Risk Assessment


Clause 4.1.2 Requirements of BS25999-2:2007
Executive Summary

- This document attempts to provide an understanding of the Risk Management process.
- The British Standard, BS25999-2:2007, requires Risk Assessment to be done as a part of 'Understanding the organisation'.
- A flow chart illustrates the flow of the RM process per Clause 4.1.1 of the standard and also deals with 'Determining choices' (4.1.3).
- The standard does not prescribe any specific method of doing the risk assessment.
- This document provides an example method of doing risk assessment which borrows heavily from Failure Modes and Effects Analysis (FMEA).
- Using the concepts from FMEA helps in a couple of ways:
    - FMEA has been in use for quite some time now and the writer assumes that the knowledge of using FMEA is prevalent.
    - It provides numerical values for easy prioritisation and action.




02/08/2010                        Dipankar Ghosh                                              2
Section 4.1.1 Of BS25999-2:2007
4.1.2 Risk Assessment
4.1.2.1 There shall be a defined, documented and appropriate
    method of risk assessment that will enable the organisation
    to understand the threats to and vulnerabilities of its critical
    activities and supporting resources, including those provided
    by suppliers and outsource partners
4.1.2.2 The organisation shall understand the impact that would
    arise if an identified threat became an incident and caused a
    business disruption




Risk Management Flow Chart
(Figure, two slides: flow chart of the RM process; image not reproduced in this extraction.)
Risk Assessment Model

Columns of the risk assessment worksheet (numbered as referenced in the notes that follow):

 1. Identified Vulnerabilities
 2. Potential Threats
 3. Potential Damages
 4. Severity Of Damages Score (1-5) [S]
 5. Likelihood of Occurrence Score (1-5) [L]
 6. Current Mitigation Measures
 7. Mitigation Score (1-5) [M]
 8. Risk Magnitude Score (1-125) [RMS = S x L x M]
 9. Recommended Actions
10. Responsibility and Target Date
11. RMS After Actions Taken: S, L, M and RMS [S x L x M] re-assessed




 1. Identified Vulnerabilities – These are weaknesses that have been identified which can result in a potential damaging impact on the
    business (e.g. fuel storage near an electrical substation). Vulnerabilities are 'internal' to the 'system'.
 2. Potential Threats – These are 'external' causes which can exploit vulnerabilities to cause damage (e.g. electrical short circuits and
    sparks can ignite the fuel nearby, resulting in a fire).
 3. Potential Damages – These are the effects or damages that are inflicted on the business and its assets (e.g. loss of life due to fire;
    loss of building, equipment etc. due to fire). Note that risk exists only if an external threat exploits an internal vulnerability to cause
    damage or loss to your asset. You may have an empty house (no asset to be damaged/lost) with an unlocked door (vulnerability) and
    a thief lurking around (threat). But you face no risk!



Risk Assessment Model
 4. Severity Of Effects Score – This is a score on a scale of 1-5 which reflects the assessment of the seriousness of the damages listed
    in column 3, based on the Severity Score Criteria listed in the table below. The higher the severity, the higher the score. Note that the
    criteria in this and the following tables are not sacrosanct and are for example purposes. Practitioners may want to adapt these
    according to their experience.

Severity Of Effects          Score   Severity Score Criteria

Hazardous or Catastrophic      5     1. May cause loss of lives, buildings or sites
                                     2. The duration of recovery is very long

Very high                      4     1. May cause severe injuries
                                     2. May lead to severe damage to buildings, equipment and goods
                                     3. May cause severe hardships to customers, employees and suppliers and may lead to
                                        severe financial losses for all of them and the company
                                     4. The duration of recovery is long

High                           3     1. May cause major injuries
                                     2. May lead to major damage to buildings, equipment and goods
                                     3. May cause hardships to customers, employees and suppliers and may lead to
                                        financial losses for all of them and the company
                                     4. The duration of recovery is quite long

Moderate                       2     1. May cause minor injuries
                                     2. May lead to moderate damage to buildings, equipment and goods
                                     3. May cause moderate hardships to customers, employees and suppliers and may lead
                                        to some financial losses for all of them and the company
                                     4. The duration of recovery is moderate

None or Minor                  1     1. No injuries caused
                                     2. None or minor damage to buildings, equipment and goods
                                     3. Insignificant hardships caused to customers, employees and suppliers and may lead
                                        to minor financial losses for all of them and the company
                                     4. The duration of recovery is short


Risk Assessment Model
 5. Likelihood Of Occurrence Score – This score measures on a scale of 1-5 the likelihood of occurrence of the identified risk event
    arising from the potential cause, based on the guideline provided in the table below. The more likely the event, the higher the score.

Likelihood of Occurrence        Probability Score Criteria    Score

>90% chance of happening        Almost Certain                  5
70%-90% chance of happening     Likely                          4
50%-70% chance of happening     Possible                        3
30%-50% chance of happening     Unlikely                        2
0%-30% chance of happening      Rare                            1




 6. Current Mitigation Measures – Risk mitigation is a three-pronged weapon to alleviate the effects of risks.
    Firstly, there need to be Prevention measures in place so that the risk event is prevented from occurring (e.g. in the case of
    fire because of a short circuit, a prevention measure could be having adequate air gaps between conductors, providing the best
    class of insulators, etc.).
    Next, there need to exist Detection measures in case the risk event occurs, or better still so that the possible occurrence of the
    event can be detected even before the event occurs (e.g. in the case of fire, fire and smoke detectors may be installed for
    early detection).
    And finally, there needs to be a Response mechanism in place in case the event does occur (e.g. availability of fire fighting
    equipment, trained personnel who know how to handle fires, ready availability of fire tenders nearby and, above all, a well
    documented and tested plan to handle the situation). A well tested business continuity plan is also a part of the response
    mechanism.
Risk Assessment Model
 7. Mitigation Score – This score measures on a scale of 1-5 the assessment of availability of mitigation measures for the identified risk
    event, based on the evaluation criteria provided by the table below. The weaker the current measures in place, the higher the score.

Current Mitigation Measures   Score   Mitigation Score Criteria

Highly Ineffective              5     1. Prevention is impossible or prevention measures are not in place
                                      2. No known detection method is available, or even if available it has not been implemented
                                      3. No response mechanism, in case of the event occurring, has been put in place

Ineffective                     4     1. Prevention is possible but prevention measures are not in place, or even if in place
                                         they are not effective
                                      2. Known detection method(s) is/are available but it/they have not been implemented, or
                                         even if implemented they do not work effectively or work only sporadically
                                      3. Response mechanism is in place but is not effective

Moderately Effective            3     1. Prevention measures in place and are somewhat effective
                                      2. Detection methods have been implemented and are somewhat effective
                                      3. Response mechanism is in place and is somewhat effective

Effective                       2     1. Prevention measures in place and are quite effective
                                      2. Detection methods have been implemented and are quite effective
                                      3. Response mechanism is in place and is quite effective

Very Effective                  1     1. Prevention measures in place and are very effective
                                      2. Detection methods have been implemented and are very effective
                                      3. Response mechanism is in place and is very effective




Risk Assessment Model

 8. Risk Magnitude Score (RMS) – This is the score obtained by multiplying the three scores – Severity (S), Likelihood (L) and
    Mitigation (M). That is: RMS = S x L x M

    The RMS value can range from 1 to 125 and helps rank the identified risk events and the causes in order of priority. Higher scores
    will generally require higher priority in terms of actions to be taken.

9. Recommended Actions – This column specifies the actions that are recommended to be taken to bring down the RMS of the
   identified risk event. These actions should be directed towards reducing the severity of effects, towards reducing the likelihood of
   occurrence and also towards bringing in mitigation measures of prevention, detection and response.

10. Responsibility and Target Date – This column contains the names of persons charged with the responsibility of completing the
    recommended actions and the target date of completion.

11. RMS After Actions Taken – Once the actions have been taken a re-assessment of the risk is done and the new RMS score is
    obtained. Needless to say, if the actions taken have been effective then the score would come down.




Risk Assessment Model
Criteria For Risk Treatment

It may be noted that not all risks will require mitigating measures to be adopted. Based on the RMS score a risk may be:
    - Tolerated or Accepted – in case of low risk
    - Transferred (e.g. to insurance companies) – in case of medium to high risk, especially if it makes financial sense to transfer
      rather than mitigate from the return on investment point of view
    - Mitigated (using controls for prevention, detection and response as discussed earlier) – in case of medium to high risk
    - Subject to urgent corrective actions – in case of very high risks

The table below provides the evaluation criteria which may be used to decide whether a risk will be tolerated/accepted, transferred or
mitigated. Please note that this is only indicative; practitioners must apply their own judgment when creating their own criteria table.




RMS Score     Treatment

90-125        Take urgent actions
27-90         Mitigate or Transfer
0-27          Tolerate/Accept
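A worked implementation of the scoring model (worksheet columns 4 to 11) and the treatment criteria above, added here as an example and not part of the original slides. The sample register rows, the owner name and target date, and the handling of the overlapping band boundaries (27 and 90 are assigned to the higher band; a probability exactly on a likelihood band edge goes to the lower band) are constructed assumptions.

```python
# Added worked example, not the author's tool: an FMEA-style risk register
# implementing the S x L x M scoring and treatment bands from the slides.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _check_score(name: str, value: int) -> int:
    # Every S, L and M score must be an integer on the 1-5 scale.
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def likelihood_score(probability: float) -> int:
    """Map an estimated probability (0.0-1.0) to the slide's 1-5 likelihood
    bands. A value exactly on a band edge goes to the lower band (assumption;
    the slide's ranges overlap at their edges)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0.0 and 1.0")
    for threshold, score in ((0.9, 5), (0.7, 4), (0.5, 3), (0.3, 2)):
        if probability > threshold:
            return score
    return 1


def risk_magnitude(severity: int, likelihood: int, mitigation: int) -> int:
    """RMS = S x L x M, ranging from 1 to 125."""
    return (_check_score("severity", severity)
            * _check_score("likelihood", likelihood)
            * _check_score("mitigation", mitigation))


def treatment(rms: int) -> str:
    """Treatment band from the slide's criteria table. The table's shared
    boundaries (27, 90) are assigned to the higher band (assumption)."""
    if rms >= 90:
        return "Take urgent actions"
    if rms >= 27:
        return "Mitigate or Transfer"
    return "Tolerate/Accept"


@dataclass
class RiskEntry:
    """One row of the risk assessment worksheet (columns 1-11)."""
    vulnerability: str
    threat: str
    damage: str
    severity: int
    likelihood: int
    mitigation: int
    current_measures: str = ""
    recommended_actions: str = ""
    owner_and_target_date: str = ""
    # Column 11: (S, L, M) re-assessed after the recommended actions are taken.
    after_actions: Optional[Tuple[int, int, int]] = None

    @property
    def rms(self) -> int:
        return risk_magnitude(self.severity, self.likelihood, self.mitigation)

    @property
    def rms_after_actions(self) -> Optional[int]:
        return None if self.after_actions is None else risk_magnitude(*self.after_actions)


def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register by RMS, highest priority first."""
    return sorted(entries, key=lambda e: e.rms, reverse=True)


# Constructed sample register built around the slide's fuel/substation example.
REGISTER = [
    RiskEntry("Fuel storage near electrical substation", "Short-circuit sparks ignite fuel",
              "Loss of life; loss of building and equipment", severity=5,
              likelihood=likelihood_score(0.6), mitigation=4,
              current_measures="Portable extinguishers only, no detectors",
              recommended_actions="Relocate fuel; fit smoke and fire detectors; drill response team",
              owner_and_target_date="Facilities manager, 30/09/2010", after_actions=(5, 2, 2)),
    RiskEntry("Single supplier for a critical component", "Supplier insolvency",
              "Production halts for weeks", severity=4, likelihood=likelihood_score(0.25), mitigation=5),
    RiskEntry("Unlabelled archive boxes", "Misfiling", "Delays retrieving records",
              severity=1, likelihood=likelihood_score(0.8), mitigation=3),
]
```

Ranking the sample register puts the fire scenario first (RMS 60, "Mitigate or Transfer"); after the recommended actions its re-assessed RMS drops to 20, which the criteria table places in "Tolerate/Accept".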




