Risk and Risk Analysis - Term Paper Example

Running Head: RISK AND RISK ANALYSIS Risk and Risk Analysis Vinayak Mahajan RISK AND RISK ANALYSIS “Risks” are the threats that a business may have to face due to some uncertain and unexpected events resulting in destructive impact on its financial system and overall operation. Risk Analysis is a scientific approach of identifying the possible causes that can harm a company’s assets. Assets may include people, environment, material, information or legal issues. Causes leading to a risk include natural disasters such as floods, fire, earthquake to dishonesty of the employees, mismanagement of confidential information, delay of orders, theft, robbery, sexual harassment, violence or irresponsible behavior of company’s management and all. Risks are involved in almost every sphere of life so they cannot be escaped; however systems can be prepared for the undesirable alternatives. It is not always possible to evade every risk factor but risk analysis and security surveys help us identify the possible loopholes in the organization and minimize the loss. Also they help us to determine best actions in worst scenarios (Broder, 2006). Damages do not affect the company alone but each and every individual life associated with it and the respective country’s economic growth. High rate of jeopardy involved in a business discourage people to get associated with it and hamper the overall growth. If technology has revolutionized our lives, it is the technology that has created highly sophisticated hazards which make risk management more complicated and crucial. Security industry is growing at a fast pace to cater to the growing menace. Increasing terrorist activities, advanced weapons having difficult to track activities have placed the whole world in concern. It is rather easier to tackle the external threats than the factors internal to the business which proves to be a major challenge. Risk Management According to Fischer and Janoski (2000) “A Risk management program should follow four basic steps: 1. Identification of risks ... 2. Risk Analysis(study of risks), which includes the likelihood(probability) and degree of danger(vulnerability) of an event 3. Optimization of risk management alternatives ... 4. An ongoing study of loss-prevention programs” (p.15). Every potential risk causing factor or threat (apparent or anticipated) should be considered. Prioritizing risks is a very critical step as the resources to be spent on security might be limited. Complete study of all the odds should be done; history of floods, fire, earthquake, flaws in the structural design of the building, condition and standard of the material used in the building, installed alarm or smoke detection systems, cross examination of the employees, medical tests of the employees at the time of hiring, any cases of sexual harassment or violence, any danger or envy from a competitor or (international or domestic) terrorist groups, racism issues etc.. Any past records of calamity can be very helpful. Next task is to determine the degree of danger posed by each of the peril. The importance of hazard also depends on the type of business. An issue critical to a particular type of business may not be very significant in case of another. Cost-Benefit Analysis In an event of loss there are several cost considerations including the immediate losses and long term future losses such as: 1. Value of the item lost 2. Cost of temporary replacement 3. Cost of repair, new installation 4. Cost due to non operational time 5. Loss of other market assets In some cases, the cost of repair may exceed the actual cost of loss. A scientific approach based on Cost-Benefit analysis should be followed to determine if cost of cure is more than the actual loss (Fischer and Janoski, 2000). Cost-Benefit analysis is a very simple method to decide whether a change is a blessing or a burden. It is a very widely used approach. All the negative and positive effects must be expressed in same unit and the most convenient unit is dollars. Hence it can also be called a dollar loss-gain analysis. In the most basic form Cost-Benefit analysis takes only financial aspects into account. However other advantages and disadvantages can also be considered, which in some cases may outweigh the financial side. In the simplest terms, following steps can be followed: 1. Determine the overall cost of action 2. Calculate the total benefit obtained 3. Subtract the cost of action from the benefit 4. If the result is positive, the next thing to be calculated is the time it takes for the benefit to payback. Time is also crucial as high costs today and potential benefits after 10 years may also not be affordable. Cost-Benefit analysis also suffers from certain drawbacks as financial view is given the utmost importance and the effect of the change on other factors such as environment, society gets neglected. Risk Analysis Methodologies  Risk Analysis Methodologies can be categorized as follows: Qualitative Methodologies Preliminary Risk Analysis: In preliminary risk analysis we list the accidents that can occur while performing a particular activity. Each accident is analyzed separately in detail, covering the causes of the accident and available safety measures. Recommendations of improvement are made for each risk involved. Prioritizing risks is the next step required so that we can dedicate the available limited resources to improve the hazards which are more severe in causing tragedy. Based on the frequency of accidents due to each factor, a severity list is generated and the significant measures for improvement are suggested. Hazard and Operability studies (HAZOPS): This is a very simple, easy to understand and widely used method. It is a process to list out the variations from the proposed objective. They can be sorted out as a) Primary reasons b) Secondary reasons. Primary reasons are the main factors that directly effect normal course of action. Secondary reasons evolve from primary combined with other factors to influence flow. A team of different professionals having expertise in different fields are employed to study a process using systematic approach and find out primary and secondary reasons. Then depending upon frequency of these factors action is decided. Failure Mode and Effects Analysis (FMEA / FMECA): FMEA is a process of analyzing various defects that causes failure to system and their effects. This process needs to be started as early as design stage because the earlier the defect is found, it is easier to evaluate and fix it. The observations are documented after classifying them on the basis of severity, frequency with which that occurs. Tree Based Techniques Fault tree analysis (FTA): FTA is processed by defining a logical diagram which depicts logical occurrence of a fault event by identifying all related events. Event tree analysis (ETA): ETA is processed by identifying an event to be processed and then figuring out all events that can rose out of this event. Cause-Consequence Analysis (CCA): CCA is a combination of FTA and ETA where cause analysis can be depicted as occurrence of a fault and consequence analysis defined like event tree. Management Oversight Risk Tree (MORT): MORT is used for the evaluation of safety programs along with investigation of accidents and events. This is done to define top events from management perspective. Safety Management Organization Review Technique (SMORT): SMORT is refined form of MORT where analysis is done by asking questions and evaluated using checklist. Techniques for Dynamic system Go Method: An analysis model which is used to define success path for an event using different operators. Operators may be seen as parameters to an event. Digraph / Fault Graph: Digraph method is another analysis method which uses AND or OR operator to define path of events. It defines a connectivity matrix using these operators. Markov Modeling: A modeling technique to analyze time related behavior of systems where transitions occur at discrete points in time. Dynamic Event Logic Analytical Methodology (DYLAM): DYLAM technique is used to access events on factors like treat time, process variables and system behavior. Dynamic Event Tree Analysis Method (DETAM): DETAM is used to access events on factors like time-dependent evolution, process variable, and operator states over the course of a scenario. Security Surveys A security survey is needed to find out factors or influential causes that may hinder productivity or normal flow or even cause unpredictable losses. Losses may be due to natural causes (earthquake, storm etc), industrial accidents (fire, robbery) and crime losses (terrorist attack). Natural causes and industrial accidents are usually coped by industry using some common measures and insurance. While crime losses need differential measures to be worked out. A survey helps to create, update or evaluate current evaluation plans of security. After setting up these plans system is run against these evaluation parameters to determine deficiency or any malfunctioning. After that evaluation reports are created to remove or assist any discrepancy. Depending on industry and work environment there can be numerous factors that a security survey should cover but three most significant are a follows: Protection against crime losses that may be due to internal or external factors Proper structure of access-control with backup and disaster recovery procedures Well defined procedures for hiring, staffing and release of employee, material, products and all other things that are related to industry Technique to perform security survey is referred as audit. Before performing an audit a preliminary survey or an oral survey is performed which helps to quickly analyze whether audit is really feasible taking into account environmental conditions, budget etc.. Auditing techniques can be fieldwork and planning. Almost half of the time is devoted to fieldwork and other half to planning which involves survey planning, collecting and analyzing data. There are many audit techniques that may be used during the planning and fieldwork execution processes. Among established auditing techniques are: Flowcharting: This is a process of defining logical path to various operations involved in a system by breaking down into small parts. Auditor collects data by noticing the behavior of a system by providing conditions as defined in logical steps of flowcharting. Interviewing: This is a process of gathering information from interviewee by asking effective questions. Auditor needs to be good listener and should be able to summarize the views and comments received to put forth comprehensive and useful information. Sampling: Sampling is a process of getting information from limited resources and then putting forward conclusions derived using mathematical formulas or sampling table. Sample size and formula used to get final data determines reliability of analyzed data by this method. After analyzing and summarizing results, report is prepared. A security report is a document which outlines and prioritizes the gathered information for a system. The report is the most important communicative mode in security analysis cycle. The important things to be used in good report are: A cover page which gives small description about artifacts, execution time and date and other important information that is contained in report. An index page. A summary section highlighting positive and negative feedback along with security vulnerabilities. Prioritizing findings according to vulnerabilities along with recommendations to resolve them. A security report should be documented properly, kept confidential and saved. References Broder, J.F. (2006). Risk Analysis and the Security Survey (3rd Ed.). Boston, MA: Elsevier. Fischer, R.J., & Janoski, R. (2000). Loss Prevention and Security Procedures: Practical Applications for Contemporary Problems. Boston, MA: Elsevier. Read More