Risk Analysis

Definition

Risk Analysis
a.k.a., Risk Assessment, Risk Quantification

the ongoing risk management task of analyzing the identified risks to the endeavor

Classification

As illustrated in the preceding figure, Risk Analysis is part of the following inheritance hierarchy:

• Type: Abstract
• Superclass: Engineering Task
• Subclasses: None

Responsibilities

The typical responsibilities of Risk Analysis are to:

• Understand the identified risks.
• Analyze the identified risks
• Develop steps and techniques to:
  • Avoid each significant risk.
  • Mitigate each significant risk if it occurs.
  • Monitor each significant risk.
• Assign responsibilities and resources to perform risk avoidance, mitigation, and monitoring.

Preconditions

Risk Analysis can typically begin when the following preconditions hold:

• The endeavor is started.
• The associated teams are initially staffed.
• At least one of these teams is adequately trained in risk analysis.
• Some potential risks have been identified.

Completion Criteria

Risk Analysis is typically complete when the following postconditions hold:

• All significant risks have been analyzed.
• Steps and techniques have been determined to:
  • Control each significant risk.
  • Monitor each significant risk.
• All associated work products have been produced.

Steps

Risk analysis typically involves members of the endeavor’s teams performing the following steps in an iterative, incremental, parallel, timeboxed, and ongoing manner:

• Understand the identified risks:
  • Assets at risk.
  • Business processes at risk.
  • Threats to these assets and business processes.
  • Vulnerabilities to these threats.
• Analyze the identified risks:
  • Analyze the threats to these assets and business processes.
  • Analyze the vulnerabilities of the assets and business processes to these threats.
  • Estimate the risks’ probabilities of occurrance.
  • Estimate the potential impact of each risk to the success of the endeavor.
  • Thereby estimate the importance and priority of each risk.
  • Categorize the risks.
• Develop specific actions and techniques to:
  • Control each significant risk.
  • Monitor each significant risk.
• Assign responsibilities and resources to perform risk avoidance, mitigation, and monitoring.

Techniques

Risk Analysis can typically be performed using the following techniques:

• Categorization of risks, threats, and vulnerabilities
• Cost/Benefit Analysis to determine cost-effectiveness of risk avoidance/mitigation/and monitoring steps and techniques
• Cross Functional Teams to provide multiple viewpoints so that a comprehensive analysis of risks and their factors is performed
• Documentation Studies of risk analysis literature and previous risk management plans
• Gap Analysis to determine gap between current risk management measures and needed risk management measures
• Incremental Development of the risk analysis work product
• Interviews with stakeholders and domain experts
• Iteration of the risk analysis work product
• Joint Application Development (JAD) of the risk analyses
• Parallel Development of the risk analysis with other tasks, teams, and work products
• Pareto Analysis to determine the most important risks and risk factors
• Reuse of previously risk analyses
• Threat trees
• Threat categorization

Work Products

Risk Analysis typically results in the production of all or part of the following work products:

• Risk Analysis Report
• Updated Risk Repository
• Risk Table:
  • Risk Name
  • Risk Description
  • Asset or Business Process at risk
  • Threats to these assets and business processes.
  • Vulnerabilities to these threats (e.g., high/medium/low).
  • Estimated risk impact (a.k.a.,loss magnatude) (e.g., high/medium/low).
  • Estimated risk (i.e., loss, probability of occurrance) probability (e.g., high/medium/low).
  • Risk prioritization (e.g., high/medium/low).
• Risk avoidance actions and techniques.
• Risk mitigation actions and techniques.
• Risk monitoring actions and techniques.
• Associated responsibilities and resources.

Guidelines

• Perform this task concurrently with the riskidentification task.
• Safety risks can be analyzed by the safety team.
• Security risks can be analyzed by the security team.
• The importance of a risk equals the product of the
  (probability of the threat to the asset or business process occuring) times
  (the vulnerability of the asset or the business process to the threat) times
  (the impact of the threat if it occurs).
• Many assets are hard to value, especially in monetary units.
• Probability of occurrance is often difficult to estimated due to changing circumstances.
• It is typically better to use high/medium/low instead of strict numerical values.
• Risks should be organized appropriately (e.g., first by priority, alphabetical within priority, associated with work breakdown schedule).
• Ensure accountability by assigning responsibilities.
• Risks can be divided into the following categories:
  • Business Risks:
    • Requirements Scope Creep
    • Changing Market Pressures
    • Loss of Market Share
    • Bad Public Relations
    • Loss of Life or Property
    • Litigation
  • Financial Risks:
    • Cost Overrun
    • Inadequate Cost Estimates
  • Resource Risks:
    • Inadequate Staffing
    • Inadequately Trained Staff
    • Inadequate Staff Productivity
    • Inadequate Development Tools
  • Schedule Risks:
    • Unrealistic Schedule
    • Inadequate Schedule Estimates
    • Upgrades to COTS components and tools not available when promised (vaporware)
    • Excessive Time To Market
  • Technical Risks:
    • The application will not provide all required functionality.
    • The application’s transactions will not be auditable.
    • The application will not adequately support internationalization.
    • The application will not provide personalization.
    • The application will contain excessive defects.
    • The application’s outputs will be inadequately accurate or precise.