Ebios Risk Manager in collaborative mode

23. April 2020

During the past years, we all developed certain work habits and they can differ from one organisation to another. Some people prefer making use of emails to exchange information or answer questions of colleagues while others prefer a formal face-to-face meeting.

The current crisis forced us to change some of these work habits. The first one is remote working. Next to that, there is a clear rise in the usage of collaborative tools like Teams, Slack, Skype and Zoom. However, these tools didn’t suddenly appear but have existed for several years.

This crisis will surely break barriers against remote working, allowing us to work from home more than once a week, for example.

What about Ebios Risk Manager?

In one of my previous articles, I went into detail about Ebios Risk Manager, giving you some tips and tricks on conducting a full risk analysis cycle in order to obtain great results.

In today’s article, I would like to share a more personal experience with conducting a risk analysis using the Ebios Risk Manager method in this special period of crisis and confinement.

A small reminder

The Ebios Risk Manager method adopts an iterative approach, a strategic vs operational cycle, that revolves around five workshops. If you have forgotten the details, you can refresh your knowledge with this article, which assumed that:

  • Everyone is working on-site, so every stakeholder is invited to the meetings. You will brainstorm, discuss together and directly see who doesn’t actively follow the workshop
  • You work with Microsoft Excel/Visio
  • You use the method’s recommended timeframe: 2 or 3 workshops of 4 hours each

Three out of the five workshops can be very tricky to conduct. If you don’t pay attention to potential traps, especially during this period of crisis, you won’t obtain great and accurate results. Moreover, you’ll need to spend much more time than expected, which will be frustrating.

The three trickiest workshops are:

  • Workshop 1:
    • Scope the business process
    • Identify business values
    • List associated assets, e.g. applications
    • Identify feared events
    • Evaluate potential impact and level of gravity for each feared event
  • Workshop 3:
    • Build strategic (high level) scenarios
  • Workshop 4:
    • Build operational scenarios, the ‘cookbook’
    • Evaluate probability of each scenario

Why these workshops can be tricky

Depending on your organisation and the context, you could run or be asked to run the analysis in five workshops of four hours each to minimise everyone’s workload.

  • Workshop 1:

If you don’t document the business process, including the input, treatment, output and associated assets, you won’t be able to identify business values, feared events and associated impacts. You will need to draw it on a whiteboard and therefore spend some (valuable) time on it.

  • Workshop 3:

You are supposed to build strategic scenarios. Usually, you start to draw them on a whiteboard, which takes some time as well, especially if you start from a blank page.

  • Workshop 4:

You are also supposed to build operational scenarios. Just like during workshop 3, this also takes time.

Collaboration mode

As mentioned before, the year 2020 has impacted a lot of things, like our work habits. So, now the question is how to deal with the workshops you need to conduct and the ‘enforced’ remote work.

Let’s discuss a first example: in a perfect world, your organisation has already identified and listed all its assets, stored in the CMDB. The business processes are well documented, therefore you have a perfect cartography of the business process you want to analyse. So, you easily jump into the first workshop and start to identify the business values, feared events and associated impacts.

You can prepare the third and fourth workshops in advance by drawing the scenarios in Microsoft Visio. You should be able to do this if you have collected all the needed information beforehand. The preparation could require some time, depending on whether you have already built a referential.

So, regardless of whether you’re working on site or remotely, you can conduct the workshop as expected.

Let’s look at another example: in the real world, imagine your organisation has no list of its assets and business processes are well known but undocumented.

The trick in the first workshop is to correctly identify the business values. Thus, if you are on site, start your meeting by drawing the business process you will study on a whiteboard. From there, you identify the business values and feared events.

Let’s say you and all participants of the meeting are working remotely, using Teams or another collaborative tool to meet virtually. You start to have a problem because you are unable to draw the business process. You will need to have a whiteboard at home. Do you?

Perhaps you’re convinced that there is no need to draw anything: just start the discussion and get the information you need. Well, you can, but you will surely miss something during the analysis, which could be important. And don’t forget your timeframe. Brainstorming and discussions sometimes take a lot of time, so you could need additional workshops to complete the picture.

There are solutions, however. Make use of tablets like an iPad Pro or Microsoft Surface. You can install Teams, or another tool you want to use, connect to the meeting, share your screen and start drawing live.

Maybe you don’t want to use Excel and Visio files. In that case, you will need to buy a risk management tool, for example one that carries the ‘Ebios Risk Manager’ label. Some other tools will obtain the certification in the near future.

Those tools are built especially for collaboration, allowing you to import your own referential and to build the strategic/operational scenarios within the tool itself. I will further explain this in a future article.

Be prepared

From my experience, I assure you it is possible to conduct a full risk analysis cycle using Ebios Risk Manager in the expected timeframe and using Excel files, even if everyone is working remotely. It is important to remember that you need to be well prepared, meaning:

  • Know what information you already possess
  • Know which part you automated
  • Define what referential you have built to ease discussion during workshops
  • Find out what collaborative and technological tools your IT department allows you to use

Devoteam can help you with your risk assessment. Feel free to contact Raphael Dropsy via E-MAIL or PHONE.

Contact

Raphaël Dropsy

Senior Consultant

IT Risk & Security

Devoteam Belgium