1.8 IT Risk Scenarios
A risk scenario is a visualization of a possible event that can have an adverse impact on business objectives.
Organizations use risk scenarios to imagine what could go wrong and create hurdles in the achievement of business objectives.
A risk scenario should be based on an identified risk. It is developed on the basis of potential threats to the business assets. A risk practitioner can identify potential threats from the risk register.
Risk scenarios may be based on events such as system failure, natural calamities, network unavailability or any other event that can impact business operations.
Risk scenarios are considered the most effective technique for assessing business risk.
A risk scenario helps to estimate the frequency and impact of the risk.
Risk Scenario Development Tools and Techniques
Risk scenarios should be based on real and relevant risk events.
Though past incidents can serve as the basis of creating a risk scenario, risk practitioners should also look for new and emerging risks.
Imagining risk scenarios requires creativity, thought, consultation and questioning.
Risk scenarios can be developed from either a top-down perspective or a bottom-up perspective.
In a top-down approach, risk events are identified from a senior management perspective.
In the top-down approach, risk scenario development starts by identifying business objectives. Risk scenarios are then developed for risk events that can directly impact the business goals and objectives.
Involvement of senior management in designing the risk scenario is of utmost importance.
The top-down approach looks at both IT and non-IT risk events and hence can be referred to as general risk management.
As the top-down approach deals with senior management goals, a risk practitioner can easily obtain buy-in for a risk management program.
In a bottom-up approach, risk events are identified from the process owner/employee's perspective.
Risk scenarios are identified by employees performing the job functions in specific processes.
An organization should make use of both the top-down approach and the bottom-up approach for developing risk scenarios. They are complementary to each other and should be used simultaneously.
In the top-down approach, major risks to business objectives are addressed, whereas in the bottom-up approach, process-level risks are addressed.
Benefits of Using Risk Scenarios
A risk scenario is the easiest and most effective way to explain risk to business process owners and other stakeholders.
As a risk scenario requires the involvement of all the process owners, information gathering becomes more relevant and realistic.
Risk scenarios help to identify the risks that are aligned with business objectives.
Developing IT Risk Scenarios
A risk scenario includes the following components:
Key aspects from CRISC exam perspective