Risk Assessment - Essay Example

Risk Assessment Course Name/Code Institution Name Department Name Insert Your Name Insert Your Number Tutor’s Name 31 March 2009 Risk Assessment Risk assessment is a term that is used to refer to the process that is used to analyze and pinpoint threats that are exposed to an organization. Thus, ensuring that the threats have been analyzed and proper measures are in place guarantees that the organization assets and employees are safe. Various threats and risks occur in different scenarios and it is important for these organizations to understand their environment so has to formulate the appropriate risk assessment policy. In most instances such as in the IT industry, there are well developed policies and guidelines that enable the players within this industry to understand risks that they are exposed to resulting in the formulation of the appropriate measures that guarantees safety of the organizational properties. Thus, the aim of this paper is to analyze risk assessment that can be utilized in any organization; however, putting some emphasis on the IT industry. Moreover, the paper focuses on the link that exists between AS4360 and systems of risk assessment. Nevertheless, the paper shows that utilization of AS4360 framework is an effective strategy towards ensuring that risks are avoided and a guideline towards risk assessment. The first part of the paper proposes two systems of risk assessment, which would be subjected to AS4360 test; this will enable choosing the most effective system. The second part of the paper argues the importance of performing risk assessment in providing a guideline in resource allocation in an organization. In Australia and New Zealand, AS4360 is a general standard that is used in assessing of risks. Organizations are supposed to follow this guideline in developing the appropriate strategy towards picking the appropriate risk assessment (Sadgrove, 2005, p. 277). Generally, the AS4360 helps organizations strategically pick the appropriate risk assessment approach. This standard (AS4360) when been developed brought into consideration stakeholders from various industries into streamlining it. Moreover, introduction of this standard as helped in the development of advisory professionals who plays an important role in organizations through assisting in the development of the appropriate risk assessment and ensuring that the appropriate approach in managerial strategy towards eliminating/reducing risks. An Analysis of Two Risk Assessment Systems Most organizations develop internal risks assessment systems, which ensures that their internal needs are meet. In most cases, historically two frameworks have been utilized in developing risk assessment. Jones & Vidalis (2005, p. 3) states that risk result from combination of capabilities, opportunities and motivations that results into crime. This common framework has been utilized by many industries over years. It utilizes the understanding of the environment in trying to pinpoint areas that are threats to the organization’s operation. Motivation is important in the way that workers operates and hence it is important for the management to understand what motivates the workers to do actions that becomes a threat to the organization, thus knowing the motivational factors ensures that the management takes the appropriate actions to counter them. Cox and Rice (1990, p. 325) give an example of security as a motivating factor. In fact, they state that those organizations that are exposed to vandalism due to poor security will tend to improve the security through utilization of surveillance devices or increasing security work force. The capability of people participating in risky activities to the organizations property should be factored in risk assessment through ensuring that internal mechanisms are above the risk threats (Tregear, 2001, p. 20). Thus, as the people plan to do harm to the organization they will have to take a lot of time strategizing by which the organization has improved internal mechanism to counter the threats. This then creates a cycle in which it ensures that organization properties are well secured in both short and long times. On the other hand, when threats are given opportunities they will adversely affect the organization, thus it is crucial for the organization to seal areas that opportunities may arise. However, the disadvantage of using this framework is the wide array of assumptions that are made by the security departments. This is because the management believe that they can understand motivation, opportunities and capabilities that encourage the individuals becoming threats to the organization. Moreover, opportunities, capabilities and motivation usually keep changing with time. Generally, utilizing this framework will give a hard time to the security personnel in estimating chances of threats that may be risk factors to the organization. AS/NZS4360:2004, a second kind of framework views risk as the chance of occurrence that will impact the organization thus it is important to investigate the consequences that results from persistent threats. This new framework is supposed to replace the earlier framework (motivation, opportunity and capability) (Sennewald & Christman, 2008, p. 558); however, its capability has not been exhaustibly tested because few organizations utilize it. This approach is better because strategies are development from understanding the consequences if attacked by threats. Thus, understanding the consequences ensures that the internal system are developed in such a way that they are not vulnerable to threats. By comparison, the first framework improves on the threats and risks that have occurred and usually concerned with the future while the AS4360 acts as a preventive measure. It is preventive measure because the management creates ploy, perceived threats, and then develop measures to counter this. For example, in the computer industry and other industries, the management employs hackers and burglars to break into their system and monitors their development. Thus, when the burglars and hackers succeed the appropriate measures are taken and at the same time the hackers and burglars advice the management on the pitfalls of the system and any perceived threats strong points. Hence, utilization of the AS/NZS4360:2004 plays an important role in risk assessment process. Moreover, it is important for the two frameworks to be blended developing a single framework that ensures that threats are kept in a distance. Such a blend will guarantee security at the time of transition; this is when the organization changes between the frameworks. Moreover, it is important that professionals are factored in the development of the system and the staff should be trained to understand the security measures resulting in the success of the organizations (Davis & Herting, 2007, p. 32). Importance of Risk Assessment in Resource Allocation It is important to assess the threats that are exposed to organizations. This is because poor understanding of threats that are exposed to the organization contributes into inadequate preparedness. Moreover, the organization should not only concentrate on countermeasures but also have to understand the extent of risks that may affect the departments or equipments. This will give the opportunity to the management to apportion resources depending on the severity of predicted risk. Thus, the more dangerous threats the better countermeasures resources allocation. Hence, this section explains the importance of assessing risk, which enables distribution of resources within an organization. Some importance of estimating the resources that are allocated to various threats are: It provides knowledge – Utilizing risk assessment gives the security department a better understanding on the severity of exposed threats and estimating costs that may be incurred. Thus, understanding the threats the managers will allocate the available resources to tackle the problem for the short time risks while preparing strong groundwork for long run risks. This will influence positively the fight against threats (Davis & Herting, 2007, p. 32). Understanding agent’s capabilities – through carrying out fake threat and testing the severity of the system, the security department will have an upper hand in understating real abilities of the perceived risks in destroying equipments or systems. Thus, the predicted severity and the likeliness of it occurring give advance knowledge for the organization to allocate the appropriate amount of resources to strengthen the system. This is, if the perceived risks impact are minimal lesser resources may be allocated while extensive impact may require proper consideration in the allocation of the resources. Hence, at the end of the day, there would be proper utilization of resources. Helps in understanding the faults that are in a system – In most instances, internal systems of the organization may rigorously put in place security measures, which are threat proof. Nevertheless, introduction of powerful threats may break this professionally built systems and cause serious damage to the entire organization. This will then give opportunity to the organization to proof whether the organization that development the risk proof system fulfilled their contractual agreements or promises. This then will guide the organization in determining the appropriate professionals that could provide system security with relevant cost if the systems may break down and the extent of the severity. Opportunity to compare historical threats and cost – Coster & Hankin (2003, p. 547) view that through understanding the risk assessment procedures, the organization will be able to understand the severity of previous threats, thus enabling the organization to understand the measures and resources that were allocated at that time. At times organizations may invest a lot in risks that are non-consequential and at the same time ignoring disastrous risks. Hence, understanding history of threats that are exposed to an organization enables the organization to develop proper structures to counter thus threats. Moreover, frequent tests on threats ensure that the security department puts in place appropriate measures to guarantee their security systems safety. It enables testing the organization preparedness – Various organizations performs unplanned fake attacks that determines to understand the preparedness of the security system and employees in countering threats. This will develop the sharpness and alertness of the security department and employees in taking measures that protects the organization system from damages when attacks occur. This is because preparedness usually is costly and requires many resources to counter the threats. Thus, risk assessment gives the opportunity to the organization to budget and draw measures that gives security departments and employees understanding when exposed to security complications. Else, the organization is exposed to risk and threats that may destroy the organization systems and equipments (Davis & Herting, 2007, p. 33). Outside professionals may assist the organization – in most instances, fake attacks are carried out by outsiders, thus giving the opportunity to the organization to receive professional help and advice regarding the severity and stability of risk and risk measures. Thus, the interactions between the professionals and security department officials help in understanding best practices that may be employed during different situations. This is because the professionals have a better understanding on risk and threats since they have operated in a wide array of industries. Hence, utilizing such wealthy knowledge ensures that the organization exploits security measures ensuring that the equipments and employees are shielded against threats and risks. Enable the organization to compare threats - carrying out tests and bringing into consideration assistance form professionals enable the organization to compare threats that affects the organization with threats that are affecting organization that are in the same industry. Moreover, financial are resource allocation between the team players may also be compared (Sennewald & Christman, 2008, p. 558). This enables to understand the approach in which other players view risks and security measures that are in place to counter these threats. Thus, the professionals who are utilized provide some useful data that is compared across same organizations within the industry. Hence, these data assists in the development of proper frameworks that strengthens the security measures, which else could have not been possible without the risk assessment (Henderson, 1998, p. 5). Generally, the paper has shown that it is crucial for organizations to perform risk assessment in ensuring safety of the workforce and the equipments of the organization. The security structures security strength is improved through frequent performances of regular assessments. The AS4360 standard plays an important role in ensuring that the organization sticks on measures that guarantee the safety of the workforce and equipments. The comparison between AS4360 and crime triangle has shown that AS4360 is better for the organization to perform productive risk assessments. Thus, the security departments are encouraged to utilize the AS4360 in their security procedures that should be carried out regularly. References Coster, M. N., & Hankin, R, K. (2003). “Antagonistic hazards’ Risk assessment.” Journal of Loss Prevention in the Process Industries, 16, 545-550. Cox, L. & Ricci, P. (1990). New Risks: Issues and Management. London, UK: Springer. Davies, S. & Hertig, C. (2007). Security Supervision and Management: The Theory and Practice of Asset Protection, 3rd Ed. London, UK: Butterworth-Heinemann Publishers. Eck, J. (2003). Become a Problem-Solving Crime Analyst: In 55 Small Steps. Washington, US: Willan Publishers. Hendershot, D. (1998). Comparing Industrial Risk Analysis. Pennsylvania, US: Rohm and Haas Company. Jones, S. & Vidalis, A. (2005). Analyzing Threat Agents & Their Attributes. Wales, UK: School of Computing, University of Glamorgan. Sadgrove, K. (2005). The Complete Guide to Business Risk Management, 2nd Ed. London, UK: Gower Publishers. Sennewald, C. & Christman, J. (2008). Retail Crime, Security, and Loss Prevention: An Encyclopedic Reference. London, UK: Butterworth-Heinemann. Tregear, J. (2001). “Risk assessment.” Technical Report Regarding Information Security, 10, 19-30. Tpton, H. & Krause, M. (2002). Information Security Management Handbook, 4th Ed. New York, US: CRC Press. Read More