Risk Management Methods and Frameworks Part III

Risk Management as a Continuous Process

Risk management is a continuous process. That is, identifying risks only once during a project is insufficient. The idea of "crossing off" a particular stage once it has been executed and never doing those activities again is incorrect. Though the five stages are represented in a particular serial order, they may need to be applied over and over again throughout a project, and their particular ordering may be interleaved in many different ways.

Risk management should be a continuous and developing process which runs throughout the organization's strategy and the implementation of that strategy. It should methodically address all the risks surrounding the organization's activities: past, present and, in particular, future.

It must be integrated into the culture of the organization with an effective policy and a program led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organization with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

The Risk Management Frameworks

Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge. Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • The National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)
  • Threat Agent Risk Assessment (TARA)
  • ISO/IEC 27005
  • CCTA Risk Analysis Management & Methodology (CRAMM)

Here's a look at these key frameworks and some of their strengths and weaknesses, with emphasis on input from those who have used them in real-world settings. The information is indicative only and does not suggest that these frameworks are the only or the best ones. In many cases people have also used a hybrid of two, and sometimes three, of these frameworks to manage their risks. What makes that a valuable technique is the simultaneous use of qualitative and quantitative frameworks, combining their results to reach the best possible outcome.

Risk Management Methods and Frameworks Part II (continued)

3. Analyze risks

Identify the controls (currently in place) that deal with the identified risks and assess their effectiveness. Based on this assessment, analyse the risks in terms of likelihood and consequence. Refer to the Risk Matrix to assist you in determining the level of likelihood and consequence, and the current risk level (a combination of likelihood and consequence). Large numbers of risks will be apparent in almost any given system. Identifying these risks is important, but it is the prioritization of these risks that leads directly to creation of value. Synthesis and prioritization should be driven to answer questions such as "What shall we do first given the current risk situation?" and "What is the best allocation of resources, especially in terms of risk mitigation activities?" Clearly, the prioritization process must take into account which business goals are the most important to the organization, which goals are immediately threatened, and how likely technical risks are to manifest themselves in such a way as to impact the business. This stage creates as its output a list of all the risks and their appropriate priority for resolution. Typical risk metrics include, but are not limited to, risk likelihood, risk impact, risk severity, and number of risks emerging and mitigated over time.

The analysis stage assigns each risk a significance rating taking into account any existing factors which will operate to control the risk. For simple risk statements, where the risk can be expressed as an uncertain event, this can be accomplished with qualitative impact and likelihood scales and a matrix defining the significance of various combinations of these. Where risks are complex in themselves, possibly involving several related events and influences, some form of modelling may be necessary. No matter how risks are described in detail, the outcome of this stage is an initial view of the significance of the identified risks. It is recognised that, particularly with simple scoring schemes, risks can be honestly assigned too high or too low a significance on the first pass. The next stage is designed to review this assignment and adjust it where necessary.

4. Evaluate risks

This stage of the risk assessment process determines whether the risks are acceptable or unacceptable. This decision is made by the person with the appropriate authority. A risk that is determined as acceptable should be monitored and periodically reviewed to ensure it remains acceptable. A risk deemed unacceptable should be treated. In all cases the reasons for the assessment should be documented to provide a record of the thinking that led to the decisions. Such documentation will provide a useful context for future risk assessment. Where there are only a few risks at work, the evaluation stage might be relatively lightweight. However, in complex situations and where there are many risks to consider, it is a crucial step towards achieving an agreed view of the relative importance of the identified risks. Evaluation takes the initial analysis and reviews it against the organisation's known priorities and requirements. Any risks which have been accorded too high or too low a significance are adjusted, with a record of the fact being retained for tracing purposes. It is common to find a large number of minor risks being identified, and during evaluation these can be removed from the process, after due consideration. This screening avoids the process being bogged down by the sheer volume of information it can generate.

5. Determine the treatments for the risks

Treatment strategies will be directed towards:

a) Avoiding the risk by discontinuing the activity that generates it (rarely an option when providing services to the public),
b) Reducing the likelihood of the occurrence,
c) Reducing the consequences of the occurrence,
d) Transferring the risk, and
e) Retaining the risk.

Potential treatment options are developed according to the selected treatment strategy. The selection of the preferred treatment options takes into account factors such as cost and effectiveness. The determination of the preferred treatments also includes the documentation of implementation details (e.g. responsibilities, a timetable for implementation and monitoring requirements). The intention of these risk treatments is to reduce the risk level of unacceptable risks to an acceptable level (i.e. the target risk level). Use the Risk Matrix to determine the expected reduction in level of risk (expected consequence, likelihood and target risk level) resulting from the successful implementation of the treatment. Given a set of risks and their priorities from stage three, the next stage is to create a coherent strategy for mitigating the risks in a cost-effective manner. Any suggested mitigation activities must take into account cost, time to implement, likelihood of success, completeness, and impact over the entire corpus of risks. A risk mitigation strategy must be constrained by the business context and should consider what the organization can afford, integrate, and understand.

Risk treatment consists of determining what will be done in response to the identified risks. Any plans which were in place before the risk management process began are augmented with measures to deal with risks before they arise and contingency plans with which to recover if a risk comes to pass. In addition to these supplementary plans, treatment might also include alteration of the base plans of an organisation. Occasionally the best way to treat a risk might be to adopt an alternative strategy altogether, to avoid a risk or make the organisation less vulnerable to its consequences. There is a final step in the risk management process that is not always identified as a step of the process itself; it is more of a continuous step that joins and maintains the others. Some methodologies, though, treat it as a formal step of the whole process.
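The following is an added worked example (not code from the original article) that carries stages 3 to 5 through a small constructed risk register: it scores each risk on a Risk Matrix, evaluates it against a risk appetite, and computes the target risk level expected from the chosen treatment strategy (a to e above). The 5-point scales, the acceptability threshold of 6, and the sample risks are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 5-point qualitative scales for the Risk Matrix (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_MAX = 6  # assumed risk appetite: a level above 6 is unacceptable and must be treated
TREATMENTS = ("avoid", "reduce_likelihood", "reduce_consequence", "transfer", "retain")


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    treatment: str = "retain"
    # Expected position on the matrix once the treatment has been implemented (stage 5).
    target_likelihood: Optional[str] = None
    target_consequence: Optional[str] = None


def risk_level(likelihood: str, consequence: str) -> int:
    """Risk Matrix cell: likelihood score multiplied by consequence score (stage 3)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(r: Risk) -> str:
    """Stage 4: compare the current level with the risk appetite."""
    return "acceptable" if risk_level(r.likelihood, r.consequence) <= ACCEPTABLE_MAX else "unacceptable"


def target_level(r: Risk) -> int:
    """Stage 5: 'avoid' stops the activity (level 0); 'retain' keeps the current level;
    the other strategies use the stated target likelihood/consequence."""
    if r.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {r.treatment!r}")
    if r.treatment == "avoid":
        return 0
    lik = r.target_likelihood or r.likelihood
    con = r.target_consequence or r.consequence
    return risk_level(lik, con)


def prioritise(register: list) -> list:
    """Output of stage 3: (name, current level, evaluation, target level, target acceptable?)
    ordered for resolution with the highest current level first."""
    rows = [(r.name, risk_level(r.likelihood, r.consequence), evaluate(r),
             target_level(r), target_level(r) <= ACCEPTABLE_MAX) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (illustrative, not real data).
REGISTER = [
    Risk("unpatched public web server", "likely", "major", "reduce_likelihood", target_likelihood="unlikely"),
    Risk("laptop theft with unencrypted disk", "possible", "major", "reduce_consequence", target_consequence="minor"),
    Risk("data-centre fire", "unlikely", "severe", "transfer", target_consequence="moderate"),
    Risk("printer outage", "possible", "negligible"),
]
```

The final column flags treatments whose expected target level still exceeds the appetite, which is the case the text describes for revisiting the treatment choice rather than accepting the residual risk.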

Monitoring and review

There are two levels to the monitoring and review step of the process. The outputs of the other five steps should be monitored and reviewed as time progresses. The original assessment might be out of date if variables in the environment change. However, it is not necessary to run the whole process over and over again; only the steps required to reflect the changes need to be repeated. The second level concerns the process that produces those outputs: the execution of the risk management process absorbs resources and must be managed to ensure it is cost-effective.