3.1.1 Risk Assessment
Risk assessment “is the process activity that includes risk identification, risk analysis and risk evaluation” 61. The process of risk assessment is “the process of determining which risks should be addressed and how they should be addressed” 73. By identifying specific threats to business operations and measuring each one’s probability of occurrence, specific methodologies can be applied to justify the budget to find avoidance controls 4. Both business risk and information technology-specific risk must be addressed using the same methodology, only the details will differ. We can use the following equation to define risk as well:
Risk = Threat + (Likelihood + Vulnerability) + Impact
As per the 62 risk can be assessed at an organizational level, at a departmental level, for projects, individuals, activities or specific risks. Different tools and techniques may be appropriate in different contexts. While assessing risks, it is important to consider all critical elements affecting an organization. Such factors as determining critical information systems , establishing recovery priorities and identifying target recovery times for each application need to be taken into account 74 16 75. Risk assessment provides an understanding of risks, their causes, consequences and their probabilities. This providers input to decisions about:
1. Where an activity should be undertaken
2. How to maximize opportunities
3. Whether risks need to be treated,
4. Choosing between options with different risks.
5. Prioritizing risk treatment options
6. The most appropriate selection of risk treatment strategies that will bring adverse risks to tolerable level.
Risk assessment typically focuses on potential business exposure 76. The ultimate objective of the risk assessment phase is to provide management with necessary information to further evaluate – or analyze – each identified threat 67. Risk assessment must be conducted within the first phases of the implementation cycle to systematically assess the potential impacts of all unexpected events to the organization 54.
3.1.2 Risk identification
Risks can be classified in a number of ways. Whatever typology is used to categories risks it is important to start with an exhaustive list 43, 77. Risks can be broadly separated into those which are naturally occurring and those which are the result of artificial, man-made events. Naturally occurring risks can in turn be divided into those which are generated by meteorological or geophysical conditions and those which are generated by organic entities. Artificial risks can be divided into those which are generated accidentally and those which are the result of an intentional and generally malicious act. The enterprise should create a risk register and any assessments and mitigation strategies associated with them. This will help to ensure a consistency of approach across projects within the programmed as well as saving time and effort in arriving at credible measurements of risk. 36, argue that to identify sources of risks, the goal is to develop a comprehensive list of material risks they might impact the achievements of objectives. These risks could relate to events that might create or prevent an objectives, enhance or degrade that objectives, or accelerate or delay achieving the objectives. It is important not to limit risks to those under the control of the organization.
It is also important that the list be sufficiently comprehensive to have reasonable confidence that all key risks are included, while identified risks can be deleted at future steps in the process if not deemed significant, they cannot be considered if not first identified in this step. In considering risks, it is essential to consider those coming from both inside and outside the organization, it may be helpful to consider the following in identifying potential sources of risks: mission, stakeholders, products or services, strategic, operational, financial and interested parties 36. For 70, suggest a systems thinking approach for risk identification that includes assessment on the organizational value chain, the relationship among its components in the business model and a taxonomy category to analyze those relationships 70.
The recearscher concludes that a risk identification systems thinking approach can aim organization accomplish their objectives by providing a holistic perspective for event identification and by creating a framework for event identification based on a model that emphasize interaction among the components of a value system.
On the other hand, 78 proposes a temporal hierarchy for risk identification that considers how risk emerges, materializes and evolve as business activities progress over time. A hierarchical view of emerging risk provides a framework for identifying the conditions under secondary risks can evolve. While risk categorization helps decision makers to agree on a common language, the researcher considers that risk categorization reinforce placing risks on silos thus hindering co-operation between business areas. A hierarchy approach to risk identification breaks down risk causes and risk effects and derives from a general perspective into a more detailed description of identified risks. This method explores risk identification process based on risk relationships, evolution of risk and the movement of risk experienced overtime 78.
3.1.3 Risk analysis
Risk analysis is the second step in risk assessment, in which an understanding of the risk is developed. Analysis includes understanding the causes of the risks, possible positive and negative consequences should the risk turn into an event, and the likelihood of the risk actually transitioning into an event, and the likelihood of the risk actually into an event with positive or negative impacts 36. 79 Describe risk analysis “the combination of knowledge about risk-related phenomena, processes, events, etc. and the application of concepts, theories, frameworks, approaches, principles, methods, and models to understand, assess, characterize, communicate, and manage risk”.
On a global scale, risk analysis gathers data and synthesize information to develop an understanding of each identified risk and the activities associated with them. It involves making a decision about how to assess each risk, how to rank risks and how to promote consensus within the different organizational actors 80. For 62, “defines that risk analysis is about developing an understanding of the risk”. It provides an input to risk assessment and to decision about whether risks need to be treated and about the most appropriate treatment strategies and methods.
Risk analysis consist of determining the consequences and their probabilities for identified risk events, taking into account the presence (or not) and the effectiveness of any existing controls. The consequences and their probabilities are then combined to determine a level of risk.
Risk analysis involves consideration of the causes and sources of risk, their consequences and the probability that those consequences can occur. Factors that affect consequences and probability should be identified. An event can have multiple consequences and can affect multiple objectives.
Risk analysis normally includes an estimation of the range of potential consequences that might arise from an event, situation or circumstance, and their associated probabilities, in order to measure the level of risk. However in some instances, such as where the consequences are likely to be insignificant, or the probability is expected to be extremely low, a single parameter estimate may be sufficient for a decision to be made. In some circumstances, a consequence can occur as a result of a range of different events or conditions, or where the specific event is not identified. In this case, the focus of risk -assessment is on analyzing the importance and vulnerability of components of the system with a view to defining treatments which relate to levels of protection or recovery strategies. Methods used in analyzing risks can be qualitative, semi-quantitative or quantitative. The degree of detail required will depend upon the particular application, the availability of reliable data and the decision-making needs of the organization. Some methods and the degree of detail of the analysis may be prescribed by legislation.
Risk analysis and risk evaluation can be qualitative, quantitative or a combination of both depending on the enterprise approach to risk management 80.
Qualitative assessment in 62
defines consequence, probability and level of risk by significance levels such as “high”, “medium” and “low”, may combine consequence and probability, and evaluates the resultant level of risk against qualitative criteria. Semi-quantitative methods use numerical rating scales for consequence and probability and combine them to produce a level of risk using a formula. Scales may be linear or logarithmic, or have some other relationship; formulae used can also vary.