Risk managers are always seeking to address the risks that matter most to their organizations. But you can’t analyze and prioritize what you don’t identify. While we can never be certain that we’ve thought of every bad thing that could happen that would result in loss, we must make efforts to identify as many probable risk scenarios as we can. No matter how you tackle risk identification — through risk workshops, risk and control self-assessments, informal surveys, etc. — there are some key questions that should be a part of every risk identification effort, especially when quantitative analysis is new to an organization.
1. Where are we experiencing loss today?
Risk management is focused on limiting loss to the organization, not just losses from hard-to-predict future events. Risk analysis and evaluation efforts should focus on the most probable risk scenarios, and what could be more probable than a loss that is happening in the present?
How much is the company paying in refunds to clients for problems that could be solved with better internal process design? How much are we paying vendors who don’t meet our expectations because we never built robust performance monitoring against contractual service level agreements?
Many organizations lack solid loss event tracking, which includes processes for reporting losses, a centralized repository for cataloging and categorizing them, and a process to analyze their root causes. Without robust loss event tracking, many losses fly under the radar because, while they may happen frequently, they aren't that costly on an individual basis. Losses like these can nickel-and-dime a big hole in an organization's wallet unless someone with a high level of awareness points out the larger problem.
A well-executed quantitative analysis that shows leadership how much money could be saved over a given year just by solving currently existing problems can be an immediate catalyst for risk mitigation and help your risk management program demonstrate value early on.
2. What keeps you up at night?
Asking business leaders to identify the scenarios that give them goosebumps is a great way to learn about potential risk scenarios. But proceed with caution — this can result in the identification of highly improbable perfect-storm scenarios and overlook more likely business process failures, application outages, compliance concerns, etc.
It can be helpful to quickly follow this question with ones that sound less hyperbolic, for instance: “It seems like you’re concerned about the order fulfillment process not completing successfully — what are some of the more likely ways that could happen?” Helping leaders focus their attention on more probable scenarios will allow you to analyze the scenarios that are more likely to occur before you get to their nightmarish worst-case concoctions.
3. What are our most valuable assets, and what could happen to them that would lead to loss for our organization?
If you want to identify scenarios for which analysis would be valuable, starting with the assets involved in the most damaging potential losses is advisable.
What business process accounts for the largest amount of the organization’s revenue? Dive deep into the individual steps involved in that process and ask how each step could go wrong in a way that would result in loss to the organization from the process not completing successfully.
What applications or databases store the largest amounts of data valuable to the organization? What are the most probable ways that data could be compromised from an availability, integrity, or confidentiality perspective?
These lines of questioning will allow you to build what is hopefully a comprehensive list of the probable ways your organization’s most valuable assets could be impacted in ways that result in loss, all of which are fodder for high-value risk analyses.
Keep in mind that you won't be able to use FAIR to analyze the concerns identified by asking these three questions until you properly scope them, clearly defining the threat, asset, effect, and loss event involved in the scenario.
Without a properly scoped scenario you can't make estimates of loss event frequency or loss magnitude. Translating the concerns of business leaders into well-scoped scenarios ready for FAIR analysis is a vital task all risk analysts should be able to perform.
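As an added illustration of the scoping step described above (this is example code, not the FAIR Institute's own tooling): a scenario record that refuses analysis until threat, asset, effect and loss event are all defined, followed by an annualized loss estimate built from loss event frequency and loss magnitude. The scenario text, the modified-PERT helper and every number below are constructed assumptions.

```python
import random
from dataclasses import dataclass
# Added example, not FAIR Institute code; scenario and estimates are constructed.
EFFECTS = ("availability", "integrity", "confidentiality")

@dataclass(frozen=True)
class Scenario:
    threat: str      # who or what acts against the asset
    asset: str       # the thing of value that is affected
    effect: str      # C, I or A impact on the asset
    loss_event: str  # the concrete event whose frequency/magnitude we estimate

def validate(s: Scenario) -> Scenario:
    """Refuse a scenario until every FAIR scoping component is defined."""
    for name in ("threat", "asset", "effect", "loss_event"):
        if not getattr(s, name).strip():
            raise ValueError(f"scenario not scoped: missing {name}")
    if s.effect not in EFFECTS:
        raise ValueError(f"effect must be one of {EFFECTS}, got {s.effect!r}")
    return s

def pert_mean(low, likely, high, lam=4.0):
    """Mean of a modified-PERT estimate given as (min, most likely, max)."""
    return (low + lam * likely + high) / (lam + 2)

def pert_sample(rng, low, likely, high, lam=4.0):
    """Draw one value from the modified-PERT distribution of an estimate."""
    if high == low:
        return low
    a = 1 + lam * (likely - low) / (high - low)
    b = 1 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def expected_ale(lef, lm):
    """Point estimate: mean loss event frequency x mean loss magnitude."""
    return pert_mean(*lef) * pert_mean(*lm)

def simulate_ale(lef, lm, iterations=20000, seed=1):
    """Monte Carlo ALE from LEF (events/yr) and LM (loss/event) PERT estimates.
    Reports the mean and the 90th percentile so the tail is visible too."""
    rng = random.Random(seed)
    losses = sorted(pert_sample(rng, *lef) * pert_sample(rng, *lm)
                    for _ in range(iterations))
    return {"mean": sum(losses) / iterations, "p90": losses[int(0.9 * iterations)]}

if __name__ == "__main__":
    s = validate(Scenario("vendor misses contractual SLA", "order fulfillment process",
                          "availability", "late orders force client refunds"))
    lef, lm = (2, 4, 8), (5_000, 20_000, 100_000)  # constructed estimates
    print(s.loss_event, round(expected_ale(lef, lm)), simulate_ale(lef, lm))
```

The point estimate is useful for a quick sanity check; the simulated percentile is what shows leadership how bad a plausible year could be, which a single average hides.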
By asking these questions and employing your detective skills to hunt down probable risk scenarios, you’ll quickly build a library of high-value analyses to complete and maintain, ultimately allowing your organization to identify the scenarios that matter most and properly allocate resources to mitigate them. The faster you achieve this goal, the faster your organization’s risk profile will fall within tolerances and the more value your risk management program will provide.
Become a member of the FAIR Institute to join an exclusive community of information risk officers, cyber security leaders and business executives who share their experience and knowledge on the growing discipline of information risk management.