I have this rather operational view on Operational Risk Assessment and Mitigation:
- Threats "use" one or more Vulnerabilities to create one or more Damages to your people, assets, information, processes, or reputation. Every such Threat-Vulnerability pair is more or less likely, i.e. it is connected to a Likelihood value. Multiply by the value of the related Damages, and you have a Risk value. To be useful for analysis and mitigation, Risk should be quantified in measurable and verifiable units (when possible), i.e. do not use those low-to-high relative scales.
- You need to do these calculations from three different points of view. I recommend that you calculate the Risk connected with each individual identified Threat, Vulnerability and type of Damage. Just don't sum up all the Risks so calculated – they are not independent. In fact, you are looking at the same Total Risk from three perspectives, so summing Risk along any one of the three dimensions – Threats, Vulnerabilities or Damage types – should give the same resulting Total Risk.
- Now you have a brilliant base for the real security work: first select the Threat, Vulnerability or Damage type giving the highest Risk value, then work down the list with Risk Mitigation proposals, Risk by Risk:
  - How much may Risk be reduced by any Risk-mitigating activity, e.g.:
    - Eliminating or reducing Threats?
    - Reducing Vulnerabilities?
    - Planning for reducing Damage (preparedness)?
  - Which costs and other effects are associated with each Risk-mitigating activity (investment and ongoing)?
  - How profitable is each activity, i.e. how much does it reduce the total cost of Damage plus protection?
  - Does any Risk-mitigating activity reduce more than one Risk? How does that affect its profitability?
- Knowing all this, propose to your peers the combination of Risk-mitigating activities you find most profitable (within affordable limits – your purse is restricted), compared to doing nothing (nothing new, that is).
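The whole method above, worked through on a constructed risk register, as an added example that is not part of the original post: Risk is computed per (Threat, Vulnerability, Damage type) row in money per year, summed along each of the three dimensions to confirm they agree, ranked, and then a few hypothetical mitigating activities are compared by their profitability against doing nothing. All threat, vulnerability and activity names, likelihoods, damage values and costs are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed risk register, one row per (Threat, Vulnerability, Damage type):
# likelihood = expected events per year, damage = loss per event in money units.
# All names and numbers are hypothetical, chosen only to illustrate the method.
RISKS = [
    ("phishing",   "no MFA",             "information", 0.50,  80_000),
    ("phishing",   "no MFA",             "reputation",  0.50,  40_000),
    ("ransomware", "unpatched servers",  "processes",   0.10, 500_000),
    ("ransomware", "no offline backups", "processes",   0.10, 300_000),
    ("insider",    "excess privileges",  "information", 0.05, 200_000),
]

def risk_value(likelihood, damage):
    """Risk in money per year, not a low-to-high relative scale."""
    return likelihood * damage

def total_risk():
    return sum(risk_value(l, d) for *_, l, d in RISKS)

def total_by(dimension):
    """Sum Risk over one perspective: 0=Threat, 1=Vulnerability, 2=Damage type."""
    totals = defaultdict(float)
    for row in RISKS:
        totals[row[dimension]] += risk_value(row[3], row[4])
    return dict(totals)

def ranked(dimension):
    """Highest-Risk item first: the starting point for mitigation work."""
    return sorted(total_by(dimension).items(), key=lambda kv: kv[1], reverse=True)

@dataclass
class Activity:
    """A Risk-mitigating activity: its yearly cost and what it changes in the register."""
    name: str
    annual_cost: float
    vuln_factor: dict = field(default_factory=dict)    # Vulnerability -> multiplier on likelihood
    damage_factor: dict = field(default_factory=dict)  # Damage type -> multiplier on damage (preparedness)

def residual_risk(activities):
    """Total Risk left after applying every activity to every register row."""
    total = 0.0
    for _threat, vuln, dmg_type, likelihood, damage in RISKS:
        for a in activities:
            likelihood *= a.vuln_factor.get(vuln, 1.0)
            damage *= a.damage_factor.get(dmg_type, 1.0)
        total += risk_value(likelihood, damage)
    return total

def net_benefit(activities):
    """Profitability versus doing nothing: Risk removed minus the activities' cost."""
    return total_risk() - residual_risk(activities) - sum(a.annual_cost for a in activities)

# Hypothetical activities; MFA touches two register rows at once (both phishing Damages).
MFA = Activity("enforce MFA", 15_000, vuln_factor={"no MFA": 0.2})
BACKUPS = Activity("offline backups + restore drills", 20_000, damage_factor={"processes": 0.5})
```

Summing `total_by` for each of the three dimensions gives the same Total Risk, and `net_benefit` of a combination is what you would bring to your peers.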