Definitions: Risk assessment evaluates both the probability and the consequences of hazardous events occurring in an information and communication technology (ICT) system. Risk prioritization ranks the identified potential hazardous events and their impacts from the most to the least important and relevant. Ranking risks by importance and criticality lets the organization's management allocate mitigation resources effectively: the largest share of resources goes to the events with the highest combined impact and probability.
Key terms: risk, risk assessment, risk prioritization, risk management
The organization's system engineers' roles and expectations: The organization's system engineers, who work on its government project consultancy contracts, need to assess risks with close attention to possible consequences, probability of occurrence, any applicable dependencies, and time-frames. They then need to rank the risks so that decisions on resource allocation and mitigation actions are well informed.
Risk assessment and prioritization are two of the functions of risk management. The risk management process involves several functions, as the figure below shows; it depicts the fundamental functions of risk management.
The first step in the risk management process is identification of the possible hazardous events. Once the potential risks are identified, assessment begins. The assessment first evaluates the probability of each event. With probability determined, the next step is impact assessment. The impacts to be assessed include the resulting costs, the effects on the technical performance of the information technology, and the functional consequences. Based on the criticality of the possible impact of each identified risk, prioritization is the next step. Prioritization ranks the risks from the most critical to the least, and also determines how relevant each identified risk is. The final stages of the risk management process are mitigation and tracking. Risks ranked as the most critical by relevance and impact proceed to the mitigation stage, where preventive measures are implemented to avert them. Where a risk event cannot be prevented in advance, impact-minimization and adaptation strategies are prepared for its occurrence. The risk events ranked as least relevant and critical are placed on a tracking list and monitored, so that they can be mitigated in time if they escalate into highly critical events.
Assessing risk of an information communication technology system
As the diagram above shows, risk assessment is the second step of risk management. The impact of each risk event on the ICT system is assessed. Specifically, the assessment examines how the event may affect cost, project schedule, ICT technical performance, and achievement of functional objectives. A check is also made on whether the risk event could adversely affect business or project continuity. The overall economic and political effects of the risk events are assessed as well.
The risk assessment process also determines the probability of an event occurring. Probability is assessed using techniques such as subjective judgement, statistical analysis, engineering methods, simulation, and modeling. Risk dependencies and interdependencies are also assessed in this second stage of the risk management function. A detailed risk assessment may further identify the time-frame of each possible impact, and may analyze compliance risks or political impacts. For a business, the assessment may also determine the impact on customer perception of the organization and on employee morale. Some ICT-related risk events can damage the employer-employee relationship and so disrupt the smooth running of the company. Risk analysis must categorize all relevant negative and positive impacts and weigh them to determine criticality.
Various guides and written materials offer help on how to conduct a risk assessment. The subject of probability assessment is discussed in depth by Garvey, Book and Covert (2016), who also give criteria for conducting it. The RiskNAV® tool is one of the resources that can assist in carrying out a risk assessment. Other risk assessment tools relevant to risk analysts working on ICT systems are listed in the article titled Risk Management Tools.
During the risk assessment process, it is important to align the impact analysis with the decision framework of the company. For ICT system management, potential risks are normally assessed on scales for technical performance, functional shortfalls, and cost. The separate scales can be combined into one overall rating for the company's decision-making. The scales have the advantage of offering a consistent approach to analyzing the impact of identified hazardous events across the important dimensions. In addition to the recommended tools, the Risk Matrix method can assist in evaluating and verifying the risks determined by the other tools.
A risk impact analysis must be comprehensive and identify all the issues inherent in a risk event. A potential risk event cannot be managed successfully if its root causes are not determined. Applying a POET analysis (Political, Operational, Economic, and Technical) and a SWOT analysis can help identify the drivers of a risk event. These approaches are best understood by reading the article Tools to Enable a Comprehensive Viewpoint.
One way management engineers an ICT system is by developing capability portfolios of technology projects and initiatives which, when synchronized, deliver time-phased capabilities that support the organization's mission, goals, and objectives. A capability portfolio is thus a time-dynamic organizing framework for attaining capabilities across specified dimensions. In this context, a capability is the ability to achieve an effect of a given standard under specified conditions by combining diverse methods and tools to carry out defined tasks. Under the capability management construct, describing potential risk impacts in terms of capability objectives tells risk analysts exactly which function or ability of the ICT system is at risk. The company therefore knows which specific capability areas to focus on when mitigating potential risks.
In risk portfolio management, assessments focus on tolerance or adaptability levels, the cost of interdependencies, the timing of events, budget, and possible changes over time. The concept of risk portfolio management is particularly relevant to government programs. A guide on this subject is available in the article Portfolio Management. In this area, applying risk categorization scales is essential when carrying out assessments. Risk areas in such a case include funding continuity, resource availability, technological maturity, and the likelihood of attaining the required technical performance.
Prioritizing risks of an information communication technology system
In this step of the risk management process, the analysts rank the identified risk events from the most to the least critical. Criticality is based on relevance, impact, and probability of occurrence. The main goal of prioritizing risks is to allocate resources effectively and efficiently. The literature offers various qualitative and quantitative methods for risk prioritization. Notable qualitative techniques include analysis of probability of occurrence and consequences, and construction of an impact and probability matrix. Other qualitative approaches are risk categorization, urgency analysis, and frequency ranking. Quantitative methods include cardinal (weighted) risk impact analysis, expected monetary loss, sensitivity analysis, probability distributions, simulation, weighting of risk time-frames, and modeling.
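As an added example (not part of the original article), the following Python script implements a probability-and-impact matrix of the kind described above: each risk is scored on separate cost, schedule and technical performance scales, the scales are combined into one overall impact rating, the product with probability places the risk in a matrix band, and the ranked list is split into a mitigation list and a tracking list. The risk entries, the 1-to-5 scales, the dimension weights and the band thresholds are constructed assumptions for illustration, not values from the page.

```python
from dataclasses import dataclass

# Illustrative assumptions: ordinal 1 (negligible) .. 5 (catastrophic) scales,
# one per impact dimension, and the weights used to collapse them into a
# single overall impact rating. A real program defines these in its own
# decision framework.
IMPACT_WEIGHTS = {"cost": 0.3, "schedule": 0.2, "technical": 0.5}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int        # 1..5 likelihood band
    impact: dict            # {"cost": 1..5, "schedule": 1..5, "technical": 1..5}
    relevance: float = 1.0  # 0..1: how relevant the risk is to the decision at hand


def combined_impact(impact):
    """Collapse the per-dimension scales into one overall impact rating.

    The weighted average is floored at (highest single score - 1) so that a
    catastrophic score on one dimension cannot be averaged away by low
    scores on the others (an assumed rule, chosen for illustration).
    """
    weighted = sum(IMPACT_WEIGHTS[d] * impact[d] for d in IMPACT_WEIGHTS)
    return max(weighted, max(impact.values()) - 1)


def score(risk):
    """Matrix cell value: probability x overall impact, scaled by relevance."""
    return risk.probability * combined_impact(risk.impact) * risk.relevance


def band(s):
    """Assumed bands for a 5x5 matrix (maximum score is 25)."""
    if s >= 15:
        return "HIGH"
    if s >= 8:
        return "MEDIUM"
    return "LOW"


def prioritize(risks):
    """Rank risks from most to least critical; returns (name, score, band) tuples."""
    ranked = sorted(risks, key=score, reverse=True)
    return [(r.name, round(score(r), 2), band(score(r))) for r in ranked]


def route(risks):
    """HIGH and MEDIUM risks go to mitigation; LOW risks go to the tracking list."""
    mitigate, track = [], []
    for name, _, b in prioritize(risks):
        (track if b == "LOW" else mitigate).append(name)
    return mitigate, track


# Constructed sample risk register (not real data).
SAMPLE_RISKS = [
    Risk("Unpatched VPN gateway", 4, {"cost": 3, "schedule": 2, "technical": 5}),
    Risk("Vendor funding lapse", 2, {"cost": 5, "schedule": 4, "technical": 2}),
    Risk("Test lab outage", 3, {"cost": 1, "schedule": 3, "technical": 1}),
    Risk("Certificate expiry", 5, {"cost": 1, "schedule": 1, "technical": 2}, relevance=0.5),
]

if __name__ == "__main__":
    for name, s, b in prioritize(SAMPLE_RISKS):
        print(f"{name:24} score={s:5.2f} {b}")
    mitigate, track = route(SAMPLE_RISKS)
    print("mitigate:", mitigate)
    print("track:   ", track)
```

Note that the certificate expiry risk has the highest probability in the register but lands on the tracking list: its impact scores are low and it is only half relevant to the decision, which is exactly the distinction between ranking by probability alone and ranking by criticality.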
Risk assessment should be linked to the decision framework of the organization: The tools and techniques chosen for risk analysis should be relevant and applicable in the context of the specific organization. The impact analysis is supposed to inform decisions, so the objectives and goals of the target decision should determine the tools and methods applied.
Documentation of the rationale, impact, and probability of a risk event is necessary: The assessment approach and probability rating rationale should be documented for future reference.
The important contribution of systems engineering: Risk assessment and prioritization involve complex and interdependent tasks to which the systems engineering concept applies. Systems engineering enables a comprehensive approach to an issue so that it is solved holistically. A deep understanding of the constituent technologies is required for the analyst to carry out an effective assessment and prioritization.
For simulations, the Monte Carlo approach is effective: Simulation is one of the quantitative risk assessment methods. Monte Carlo simulation samples repeatedly from probability distributions to estimate the likelihood of specific outcomes. Because a simulation mimics the real business scenario, the assessed impact level is more realistic and supports a pragmatic resource allocation decision. Simulations are favoured in probability assessment because they give early warning and allow corrective measures to be implemented in advance. They are most effective and accurate when combined with modelling, which uses past data on risks that have occurred to predict the probability of an event at a given future time.
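As an added example (not the article's own material), this Python script applies Monte Carlo simulation to the expected monetary loss method: each risk is given an annual probability of occurrence and a triangular loss distribution (minimum, most likely, maximum loss), a fixed number of simulated years is drawn, and the risks are ranked by expected annual loss alongside the 95th percentile of annual loss and the chance of any loss at all. The three risks, their probabilities and loss ranges are constructed assumptions, not data from the page, and the risks are assumed independent of one another.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    p_annual: float   # probability the event occurs in a given year
    loss_min: float   # smallest credible loss if it occurs (currency units)
    loss_mode: float  # most likely loss
    loss_max: float   # worst credible loss


# Constructed sample register (assumed figures, not data from the article).
SAMPLE_RISKS = [
    Risk("Unpatched VPN gateway", 0.30, 50_000, 100_000, 300_000),
    Risk("Phishing-driven credential theft", 0.80, 5_000, 10_000, 20_000),
    Risk("Cloud tenant compromise", 0.05, 500_000, 1_000_000, 2_000_000),
]


def analytic_eal(risk):
    """Closed-form expected annual loss: p x mean of the triangular distribution.

    Used to sanity-check the simulation; the mean of Triangular(a, m, b) is (a+m+b)/3.
    """
    return risk.p_annual * (risk.loss_min + risk.loss_mode + risk.loss_max) / 3


def simulate(risks, trials=50_000, seed=7):
    """Draw `trials` simulated years; return per-risk and portfolio loss samples.

    Each year, each risk occurs with probability p_annual and, if it does,
    its loss is drawn from the triangular distribution. Risks are treated as
    independent (an assumption). random.triangular takes (low, high, mode).
    """
    rng = random.Random(seed)
    per_risk = {r.name: [] for r in risks}
    portfolio = []
    for _ in range(trials):
        year_total = 0.0
        for r in risks:
            loss = 0.0
            if rng.random() < r.p_annual:
                loss = rng.triangular(r.loss_min, r.loss_max, r.loss_mode)
            per_risk[r.name].append(loss)
            year_total += loss
        portfolio.append(year_total)
    return per_risk, portfolio


def summarize(samples):
    """Expected annual loss, 95th-percentile annual loss, and P(any loss in a year)."""
    s = sorted(samples)
    n = len(s)
    return {
        "eal": sum(s) / n,
        "p95": s[int(0.95 * n)],
        "p_any": sum(1 for x in s if x > 0) / n,
    }


def rank_by_eal(risks, trials=50_000, seed=7):
    """Rank risks by simulated expected annual loss, most costly first.

    Returns (ranked list of (name, stats), portfolio stats).
    """
    per_risk, portfolio = simulate(risks, trials, seed)
    ranked = sorted(
        ((name, summarize(samples)) for name, samples in per_risk.items()),
        key=lambda item: item[1]["eal"],
        reverse=True,
    )
    return ranked, summarize(portfolio)


if __name__ == "__main__":
    ranked, total = rank_by_eal(SAMPLE_RISKS)
    for name, st in ranked:
        print(f"{name:34} EAL={st['eal']:12,.0f}  P95={st['p95']:12,.0f}  P(loss)={st['p_any']:.2f}")
    print(f"portfolio EAL={total['eal']:,.0f}  P95={total['p95']:,.0f}")
```

The ranking by expected annual loss puts the rare but severe cloud tenant compromise first even though phishing is by far the most likely event: probability alone would order the register the other way round. The 95th percentile shows the other side of the same point, since in most simulated years the rare event costs nothing, so a budget set from the expected value alone would not cover the year it does occur.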
Consider FedRAMP: Information flow matters in any system. FedRAMP (the US Federal Risk and Authorization Management Program) provides guidance on controlling information flow within a company's ICT system. An information system needs measures that enforce approved authorizations for regulating the flow of information within the network and between interconnected digital infrastructures. FedRAMP's guidance helps in mitigating information system risks and in assessing possible hazardous events effectively.