The importance of measuring risk cannot be overstated. Whether it is done in the initial Basis of Estimate (BOE) or at the kickoff meeting, risk identification is one of the first items a project team plans at the start of a project. During the BOE or kickoff meeting, the team collaborates to identify one or more threats that could exploit a vulnerability and determines how likely each is to delay the project. If that vulnerability is realized, the next step is to determine the severity of the impact. Risk is the probability of an event occurring multiplied by the damage it can cause. Two key concepts in risk management are quantitative and qualitative risk analysis.
How Do You Measure Risks?
Fortunately, there are two ways risk can be measured: quantitatively and qualitatively. Quantitative risk management uses numbers to establish the cost of an asset failure: Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO). Qualitative risk management uses subjective judgment to determine probability and impact, typically expressed in categories such as Low (1), Medium (2), and High (3). Either measurement can be used in risk management.
For example, suppose a data center is going to have a scheduled power outage. There is certainly potential for a data center outage. Can engineers access the data center? What is the probability that a server or router does not reboot properly? What is the cost if a hard drive fails on a server? How will this impact a user and/or the organization? In quantitative risk analysis, the cost of a server hard drive is $1,000 and it fails once per year, so SLE ($1,000) x ARO (1 time/year) = ALE ($1,000). Analyzing from a quantitative risk perspective, we could say the impact is low because the necessary power and system redundancy are in place. While these risk measurements are essential, there are also risk management methods that can be followed.
What Are Some Methods of Handling Risks?
Coupled with risk measurement, risk management methods determine what can be done to handle a risk. Each situation may differ, but applying these methods consistently pays dividends in the end. The methods include risk avoidance, in which no effort is made to handle an activity like the one discussed above. Risk transference outsources the risk to another company to handle. Risk acceptance is when an organization decides to accept a risk, either because it is not aware of the risk or because it feels there is no way to mitigate it. The most popular risk management method is risk mitigation, which implements a control or a series of controls to reduce the likelihood of a vulnerability being exploited or the impact of a threat. In the example discussed earlier, the redundancy of systems and power has mitigated the risk of problems once the power comes back up.
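To make the two measurements and the mitigation method concrete, here is a small Python example (added here, not part of the original article) that computes ALE = SLE x ARO for the hard-drive scenario above and scores the same event on the Low/Medium/High scale, before and after the redundancy mitigation; the score-to-rating bands and the probability/impact values assigned to the scenarios are assumptions for illustration.

```python
from dataclasses import dataclass

# Qualitative scale as given in the article: Low (1), Medium (2), High (3)
QUALITATIVE_SCALE = {1: "Low", 2: "Medium", 3: "High"}


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative measure: ALE = SLE x ARO (dollars per year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def qualitative_score(probability: int, impact: int) -> int:
    """Probability (1-3) x impact (1-3) yields a 1-9 risk score."""
    for value in (probability, impact):
        if value not in QUALITATIVE_SCALE:
            raise ValueError("probability and impact must be 1, 2 or 3")
    return probability * impact


def qualitative_rating(score: int) -> str:
    """Map a 1-9 score onto Low / Medium / High. The band edges
    (<=2 Low, <=4 Medium, else High) are this example's assumption."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


@dataclass
class Scenario:
    name: str
    sle: float        # dollars lost per occurrence
    aro: float        # occurrences per year
    probability: int  # qualitative likelihood, 1-3
    impact: int       # qualitative impact, 1-3

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)

    def rating(self) -> str:
        return qualitative_rating(qualitative_score(self.probability, self.impact))


# Constructed scenarios: the article's $1,000 drive failing once a year, then the
# same event with the redundancy mitigation assumed to reduce impact to Low (1).
drive_failure = Scenario("drive fails during power outage", 1000, 1, 2, 3)
with_redundancy = Scenario("same failure, redundant disks and power", 1000, 1, 2, 1)

if __name__ == "__main__":
    for s in (drive_failure, with_redundancy):
        print(f"{s.name}: ALE=${s.ale():,.0f}, qualitative={s.rating()}")
```

Mitigation in this example lowers the qualitative impact score but leaves the ALE unchanged, because the redundancy does not change the drive's replacement cost or how often it fails.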
It is critical for everyone on a project management team to be involved in risk management. Applying these skills to measure and then handle risks will also determine whether the likelihood and impact of an occurrence turn out to be positive or negative.
About the Guest Author
Paul Brickman is a Senior Project Manager at Northrop Grumman Corporation. He has earned his CompTIA Security+ certification.