Risk Analysis Mitigation

Certification: Cisco CCIE Routing and Switching - Cisco Certified Internetwork Expert Routing and Switching


By Sherry G. Holland

Risk is the possibility that something unpleasant or harmful could happen. Risk analysis is the technique used to identify and assess the factors that could jeopardize the success of a goal or a project. During the risk analysis investigation, the components causing the risk may be found to be either external or internal. Whether internal or external, the process of risk analysis is a component of risk management.

Risk analysis involves several steps, and the first step is the identification of potential threats. These threats could be associated with individuals who use computers inappropriately or incorrectly, thereby creating security risks. Risk can also come from projects that are not completed in a timely manner or not within the planned scope; either can prove significant in cost.

In order to study the identified risk, a quantitative and/or qualitative risk analysis is performed. Quantitative risk analysis measures the expected probability of an identified risk in order to forecast the estimated financial loss from it. This process is completed by reviewing the threats and then establishing and determining risk mitigation solutions and methods. A contingency plan may also be prepared during the risk analysis; if the risk materializes, the contingency plan can help minimize the damage.

Information security professionals view risk analysis as the process used to determine the level of security appropriate for a system or an environment. There are three risk-analysis techniques:

  • Sensitivity analysis determines how sensitive the net present value (NPV) analysis is to changes in the variable assumptions.
  • Scenario analysis takes sensitivity analysis a step further and looks at the probability distribution of the variables.
  • Monte Carlo simulation is considered the best method of sensitivity analysis.

Risk Identification

For risk identification, there are many tools and techniques one can use. Information gathering techniques include brainstorming, the Delphi technique, interviewing and root cause analysis. In the Delphi technique, a facilitator distributes a questionnaire to the experts; the responses are summarized and re-circulated to the experts for additional comments. This technique is used to reach a consensus among the experts and to obtain unbiased data, ensuring that no one individual has undue influence on the results. Root cause analysis identifies the problem, researches the cause that led to it, and develops a plan of action to prevent it in the future.

Other techniques include checklist analysis and assumption analysis, which might reveal an inconsistency in the assumptions or uncover a problematic assumption. Another example is using diagramming techniques: cause and effect diagrams, process or system flow charts, and influence diagrams that give a graphical representation of a situation, showing the relationships among variables and outcomes or the causal influences between them.

Another technique is performing a SWOT (strengths, weaknesses, opportunities and threats) analysis. The SWOT analysis looks at the strengths and weaknesses of the organization and the external threats and opportunities it faces, laid out on a chart so the strategy can be examined closely. The last technique is expert judgment, meaning individuals who have experience with projects similar to this one apply their judgment through risk facilitation workshops or interviews to understand the process.

Risk Analysis

Risk analysis also has a set of tools and techniques that can be used: risk probability and impact assessment, the probability and impact matrix, risk categorization, risk urgency assessment and expert judgment.

The risk probability and impact assessment investigates the probability of a specific risk occurring and the possible effects it can have on the objectives. Examples include schedule, cost, quality or performance risk, covering both the negative effect of a threat and the positive effect of an opportunity. Risks are defined in levels through meetings or interviews with the appropriate stakeholders, and the results are documented. A probability and impact matrix rates each risk for additional quantitative analysis; the organization should specify the rating rules in advance.

Risk categorization looks at risks that, once exposed, could become major problems. Risks should be grouped by common root causes so that effective risk responses can be developed. The technique of risk urgency assessment can be combined with the probability and impact matrix to give the final rating. Expert judgment involves people who have experience with similar projects and who apply their judgment through risk facilitation workshops or interviews.

Techniques and Tools for Quantitative Risk Analysis

One of the most important steps among the techniques and tools for quantitative risk analysis is the data gathering and representation technique. During interviews, the aim is to determine the most likely scenarios, ranging from optimistic (low) to pessimistic (high). Continuous probability distributions are also gathered to model, simulate and represent uncertain values such as the duration of tasks or project work packages or the cost of components; quantitative analysis may use these distributions. Discrete distributions can be used to represent uncertain events (a possible scenario or a test in a decision tree outcome).

Quantitative modeling techniques and risk analysis are normally used for event-oriented and project-oriented analysis. Sensitivity analysis is used to determine which risk might have the greatest potential impact on the project, by looking at how varying the inputs of the mathematical model affects its output. Expected monetary value (EMV) analysis uses a statistical concept to calculate the average outcome when the future includes scenarios that may or may not happen; a risk is represented as a negative value and an opportunity as a positive value. This process is generally used together with decision tree analysis. Modeling and simulation use a model to translate the specific detailed uncertainties of the project into their potential impact on the project objectives; an example is Monte Carlo simulation, which works iteratively.

Other techniques include cost risk analysis, in which the cost estimates are used as the input values. In each iteration a value is chosen randomly for each estimate, based on its probability distribution, and the total cost is calculated. Another technique is schedule risk analysis, in which the duration estimates and network diagrams are used as the input values. The last technique is expert judgment, which is used to identify potential cost and schedule impact, to evaluate probabilities, to interpret data, to define when a specific tool is more appropriate, to identify the strengths and weaknesses of the tools, and to consider the organization's structure and capabilities, to name a few uses.
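As an added worked example (not part of this article), the EMV calculation, the Monte Carlo cost risk analysis over three-point (optimistic, most likely, pessimistic) cost estimates described above, and the contingency reserve check from the reserve analysis section later in the article, in Python; all work packages, risk events and money values are constructed sample data, not figures from the text.

```python
import random

# Constructed sample inputs (not from the article): three-point cost estimates
# (optimistic, most likely, pessimistic) per work package, and discrete risk
# events as (name, probability, monetary impact). Impact follows the EMV
# convention in the text: negative for a threat, positive for an opportunity.
WORK_PACKAGES = {
    "firewall_hardware": (40_000, 50_000, 75_000),
    "vpn_rollout": (20_000, 30_000, 60_000),
    "staff_training": (5_000, 8_000, 12_000),
}
RISK_EVENTS = [
    ("vendor_delay_penalty", 0.30, -25_000),
    ("early_volume_discount", 0.20, 10_000),
    ("misconfiguration_rework", 0.15, -40_000),
]


def expected_monetary_value(events):
    """EMV: sum of probability * impact over all scenarios (threats lower it)."""
    return sum(p * impact for _, p, impact in events)


def simulate_total_cost(packages, events, iterations=10_000, seed=1):
    """Monte Carlo cost risk analysis: each iteration draws one cost per work
    package from its triangular distribution and rolls each discrete risk event."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    totals = []
    for _ in range(iterations):
        total = 0.0
        for low, mode, high in packages.values():
            total += rng.triangular(low, high, mode)
        for _, p, impact in events:
            if rng.random() < p:
                total -= impact  # a threat (negative impact) adds cost
        totals.append(total)
    return totals


def percentile(values, pct):
    """Nearest-rank percentile, e.g. P80 = cost not exceeded in 80% of runs."""
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]


def contingency_reserve(totals, packages, confidence=80):
    """Reserve analysis: reserve needed above the most-likely base estimate to
    cover the simulated outcome at the chosen confidence level."""
    base = sum(mode for _, mode, _ in packages.values())
    return percentile(totals, confidence) - base
```

Comparing the P80 reserve against the reserve actually budgeted is the check the reserve analysis step calls for; a budgeted reserve below it means the remaining risk is under-covered.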

Risk Response Planning

Any well-planned risk mitigation strategy requires proper risk response planning. For example, risk re-assessment will be needed, followed by risk audits, variance and trend analysis, technical performance measurement, reserve analysis and status meetings. Regularly scheduled risk re-assessment enables re-assessment of current risks and the closing of risks. Monitoring and controlling risk may identify new risks before they become incidents.

Risk audits are a process the auditors perform to discover any errors or intentional problems. This process is an integral part of good corporate governance practice, and because of this companies are under increasing scrutiny to identify all risks and show how they are managed. Managing risk plays an essential and central role in maintaining a sound system of internal controls. The responsibility for identifying and managing risk lies with management; the auditor must provide assurance that these risks are being properly managed.

Auditing the internal controls is a governance function and should be recognized as part of the company's management framework.

Risk audits also examine and document the effectiveness of the risk responses to the identified risks and their root causes, as well as the effectiveness of the risk management process. Project managers are responsible for ensuring that risk audits are performed at the frequency defined in their risk management plan. The objectives and format of the audit should also be defined before it is conducted.

Trend and variance analysis, which uses performance information to compare planned versus actual results, is needed to monitor and control risk events and to identify any trends in the execution of the plan. Its outcome can be used to forecast potential deviation from the cost and schedule targets at completion.

During project execution, management can compare technical accomplishments against the schedule in the project management plan. This requires the objectives to be defined through quantifiable measures of technical performance so that targets can be compared against results.

Reserve analysis compares the amount of contingency reserves, in both cost and time, against the remaining risk in order to determine whether the reserve is sufficient. Project risk management should be added as an agenda item at periodic status meetings; in these meetings risks are more likely to be identified, and there is an opportunity to advise on the responses to them.
