IT RISK IDENTIFICATION AND ASSESSMENT METHODOLOGY

Abstract

There are numerous methods for risk identification and risk assessment phases. Which for risk identification includes historical and systematic approach and inductive or theoretical analysis. One of the main reasons why risk identification is very helpful is that it provides justification in many cases for any large IT investment and other large undertakings. Without it organization probably wouldn’t be able to come to conclusion. Also in this phase business recognize the threats, vulnerabilities, and assets associated with its IT systems. Together with risk assessment phase risk management specialist is responsible for determining asset value, what's the value of the asset business is protecting, and risk acceptance level.
 Risk assessment on the other hand examines impact or consequence, as well as examines and evaluates the likelihood or probability of that adverse event happening. Risk assessment includes methods like Bayesian analysis, Bow Tie Analysis, brainstorming or structured interviews, business impact analysis, cause and consequence, cause-and-effect analysis, Delphi method, event tree analysis, fault tree analysis, hazard analysis, hazard and operational studies, and finally structured what if technique or SWIFT process. Risk assessment has two distinctive assessment types- quantitative and qualitative assessment. Quantitative assessment tries to put a monetary value on all risks. Qualitative assessment on the other hand rather look at it from a range of values like low, medium, high. The results of these phases are going to be documented in the risk assessment report and reported to senior management.