One part of my profession is risk management for an internet company in Germany, in an IT operations department. I have been doing risk management for more than five years now, and the most unsystematic part was always the assessment of the risks. It had something of a Turkish bazaar when I brought the necessary experts together and we started bargaining about the probabilities and the financial impact of the risks. Therefore I asked around among my risk management colleagues whether any of them knew a more systematic way to assess risks. But none of them knew of such a methodology.
As a consequence, my colleagues and I tried to develop such a methodology, which I want to describe in this blog in order to share it and improve it further.
The methodology we developed has the working title "risk machine", and this designation will be used in the following parts of this risk management blog.
The risk machine is currently in a prototype state and has been designed only for technical IT operational risks. It has been tested on several new risks within our organization and seems to work well for us. For the moment, the risk machine methodology is implemented in Excel.
So let's start with the basic thoughts behind the risk machine. If a risk materializes, a "loss-incurring primary event" is responsible for it. We chose "(IT) system is compromised" as this primary event. To allow two different further processings of the primary event, we defined two "loss-incurring secondary events": "the availability of the system is affected" and/or "the security (integrity / confidentiality) of the system is affected". Both secondary events can proceed in parallel. If only one of the two secondary events applies, it can itself be treated as the loss-incurring primary event.

For the primary event, the "probability of risk occurrence" is evaluated together with the technical specialists using a set of qualitative questions. They are not asked: "What do you think the probability of this risk is?". Instead they answer ten specific technical questions, each with a preset selection of answers that are tied to quantitative values. The values of the ten answers sum to a total, and the interval in which that total lies determines the probability. At the moment only four different probabilities (in percent) are possible, in line with our overall risk methodology; a more finely graded model is of course possible.

After the part "probability of risk occurrence" comes the part "probability of risk treatment". This part is probably new for most risk managers and could be a controversial issue. The thought behind it is that several technical or organizational measures may already be in place to attenuate the scenarios that could follow from the initial primary (or secondary) event. Therefore four questions are assessed together with the technical specialists for each possible secondary event. These lead to four basic scenarios per secondary event, each of which gets a defined probability.
All of these scenarios are then assessed by the business specialists according to the financial impact they could have. The financial impact is differentiated into six categories that sum to a total. In the summary you receive one probability and one total financial impact, and hence an expected value (probability multiplied by impact, in €/year), for each scenario of each secondary event. This gives you a standardized view of which risk scenario is the most probable and/or has the greatest impact on your organization. The following posts will explain the different parts of the risk machine in more detail, with some pictures that should make the methodology much easier to understand.
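As an added illustration of the arithmetic described above (this is not the author's Excel workbook, and every question text, point value, score interval, scenario probability and impact figure in it is invented for the example), here is the whole chain in Python: ten preset answers summed to a score, the score mapped to one of four probabilities, four treatment questions per secondary event giving four scenarios with their own probabilities, six impact categories summed, and an expected value in €/year per scenario. The post does not say how the four treatment answers are turned into scenario probabilities; the reading assumed here is that each question governs one scenario whose conditional probability depends on whether the control is in place.

```python
"""Toy model of the 'risk machine' scoring logic. ASSUMPTION: the question texts,
point values, score intervals, scenario probabilities and impact categories are
invented for this example; the post does not publish its own tables."""

# Ten technical questions, each with preset answers mapped to points (0..4, max 40).
QUESTIONS = {
    "network_exposure":  {"internal_only": 0, "partner_network": 2, "internet": 4},
    "authentication":    {"mfa": 0, "password_only": 2, "shared_account": 4},
    "patch_lag":         {"under_30_days": 0, "30_to_90_days": 2, "over_90_days": 4},
    "privileged_access": {"few_admins": 0, "many_admins": 2, "unrestricted": 4},
    "known_vulns":       {"none": 0, "medium": 2, "critical": 4},
    "monitoring":        {"alerting": 0, "logging_only": 2, "none": 4},
    "hardening":         {"baseline_applied": 0, "partial": 2, "default_install": 4},
    "vendor_support":    {"supported": 0, "extended": 2, "end_of_life": 4},
    "data_sensitivity":  {"public": 0, "internal": 2, "confidential": 4},
    "change_frequency":  {"rare": 0, "weekly": 2, "daily": 4},
}
# Score intervals mapped to the four allowed annual probabilities of "system is compromised".
PROBABILITY_BUCKETS = [(0, 10, 0.05), (11, 20, 0.20), (21, 30, 0.50), (31, 40, 0.90)]
# Four treatment questions per secondary event. ASSUMED reading: each question governs
# one scenario -> (scenario, P(scenario|compromise) with control, same without control).
TREATMENT = {
    "availability": {
        "redundancy":          ("service_outage",         0.20, 0.80),
        "monitoring_alerts":   ("undetected_degradation", 0.10, 0.60),
        "tested_restore":      ("data_loss",              0.05, 0.50),
        "emergency_procedure": ("prolonged_recovery",     0.15, 0.70),
    },
    "security": {
        "detection":         ("undetected_intrusion",     0.20, 0.80),
        "incident_response": ("lateral_spread",           0.15, 0.60),
        "containment":       ("data_exfiltration",        0.10, 0.50),
        "breach_handling":   ("regulatory_breach_report", 0.10, 0.40),
    },
}
# The six impact categories the business specialists fill in (EUR per occurrence).
IMPACT_CATEGORIES = ("repair_cost", "lost_revenue", "contract_penalties",
                     "regulatory_fines", "reputation", "staff_effort")

def score_answers(answers):
    """Sum the points behind the ten preset answers; every question must be answered."""
    if set(QUESTIONS) - set(answers):
        raise ValueError(f"unanswered questions: {sorted(set(QUESTIONS) - set(answers))}")
    return sum(QUESTIONS[q][answers[q]] for q in QUESTIONS)

def probability_of_occurrence(score):
    """Map the total score to a probability via the interval it falls into."""
    for low, high, probability in PROBABILITY_BUCKETS:
        if low <= score <= high:
            return probability
    raise ValueError(f"score {score} outside 0..40")

def total_impact(impact):
    """Sum the six categories; omitted ones count as 0, unknown names are rejected."""
    if set(impact) - set(IMPACT_CATEGORIES):
        raise ValueError(f"unknown impact categories: {sorted(set(impact) - set(IMPACT_CATEGORIES))}")
    return sum(impact.get(category, 0.0) for category in IMPACT_CATEGORIES)

def assess_risk(answers, controls, impacts):
    """One row per scenario (probability, impact, expected value in EUR/year), highest
    expected value first. controls: {event: {question: bool}}; impacts: {event: {scenario: {category: EUR}}}."""
    p_primary = probability_of_occurrence(score_answers(answers))
    rows = []
    for event, questions in TREATMENT.items():
        for question, (scenario, p_with, p_without) in questions.items():
            p_scenario = p_with if controls[event][question] else p_without
            impact = total_impact(impacts[event][scenario])
            rows.append({"event": event, "scenario": scenario, "impact": impact,
                         "probability": round(p_primary * p_scenario, 4),
                         "expected_value": round(p_primary * p_scenario * impact, 2)})
    return sorted(rows, key=lambda r: r["expected_value"], reverse=True)

# Constructed sample assessment of one system (not real data).
SAMPLE_ANSWERS = {
    "network_exposure": "internet", "authentication": "password_only",
    "patch_lag": "30_to_90_days", "privileged_access": "many_admins",
    "known_vulns": "medium", "monitoring": "logging_only", "hardening": "partial",
    "vendor_support": "supported", "data_sensitivity": "confidential",
    "change_frequency": "weekly",
}  # 22 points -> third bucket, p = 0.50
SAMPLE_CONTROLS = {
    "availability": {"redundancy": True, "monitoring_alerts": True,
                     "tested_restore": False, "emergency_procedure": True},
    "security": {"detection": False, "incident_response": True,
                 "containment": True, "breach_handling": False},
}
SAMPLE_IMPACTS = {
    "availability": {
        "service_outage": {"repair_cost": 5000, "lost_revenue": 40000, "contract_penalties": 10000},
        "undetected_degradation": {"lost_revenue": 20000, "staff_effort": 5000},
        "data_loss": {"repair_cost": 20000, "lost_revenue": 60000, "contract_penalties": 25000, "reputation": 45000},
        "prolonged_recovery": {"lost_revenue": 30000, "staff_effort": 10000}},
    "security": {
        "undetected_intrusion": {"repair_cost": 5000, "staff_effort": 10000},
        "lateral_spread": {"repair_cost": 30000, "staff_effort": 20000},
        "data_exfiltration": {"regulatory_fines": 100000, "reputation": 150000, "staff_effort": 20000},
        "regulatory_breach_report": {"regulatory_fines": 50000, "reputation": 20000, "staff_effort": 10000}},
}

if __name__ == "__main__":
    for row in assess_risk(SAMPLE_ANSWERS, SAMPLE_CONTROLS, SAMPLE_IMPACTS):
        print(row)
```

With the sample figures, the missing tested restore dominates the ranking (data loss at 37,500 €/year), well ahead of the two security scenarios whose controls are absent. The point of fixing the answer options and their point values in advance is exactly that the specialists argue about observable facts (patch lag, exposure, whether a restore has been tested) rather than about a probability figure directly.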
