complete

Priority rating 1 2 3

Person responsible Business owner Business owner Business owner

Deadline <date> <date> <date>

Strategy for review Test security policies Survey customers Review Consult solicitor to review
Engage an IT security impact against weekly policies and procedures
specialist to review income every week for Implement a review of
systems three months legislation every three months

RMP compiled by: Business owner

Structured brainstorming with staff; discussion with software developer; consultation with
Risk methodology:
previous users
Risk analysis tool: Risk matrix developed for the context
Signature:
Annual Business Risk Profile

Brief description of business

Vision and mission of business

Context

External context Internal context Risk management context

Determine: •key external influences on your business, e.g. political, social, legal •key internal
influences, e.g. organisational objectives • risk management context, e.g. risk management
requirements, objectives, timeframes.

Stakeholders

Internal stakeholders External stakeholders

Risk categories Risk criteria

1. Identify the categories of risk for your business 1. For each risk category, document what is
an acceptable risk level for the activity and
what is unacceptable
2. 2.

3. 3.

4. 4.

5. 5.

Key objectives Major risks / opportunities Level of risk

1.

2.

3.