How to manage a risky project
In my previous column I introduced the topic of risk and explained how to perform an impact risk analysis. One reason for doing this exercise is to find out what type of risk, or exposure, is associated with your project. A chart indicating how the probability (on a three-point scale) of an attack intersects with the impact (also on a three-point scale) of a successful attack gives a general impression of the overall project risk or, from another point of view, the likelihood of failure.
For example, consider the following two risk charts:
Probability Impact of Attack
of Attack L M H
L 4 9 10
M 6 15 14
H 9 17 22
Project A
Probability Impact of Attack
of Attack L M H
L 8 4 3
M 6 5 2
H 3 2 1
Project B
The value in each cell represents the number of identified risks for the given combination. It is easy to see that Project A carries much more risk than Project B. We know we will have to manage Project A much more carefully than Project B.
But how do we manage risks? In general, two basic strategies may be followed. Taking steps to reduce the probability of an attack is called a countermeasure. Taking steps to reduce the impact of an attack is called a hedge. Risk management involves trying to discover cost-effective countermeasures and hedges so that we can downgrade the risk profile on our chart. For example, if we take a risk listed as HH and manage to apply a hedge, the risk will now be represented as HM. In this way we can gauge the effectiveness of our strategies as we plot before and after risk charts.
As you might expect, developing and implementing such strategies takes time and resources. Risk management tends to make any project longer and more costly. Of course, we are willing to pay those costs to avoid the impact of the risk.
How are countermeasures and hedges developed? In a number of ways. You can try to do it on your own. Consider each attack and its possibility/impact combination, and think of what you might reasonably do to minimize the risk. The problem with that approach is that you will probably forget something. In general it is much better to have a team involved in brainstorming such strategies.
The team should consist of whoever will be doing the work, the stakeholder for the task, whoever the final user of the output will be, the security officer (if available), and as many experts as you can gather. Many of these experts will be in your own organization, people who have worked on similar projects and who will be willing to share their experiences. Another excellent source of risk avoidance/minimization strategies are consultants. By using an external consultant who has a specialty in the topic area, you can leverage that knowledge very quickly. Remember to stay focused on the task at hand: it is very easy to be distracted when you have a number of experts gathered in one room.
Also, try not to do too much in a single meeting. Brainstorming is challenging, and the best you can hope for is two to three hours of creativity. My suggestion is to have one meeting just on determining the assets to be protected, the threats to the assets, and modes of attack those threats take. The meeting should also attempt to assign initial values to the probability of a successful attack, and to the impact of such an attack. Once the meeting is complete, you should review each probability/impact combination and determine whether it is legitimate. For example, a power surge that destroys delicate electronics is a possibility you will want to examine in more detail. On the other hand, the possibility of aliens attacking delicate electronics can most likely be discounted.
Your second meeting should focus on countermeasure/hedge strategies. Try to avoid spending too much time analyzing any one risk; otherwise you will never finish. Remember, in many cases it will not be possible to take countermeasures -- some risks are unavoidable. You cannot do anything to avoid an act of nature, for example, but you can try to hedge, or minimize its impact.
Finally, make sure that someone is put in charge of implementing your risk management strategy.
Your risk management strategy should be reviewed from time to time to make sure that it is still relevant and that no new risks have emerged that need attention.
» posted by abennett
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
