Identifying Risk Scenarios

HOPEX IT Risk Management : HOPEX IT Risk Management : Using HOPEX IT Risk Management : Managing IT Risks : Identifying Risk Scenarios

If required, you can define risk scenarios and identify the cause-and-effect relationship between risks.

An IT risk scenario is the description of an IT event that, if it occurs, can have an impact on the activity of the enterprise.

Creating a risk scenario

To create a risk scenario:

1. See "Accessing the IT Inventory".

2. Click Risks > Risk Scenarios.

3. Click New then Next.

4. In the Risk Scenario Element section, connect:

• applications, or

• software technologies

The Risks section does not display risks that are derived from diagram initialization.

Creating a risk scenario diagram

The IT RM Manager identifies cause/consequence type dependencies between risks using a risk scenario diagram. This diagram is used to create a network of risks with the aim of identifying pivot risks.

For more details on pivot risks, see "Pivot risks, causes and consequences".

To create a risk scenario diagram:

Click on the risk scenario icon and select New > Risk Scenario Diagram.

The following objects are automatically positioned on the diagram:

• the applications or software technologies

• the vulnerabilities and threats

• The business capability processes and business roles are now connected to the application.

• the associated risks

Risk scenario diagram example

Causality links

Risks are linked to each other by causalities (represented by links). These causality links are specific to a scenario.

Pivot risks, causes and consequences

Risks can be considered alternatively as:

• cause

• consequence

• pivot risk

A pivot risk is a risk that, in a risk scenario diagram, is linked to at least one cause and possibly one or more consequences.

A pivot risk can have more than one cause and consequence.

Risk causality report

A risk causality report summarizes the causality links of a risk scenario diagram.

To access this report:

In the properties page for a risk scenario, select the Risk Causality Report page.

Risk causality example

This report highlights the "pivot risks" of a risk scenario, that is, risks that are found in the middle of a risk chain.

This risk chain comprises:

• risks that are seemingly minor (such as technical IT risks, for example)

• risks that could have major consequences (such as important business risks, for example)

The processing of pivot risks is key to preventing these major risks from arising.

Examples

The scenario diagram below is illustrated by the corresponding causality report.