A qualitative Risk Analysis typically involves holding one or more ‘RA workshops’, bringing together a bunch of experts in risk (including but ideally not just information risk), information security, compliance, IT, internal audit and the business (concerned managers, business continuity people) etc. with a competent facilitator (again, ideally someone outgoing with a background in information risk, possibly just a brilliant facilitator with an interest in making it happen and a successful record!) to organize and lead the session/s.
Here are my hints on organizing and running RA workshop session/s (based on my personal experience and prejudices: your approach will vary!):
- Do some preparatory work before even booking or inviting people to the first event – in particular, consider the purpose. What do you expect the organization to get out of it? Why should people invest their valuable time by participating? Find out how other kinds of risks are analyzed/assessed normally, and how workshops are typically run. Speak to supportive senior managers to get them on-board with this – their support, and ideally their participation, will be invaluable. Start talking to other potential participants to sound them out, informally, and hopefully get them engaged/interested if not actually committed to participate (note: ‘participate’ not ‘attend’!). Once word gets around and others start to enquire about joining in, it’s time to press ahead to phase 2 …
- Based on the availability of key people, decide on the (first) session date, book a suitable meeting room or videoconference facilities, and send out invitations with a clear description of the purpose. Ideally send out background info too, such as an outline of relevant information risks already identified and managed, plus items for discussion such as further info risks that perhaps ought to be assessed and treated too (e.g. based on recent incidents, within the organization or elsewhere). Perhaps give people some homework to do before the session – at least a few issues to consider and hopefully get them in the right frame of mind for a productive session. Work closely with the facilitator (if not you) and other key players. Think about how the session/s will be run – perhaps even rough out the agenda.
- Keep promoting the event/s. [It may be possible to complete the whole thing in one session, but I suggest leaving open the possibility of further sessions, follow-ups, focus groups or whatever might be needed to explore some aspects in more depth, or simply to complete a wide-ranging analysis. It may be hard to convince people to commit to a lengthy and laborious process, so be sure to clarify the benefits: explain why this is a worthwhile and necessary investment of everyone’s time! The payoff includes awareness, understanding, collaboration, decisions, agreement, authority to proceed etc. …] Spend time contacting and meeting people, explaining what is going on, reiterating the purpose, and generally lining things up. Send out reminders a week or so before the event. Via or in conjunction with those supportive senior managers, apply thumbscrews to any key people who are still reluctant to participate. As a last resort, persuade them to attend key parts of the session (beginning, middle or end – wherever they will gain and provide most value).
- Meanwhile, get things ready for the event itself. You’ll probably need whiteboards, for instance, but what else? How will the session pan out? What’s the agenda and timescale? How will things be recorded, and by whom? What outputs are to be generated? What inputs/info might be needed, or should be accessible? Order coffee and donuts!
- Think about the team dynamics and personalities of those who will participate. Are there shy people who need to be supported to open up? How? Are there assertive ones who may need to be gently restrained? How? Are there bones of contention, hot buttons to be pushed, parked or avoided? Who are the diplomats, the most powerful, well-connected and well-respected people present who can help keep things running smoothly and on-track?
- There are lots of ways to run the session: my personal favourite involves first setting the background and explicitly agreeing the objectives, then getting people to write down their initial thoughts/ideas on Post-It notes (one per note), then inviting them one at a time to stick their notes on the whiteboard (ideally in related groups) while explaining briefly what concerns them. Don't dominate, facilitate! Let the discussion evolve and continue naturally from there, with gentle guidance as needed … gradually bringing things together by focusing on building, say, a PIG (Probability Impact Graph) or risk spectrum diagram or risk matrix or whatever – something, anyway, that brings sense and order to the thoughts and discussion, drawing out important themes, concerns or issues. Gradually firm up the group’s view of the information risks, relative to each other and perhaps relative to other risks to the organization. Check that you are on-track and meeting the objectives. Put extra effort into discussing and clarifying the main risks, and any issues, concerns or matters still unclear. Pick out and record any show-stopping/surprising comments, agreements, disagreements or decisions for extra emphasis. Close by thinking forward to next steps: is more analysis needed, e.g. another meeting? Are there already actions arising that need to be initiated and progressed? Who needs to do what, how and by when? Who else needs to be involved or agree to that? Finally, check that you’ve met the objectives, sum up what you’ve achieved, outline what happens next, and of course thank everyone for their active participation.
- Follow-up. At the very least, tidy up the records and outputs of the session and circulate them to participants and other interested parties (possibly a brief overview for everyone – it’s a security awareness opportunity after all!). Get going on those actions arising e.g. update your risk register, Risk Treatment Plan, budget proposals etc. Make notes on how to make these activities even better next time.
There are websites, books and probably training courses in this area if you need even more guidance, as well as standards and methods for risk analysis and management as a whole. I’ve learnt how to do it by participating in and organizing these and other similar sessions, and by trying stuff out over several decades. It’s exhausting but can be fun and very rewarding when it goes well. An effective group is greater than the sum of its parts.
If risk workshops don't appeal, another approach is to do the initial risk analysis yourself (perhaps with your team or someone from Risk) on the basis of your knowledge, experience, expertise and biases (!), producing a ‘straw man’ that you can then discuss with individuals or small groups, modifying it as you go according to those discussions and further information that comes to light, including incidents and near-misses plus ongoing risk treatments. Work your way systematically up to and then around the management team, plus assorted info-risk-related experts. Every time you discuss it with a new person, add them to the distribution list for periodic updates including notes about recent changes made, to keep them informed as the picture evolves. It becomes a kind of live status report on the organization’s information risks – a metric, in fact – that focuses attention on the risks identified, prioritized or ranked according to the consensus opinions of their relative probabilities and severities (or whatever parameters you use). Take the opportunity to mention information security initiatives and challenges, emphasizing how your work relates to risks of concern to the business.
Although the process (however you do it) is clearly subjective, I believe it would be a huge improvement for many organizations that either don’t do this kind of thing at all, or leave it entirely to someone buried away in the deep dark depths of IT or Risk. Stronger interaction or engagement between “information security” and “the business” is invaluable in gaining and retaining widespread support for an ISO27k ISMS, when the time is right.
PS Chris Hall suggested that it might be worth running workshops with different groups of attendees, giving them the chance to explore their areas of concern more freely perhaps than in a mixed audience:
"You might need to hold a few workshops with different groups of attendees from different business areas. For example, it would not normally be a good idea to hold a risk workshop with both IT techies and some business function people."