Going Through The Risk Management Process
1. Define the rules on how you are going to perform the risk management and whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc.
2. Create a SWOT analysis listing all your assets, then the threats and vulnerabilities related to those assets; assess the impact and likelihood for each combination of asset/threat/vulnerability and finally calculate the level of risk.
3. Focus on the ‘unacceptable risks’. You have 4 options to choose from to mitigate each unacceptable risk:
- Design a new business process with adequate built-in risk control and containment measures from the start
- Transfer the risk to another party
- Avoid the risk by stopping an activity that is too risky
- Accept the risk
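The following is an added example, not code from the original article: a small qualitative risk register in Python that walks through steps 1 to 3 above. The 1-5 scales, the risk-acceptance threshold and the sample asset/threat/vulnerability rows are all constructed assumptions for illustration; a real register would use the rules you defined in step 1.

```python
"""Added example (not part of the original article): a qualitative risk
register covering steps 1-3 of the process. Scales, the acceptance
threshold and the sample rows are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum

# Step 1: the rules. Both impact and likelihood are scored on a 1-5
# qualitative scale, risk = impact * likelihood, and any score above
# ACCEPTABLE_RISK is treated as unacceptable. All values are assumptions.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTABLE_RISK = 8


class Treatment(Enum):
    """The four treatment options from step 3."""
    MITIGATE = "design the process with built-in controls"
    TRANSFER = "transfer the risk to another party"
    AVOID = "stop the activity"
    ACCEPT = "accept the risk"


@dataclass(frozen=True)
class RiskEntry:
    """One asset/threat/vulnerability combination from step 2."""
    asset: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int

    def __post_init__(self):
        # Reject scores outside the scale chosen in step 1.
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def level(self) -> int:
        """Risk level as defined by the step 1 rules."""
        return self.impact * self.likelihood


def build_sample_register() -> list:
    """Constructed sample rows for step 2 (not a real organisation's data)."""
    return [
        RiskEntry("customer database", "external attacker", "unvalidated web input", 5, 4),
        RiskEntry("field laptop", "theft", "no full-disk encryption", 4, 3),
        RiskEntry("internal wiki", "power outage", "no UPS", 2, 3),
        RiskEntry("backup tapes", "fire", "single off-site copy", 4, 1),
    ]


def unacceptable(register: list, threshold: int = ACCEPTABLE_RISK) -> list:
    """Step 3: the entries to focus on, highest risk level first."""
    return sorted((e for e in register if e.level > threshold), key=lambda e: -e.level)


def treat(entry: RiskEntry, decision: Treatment,
          residual_impact: int = None, residual_likelihood: int = None) -> int:
    """Apply one of the four treatment options and return the residual risk
    level. MITIGATE and TRANSFER need the expected post-treatment scores;
    AVOID removes the activity (risk 0); ACCEPT leaves the level unchanged."""
    if decision is Treatment.AVOID:
        return 0
    if decision is Treatment.ACCEPT:
        return entry.level
    if residual_impact is None or residual_likelihood is None:
        raise ValueError(f"{decision.name} requires residual impact and likelihood")
    # Re-use the dataclass validation so residual scores stay on the scale.
    residual = RiskEntry(entry.asset, entry.threat, entry.vulnerability,
                         residual_impact, residual_likelihood)
    return residual.level


if __name__ == "__main__":
    register = build_sample_register()
    for e in register:
        status = "UNACCEPTABLE" if e.level > ACCEPTABLE_RISK else "acceptable"
        print(f"{e.asset:18} {e.threat:18} {e.vulnerability:24} "
              f"I={e.impact} L={e.likelihood} risk={e.level:2} {status}")
    top = unacceptable(register)[0]
    print("after mitigation:", treat(top, Treatment.MITIGATE, residual_impact=5, residual_likelihood=1))
```

Running the script prints the register with each row marked acceptable or unacceptable; the two rows scoring above the threshold are the ones step 3 tells you to treat first, and `treat()` shows the residual level you would record for each decision before writing the Risk Assessment Report.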
4. Document everything that you have done so far in a Risk Assessment Report; think of this as a lessons-learned report and, as the saying goes, if it is not written down it never happened. Remember: risk learning formalizes the lessons learned and uses tools to capture, categorize, and index that knowledge in a reusable form that can be shared with others.
5. Statement of Applicability – this document is based on the results of the previous document and lists all the risk controls that you have implemented, why you have implemented them and how. It should also cover initiating change control requests when changes in risk status or risk plans could affect the availability of the service or the service level agreement (SLA).
6. Risk Treatment Plan defines exactly who is going to implement each control, in which timeframe, with which budget, etc. It is crucial to get executive approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here.