In order to make risk analysis a sound, repeatable process, you need to have a series of steps or phases you follow time and time again. I’ve realized that many new to risk quantification, and even those with “mature” risk programs, lack a structured approach to risk analysis.
With that, I thought it would be helpful to outline the high-level process we use at RiskLens, sprinkling in some helpful tips I’ve learned along the way.
We always start with scoping, otherwise known as diagnosing and understanding the problem. I cannot overstate how important this step is, and how I’ve seen it be the folly of many organizations when it comes to a shaky result at the end. As I’ve outlined in my post on scoping, a solid scope is comprised of understanding the following:
I, along with some of our more sophisticated customers, will take this step up a notch by understanding how the scenario maps to the FAIR model. I’ve outlined a mapping approach in another post, but I’ve frequently seen it performed on whiteboards, pieces of paper, or just in passionate discussion/debate.
After we have a good grasp of the problem, and how the scenario maps to the FAIR model, we need to gather the data. We do this in the following ways:
So, after doing an excellent job of scoping the analysis, understanding the problem, and gathering all of the data, the most exciting part of the risk analysis process, bar none, is hitting the run button on the RiskLens application.
Yet what makes an analysis ready for the next step, i.e. reporting, is the quality assurance, or refinement, of the results. A good risk analyst will review the results with a critical eye, ensuring they accurately reflect the problem under analysis, along with all of the information received along the way. It’s at this step that an analyst knows whether or not he or she can stand behind the results and get in front of the proverbial firing squad with the analysis.
When it comes to reporting, having a good understanding of your audience is key. Many decision makers have a pre-formatted template, or standard approach to getting their information. Some like seeing things in the red, yellow, green color spectrum of heat maps, while others are more comfortable seeing numbers.
My approach when it comes to reporting is to give decision makers what they want, and how they like seeing it, along with a little bit of what they should see. Remember, the goal at the end of a risk analysis is to provide insight that decision makers can use to make better, more well-informed decisions. How you frame and relay the results plays a big role in how they use the information.
There you have it, the risk analysis process in four high-level steps. We hope you found this helpful.