The do’s and don’ts when conducting a full cycle risk analysis

04. December 2019

Raphaël Dropsy, IT Risk & Security Expert at Devoteam, wrote an article on conducting a full cycle risk analysis in the context of the EBIOS Risk Manager method. This is a summary of the second article he devoted to the method; in the first article he gave a general overview.

Before starting a risk analysis, you should first ask yourself what the object of the analysis will be:

  • A process (As-Is or To-Be)
  • An IT system (e.g. SAP, a cloud platform, etc.)
  • A digital project (technical solution)
  • Conformity to a regulation (e.g. the NIS directive)
  • The transformation of your organisation (e.g. outsourcing)

Once you’ve figured that out, the next steps consist of the following key points:

  • The level of granularity of the study: neither too detailed nor too superficial
  • A good understanding of the object you will study: e.g. if you analyse a process, you should have a map of the process and the assets involved before starting the study
  • A 5-level gravity scale
  • A 5-level probability scale
  • A focus on the most critical assets and the business value

The Ebios Risk Manager method adopts an iterative approach (strategic vs operational cycle) that revolves around five workshops. For each workshop, you need to consider the following:

  • The right stakeholders: technical vs non-technical people and their expected role
  • A clear agenda: make sure all hypothetical discussions are closed before it starts
  • Take care of the timing
  • Send the invitation well in advance

During each workshop, keep in mind to:

  • Be imaginative
  • Be pragmatic
  • Make sure all attendees are actively participating
  • Not hesitate to use a home-grown reference framework or an existing taxonomy
  • Stay focussed on the objectives of the workshop (expected output) and reframe the discussion if needed
  • Not analyse all identified threats and scenarios but focus on the most relevant ones

The topics of the five workshops are:

  • Workshop 1: Scope, feared events, base of security
  • Workshop 2: Risk source and objectives
  • Workshop 3: Strategic scenarios
  • Workshop 4: Operational scenarios
  • Workshop 5: Risk treatment

This is a dynamic and agile method which will help you to focus on the most relevant intentional risk scenarios. When you follow the advice mentioned in this summary and carry out the analysis well, you’ll get great and accurate results.


Devoteam can help you with your risk management process. Feel free to contact Raphaël Dropsy via E-MAIL or PHONE.
