Author | Message |
Anjana
Newbie | Joined: 03May2007 | Online Status: Offline | Posts: 1
Posted: 09May2007 at 4:21am
RISK ANALYSIS PROCESS:
Regardless of the prevention techniques employed, possible threats that could arise inside or outside the organization need to be assessed. Although the exact nature of potential disasters or their resulting consequences are difficult to determine, it is beneficial to perform a comprehensive risk assessment of all threats that can realistically occur to the organization. Regardless of the type of threat, the goals of business recovery planning are to ensure the safety of customers, employees and other personnel during and following a disaster.

The relative probability of a disaster occurring should be determined. Items to consider in determining the probability of a specific disaster should include, but not be limited to: geographic location, topography of the area, proximity to major sources of power, bodies of water and airports, degree of accessibility to facilities within the organization, history of local utility companies in providing uninterrupted services, history of the area’s susceptibility to natural threats, proximity to major highways which transport hazardous waste and combustible products.

Potential exposures may be classified as natural, technical, or human threats. Examples include:

- Natural Threats: internal flooding, external flooding, internal fire, external fire, seismic activity, high winds, snow and ice storms, volcanic eruption, tornado, hurricane, epidemic, tidal wave, typhoon.
- Technical Threats: power failure/fluctuation, heating, ventilation or air conditioning failure, malfunction or failure of CPU, failure of system software, failure of application software, telecommunications failure, gas leaks, communications failure, nuclear fallout.
- Human Threats: robbery, bomb threats, embezzlement, extortion, burglary, vandalism, terrorism, civil disorder, chemical spill, sabotage, explosion, war, biological contamination, radiation contamination, hazardous waste, vehicle crash, airport proximity, work stoppage (Internal/External), computer crime.

All locations and facilities should be included in the risk analysis. Rather than attempting to determine exact probabilities of each disaster, a general relational rating system of high, medium and low can be used initially to identify the probability of the threat occurring. The risk analysis also should determine the impact of each type of potential threat on various functions or departments within the organization. A Risk Analysis Form, found Here (PDF Format), can facilitate the process. The functions or departments will vary by type of organization.

The planning process should identify and measure the likelihood of all potential risks and the impact on the organization if that threat occurred. To do this, each department should be analyzed separately. Although the main computer system may be the single greatest risk, it is not the only important concern. Even in the most automated organizations, some departments may not be computerized or automated at all. In fully automated departments, important records remain outside the system, such as legal files, PC data, software stored on diskettes, or supporting documentation for data entry.

The impact can be rated as:

- 0 = No impact or interruption in operations.
- 1 = Noticeable impact, interruption in operations for up to 8 hours.
- 2 = Damage to equipment and/or facilities, interruption in operations for 8 - 48 hours.
- 3 = Major damage to the equipment and/or facilities, interruption in operations for more than 48 hours. All main office and/or computer center functions must be relocated.

Certain assumptions may be necessary to uniformly apply ratings to each potential threat. Following are typical assumptions that can be used during the risk assessment process:

1. Although impact ratings could range between 1 and 3 for any facility given a specific set of circumstances, ratings applied should reflect anticipated, likely or expected impact on each area.
2. Each potential threat should be assumed to be “localized” to the facility being rated.
3. Although one potential threat could lead to another potential threat (e.g., a hurricane could spawn tornados), no domino effect should be assumed.
4. If the result of the threat would not warrant movement to an alternate site(s), the impact should be rated no higher than a “2.”
5. The risk assessment should be performed by facility.

To measure the potential risks, a weighted point rating system can be used. Each level of probability can be assigned points as follows:

| Probability | Points |
|-------------|--------|
| High        | 10     |
| Medium      | 5      |
| Low         | 1      |

To obtain a weighted risk rating, probability points should be multiplied by the highest impact rating for each facility. For example, if the probability of hurricanes is high (10 points) and the impact rating to a facility is “3” (indicating that a move to alternate facilities would be required), then the weighted risk factor is 30 (10 x 3). Based on this rating method, threats that pose the greatest risk (e.g., 15 points and above) can be identified.

Considerations in analyzing risk include:

1. Investigating the frequency of particular types of disasters (often versus seldom).
2. Determining the degree of predictability of the disaster.
3. Analyzing the speed of onset of the disaster (sudden versus gradual).
4. Determining the amount of forewarning associated with the disaster.
5. Estimating the duration of the disaster.
6. Considering the impact of a disaster based on two scenarios:
   a. Vital records are destroyed
   b. Vital records are not destroyed.
7. Identifying the consequences of a disaster, such as:
   a. Personnel availability
   b. Personal injuries
   c. Loss of operating capability
   d. Loss of assets
   e. Facility damage.
8. Determining the existing and required redundancy levels throughout the organization to accommodate critical systems and functions, including:
   a. Hardware
   b. Information
   c. Communication
   d. Personnel
   e. Services.
9. Estimating potential dollar loss:
   a. Increased operating costs
   b. Loss of business opportunities
   c. Loss of financial management capability
   d. Loss of assets
   e. Negative media coverage
   f. Loss of stockholder confidence
   g. Loss of goodwill
   h. Loss of income
   i. Loss of competitive edge
   j. Legal actions.
10. Estimating potential losses for each business function based on the financial and service impact, and the length of time the organization can operate without this business function. The impact of a disaster related to a business function depends on the type of outage that occurs and the time that elapses before normal operations can be resumed.
11. Determining the cost of contingency planning.

Edited by Anjana - 09May2007 at 4:49am
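The weighted point rating described in the post above, as an added example that is not part of the original post: it takes the highest department impact per facility, applies the cap from assumption 4, multiplies by the probability points, and flags scores of 15 and above. The register layout, field names, and sample facilities are assumptions made for illustration.

```python
# Added example: weighted risk rating per facility, following the post's scheme.
PROBABILITY_POINTS = {"high": 10, "medium": 5, "low": 1}
HIGH_RISK_THRESHOLD = 15  # the post's "15 points and above"


def facility_impact(dept_impacts, requires_relocation):
    """Highest department impact (0-3) for one facility and one threat.

    Assumption 4 from the post: if the threat would not warrant moving to
    an alternate site, the impact is rated no higher than 2.
    """
    for dept, rating in dept_impacts.items():
        if rating not in (0, 1, 2, 3):
            raise ValueError(f"impact for {dept!r} must be 0-3, got {rating!r}")
    highest = max(dept_impacts.values(), default=0)
    return highest if requires_relocation else min(highest, 2)


def weighted_risks(register):
    """Return (facility, threat, score, high_risk) rows, highest score first."""
    rows = []
    for entry in register:
        points = PROBABILITY_POINTS[entry["probability"].lower()]
        impact = facility_impact(entry["impacts"], entry["requires_relocation"])
        score = points * impact
        rows.append((entry["facility"], entry["threat"], score,
                     score >= HIGH_RISK_THRESHOLD))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (facility and department names are hypothetical).
SAMPLE_REGISTER = [
    {"facility": "Head office", "threat": "hurricane", "probability": "High",
     "requires_relocation": True,
     "impacts": {"computer center": 3, "accounting": 2, "legal files": 3}},
    {"facility": "Head office", "threat": "power failure", "probability": "Medium",
     "requires_relocation": False,
     "impacts": {"computer center": 3, "accounting": 1}},
    {"facility": "Branch", "threat": "internal flooding", "probability": "Low",
     "requires_relocation": True,
     "impacts": {"records room": 3, "front desk": 1}},
    {"facility": "Branch", "threat": "telecommunications failure",
     "probability": "High", "requires_relocation": False,
     "impacts": {"front desk": 2}},
]

if __name__ == "__main__":
    for facility, threat, score, high in weighted_risks(SAMPLE_REGISTER):
        print(f"{score:>3}  {'HIGH' if high else '    '}  {facility}: {threat}")
```

The power failure entry shows the cap at work: a department-level rating of 3 is reduced to 2 because no relocation is warranted, which keeps a medium-probability threat below the 15-point line.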
© Vyom Technosoft Pvt. Ltd. All Rights Reserved.