Part 5: Risk analysis based on the risk inventory
In step 4, all risks have been added to an inventory in such a way that each risk can be categorized through relevant attributes. How to deal with the multitude of risks is the subject of this blog post.
Analyze and prioritize your risks
Risks can lead to hazards. When risks are classified and prioritized, their probability of occurrence and their level of damage play the essential role. Risk appetite differs between companies and between risk owners and must therefore be included in the risk analysis.
Definition of risk
In both ISO 31000, the ISO standard for risk management, and ISO/IEC 27001 (information security management systems), risk is defined as follows:
Risk = Damage x Probability of Occurrence
In short, the risk is the product of the potential damage and the associated probability of occurrence. This is intuitive, because risk scenarios with (a) damage that has a very low probability of occurrence or (b) a very likely incident that causes only low damage are often negligible. The challenge in determining risk is to quantify both the damage and the probability of occurrence.
Reproducibility of the risk analysis
A risk analysis must follow a systematic structure, because only with a common system can the results of the risk analysis be reproduced by other people with the same know-how. It is therefore extremely important to define the respective criteria in advance. Note that they may vary from company to company; even within one company, the risk criteria can differ. Important aspects to consider include the definition of the damage classes and of the probability of occurrence. A possible definition of the damage classes subsumes the underlying categories (e.g. low, medium, high, very high), the financial and reputational damage, and the impact on people (employees, customers, etc.). With regard to the probability of occurrence, a look into the past (how often has the incident occurred before?) may help to quantify the probability of occurrence for the future.
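The following script is an added example, not part of this post or of SRC's own tooling. It shows how the definition Risk = Damage x Probability of Occurrence and the ordinal damage classes from the paragraph above turn into a reproducible scoring: the damage class names are the ones the text lists, while the numeric weights, the likelihood class names, the frequency bands that map past incident counts onto a likelihood class, the risk appetite threshold, and every inventory entry are assumptions constructed for illustration. It also carries each risk in a gross view (before mitigation) and a net view (after mitigation), the two views named later in this post.

```python
"""Worked risk scoring over a small, constructed risk inventory.

Risk = damage x probability of occurrence, on ordinal classes, so that two
analysts who share the same criteria arrive at the same ranking.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Damage classes as named in the text; the numeric weights are an assumption.
DAMAGE = {"low": 1, "medium": 2, "high": 3, "very high": 4}
# Probability-of-occurrence classes; names and weights are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}


def likelihood_from_history(incidents: int, years: float) -> str:
    """Map past frequency (incidents per year) onto a likelihood class.

    The band boundaries are assumptions; a company fixes its own in the
    criteria it defines before the analysis starts.
    """
    if years <= 0:
        raise ValueError("observation period must be positive")
    if incidents < 0:
        raise ValueError("incident count cannot be negative")
    rate = incidents / years
    if rate >= 1.0:
        return "likely"
    if rate >= 0.2:
        return "possible"
    if rate > 0:
        return "unlikely"
    return "rare"


def risk_score(damage: str, likelihood: str) -> int:
    """Risk = damage x probability of occurrence on the ordinal scales above."""
    return DAMAGE[damage] * LIKELIHOOD[likelihood]


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str
    damage: str                         # gross view: before mitigation
    likelihood: str
    net_damage: Optional[str] = None    # net view: after mitigation, if any
    net_likelihood: Optional[str] = None

    @property
    def gross(self) -> int:
        return risk_score(self.damage, self.likelihood)

    @property
    def net(self) -> int:
        # Without a documented measure the residual risk equals the gross risk.
        return risk_score(self.net_damage or self.damage,
                          self.net_likelihood or self.likelihood)


def prioritize(inventory: List[Risk], appetite: int) -> List[Tuple[str, int, int, bool]]:
    """Return (id, gross, net, needs_treatment) ordered by descending gross risk.

    `appetite` is the highest net score the risk owner accepts (an assumed
    convention); a residual risk above it still needs further treatment.
    """
    ranked = sorted(inventory, key=lambda r: (-r.gross, r.risk_id))
    return [(r.risk_id, r.gross, r.net, r.net > appetite) for r in ranked]


# Constructed inventory entries (illustrative, not real data).
INVENTORY = [
    Risk("R-001", "Ransomware on file servers", "IT operations",
         "very high", "possible", "high", "possible"),
    Risk("R-002", "Phishing of a single user account", "CISO",
         "low", "likely"),
    Risk("R-003", "Flooding of the data centre", "Facilities",
         "very high", "rare"),
    Risk("R-004", "Insider leak of customer data", "Compliance",
         "high", "possible", "high", "unlikely"),
]

if __name__ == "__main__":
    for rid, gross, net, treat in prioritize(INVENTORY, appetite=6):
        flag = "ABOVE APPETITE" if treat else "accepted"
        print(f"{rid}: gross={gross:2d} net={net:2d} {flag}")
```

Two design points matter for reproducibility: the scales are fixed before any risk is rated, so a score can be traced back to the criteria rather than to the analyst, and a risk without a recorded mitigation measure keeps its gross score as its net score, so an unmitigated risk can never look better in the net view than in the gross view.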
Carrying out risk analysis
A risk analysis conducted by SRC allows you to evaluate your remaining residual risks and thus the hazard potential. The approaches to risk assessment and risk appetite are very individual in financial institutions, so customization is an important aspect to consider. Tailored to your individual needs, we at SRC Consulting record the risks before risk mitigation measures are taken and work closely with your in-house risk management to develop individual preventive measures that reduce, among other things, the probability of a risk occurring or the level of damage. Our customized dashboards create transparency about the residual risks after the implementation of risk mitigation measures (gross vs. net view).