Documentation - Risk analysis
It is very important to realize that during a risk analysis, knowledge about which risks an organization runs cannot come from a tool or a method, but only from the people who take part in the risk analysis. They are the ones who know what is going on. A risk analysis is no more than a way to collect this knowledge in a structured way. The risk analysis therefore stands or falls with the selection of the participants. Look for people who have a good idea of what is really important for the organization, but who also have sufficient insight into what is going on in the workplace. Look for people who are responsible for things that fall within the chosen scope, and for people who directly experience the disadvantages of problems that occur within that scope. Keep in mind that people who are good at estimating the probability of an incident are not necessarily the people who can also estimate its impact correctly, and vice versa. Often people from the business side are better at estimating the impact, and technical people are better at estimating the probability.
Prior to the risk analysis, a monetary amount must be linked to each of the values for impact. This is not fixed in RAFIS, because it differs for every organization: a loss of €10,000 can be a large amount for a small company and an insignificant amount for a multinational. These values are best determined together with someone who has solid knowledge of the financial situation of the organization. It is important to realize that these values are not intended to attach a claim amount to the resulting risks, but only to allow the impact of one risk to be placed properly in relation to the impact of the other risks. The impact per risk therefore does not have to be demonstrated with a calculation or hard figures; a well-founded estimate is sufficient. A well-considered impact scale is also important in order to be able to repeat the risk analysis at a later time and to compare the results with the analysis performed earlier.
A first meeting
A good risk analysis is not something you can do in ten minutes. The time required is closer to half a day. The actual time required naturally depends on the chosen scope, the number of participants and their experience in performing a risk analysis. It is therefore important that the participants are well aware of what is expected of them. Discuss the process with them and give them an idea of the kind of questions that await them. Only conduct a risk analysis with people who are willing to invest this amount of time and energy; otherwise it will be a waste of effort.
Although the scope of the risk analysis can be a process or a department, you perform the risk analysis on the associated information and information systems. Even though a risk can arise from, for example, a badly organized or missing process, it is the risks with regard to the information that must be considered. After all, we are talking about information security here, not process security.