Limiting the topic to aspects of risk management in the corporate environment, the concept of risk applies to a multiplicity of subjects: we talk about project risk, information risk, worker risk, and so on.
Risk formed a part of the study of probability until the middle of the last century, when it was introduced into the more general theory of business organization. During the late 1800s and the first half of the 1900s, the various pioneers of bureaucratic, administrative, scientific and humanistic management had not bothered much about analyzing the components of risk in the organization. It was only around 1950, following the conclusion of World War II and in light of that experience, that principles of indeterminacy and contingency were introduced. It is with the theory of chance and of complex systems in business organization theory that the treatment of risk analysis and management began to find a place.
Risk analysis denotes a set of techniques that use scientific data and statistical calculations to produce reliable estimates of the occurrence of specific hazards under given scenarios. It is a process of qualitatively and quantitatively describing the likelihood and potential impact of certain risks, formulating decisions or proposing alternatives/options to control them, and communicating the results of the risk assessment and the suggested decisions to all stakeholders.
The analysis is thus a process consisting of three nodal components: risk MANAGEMENT, risk ASSESSMENT, and risk COMMUNICATION. It follows that “risk” is the element that drives the design choices of a product or service.
The more precise term for the technique of analyzing and assessing possible hazards is actually risk assessment. It takes place through the following steps:
- Identification of the system to be examined
- Identification of risks
- Risk estimation (estimating the likelihood and the impact of each identified risk)
- Risk evaluation (comparing the estimated risk with the level considered tolerable)
- Possible actions for risk reduction
- Once tolerable risk is reached, preparation of information for users on the residual risks and, where appropriate, on suitable measures to reduce them further.
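The steps above can be carried through on a concrete risk register. The following is an added example, not code from the article: it uses the common annualized loss expectancy model (single loss expectancy SLE = asset value × exposure factor; ALE = SLE × annual rate of occurrence), estimates the inherent ALE of each threat, evaluates it against a tolerable-ALE threshold, selects for each intolerable risk the countermeasure with the best net benefit (ALE reduction minus annual cost), and reports the residual risk and whether it is now tolerable. The assets, threats, countermeasures, their figures and the threshold are constructed assumptions for illustration.

```python
"""Worked quantitative risk assessment (added example, not from the article).

Model: SLE = AV * EF, ALE = SLE * ARO. Every asset, threat, control and figure
below is a constructed assumption, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # asset value (AV), currency units


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # name of the asset the threat acts on
    aro: float            # annualized rate of occurrence (events per year)
    ef: float             # exposure factor: fraction of AV lost per event, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    threat: str           # name of the threat the control mitigates
    annual_cost: float
    aro_factor: float = 1.0   # residual ARO = ARO * aro_factor
    ef_factor: float = 1.0    # residual EF  = EF  * ef_factor


def ale(asset: Asset, threat: Threat) -> float:
    """Annualized loss expectancy for one threat against one asset."""
    sle = asset.value * threat.ef
    return sle * threat.aro


def apply_control(threat: Threat, control: Control) -> Threat:
    """The same threat with likelihood and/or impact reduced by the control."""
    return Threat(threat.name, threat.asset,
                  threat.aro * control.aro_factor,
                  min(1.0, threat.ef * control.ef_factor))


def assess(assets, threats, controls, tolerable_ale):
    """Risk estimation, evaluation and reduction over a register.

    For each threat: estimate inherent ALE; if it exceeds tolerable_ale, try
    every applicable control and keep the one with the largest positive net
    benefit (ALE reduction minus its annual cost); report residual ALE and
    whether it is now within tolerance. Risks already within tolerance are
    accepted as they are.
    """
    by_name = {a.name: a for a in assets}
    report = []
    for t in threats:
        a = by_name[t.asset]
        inherent = ale(a, t)
        chosen, residual = None, inherent
        if inherent > tolerable_ale:
            best_net = 0.0
            for c in (c for c in controls if c.threat == t.name):
                r = ale(a, apply_control(t, c))
                net = (inherent - r) - c.annual_cost
                if net > best_net:
                    best_net, chosen, residual = net, c, r
        report.append({
            "threat": t.name,
            "asset": a.name,
            "inherent_ale": round(inherent, 2),
            "control": chosen.name if chosen else None,
            "residual_ale": round(residual, 2),
            "tolerable": residual <= tolerable_ale,
        })
    return report


def run_example():
    """Constructed register: figures are illustrative assumptions only."""
    assets = [Asset("customer-db", 500_000.0), Asset("field-laptop", 2_000.0)]
    threats = [
        Threat("ransomware", "customer-db", aro=0.2, ef=0.6),
        Threat("laptop theft", "field-laptop", aro=1.0, ef=1.0),
    ]
    controls = [
        Control("offline backups", "ransomware", 15_000.0, ef_factor=0.2),
        Control("EDR", "ransomware", 30_000.0, aro_factor=0.25),
        Control("full-disk encryption", "laptop theft", 500.0, ef_factor=0.1),
    ]
    return assess(assets, threats, controls, tolerable_ale=10_000.0)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

In the constructed data the ransomware risk (inherent ALE 60,000) is treated with offline backups, which has the higher net benefit, but the residual ALE of 12,000 still exceeds the 10,000 threshold, so the report flags it as not yet tolerable: this is the case where a further reduction step, or explicit information on the residual risk, is still owed. Laptop theft is already within tolerance and gets no control, even though one is available. The selection is deliberately one control per threat; combining controls is a straightforward extension.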
“Risk Assessment” is the determination of the “qualitative” or “quantitative” value of risk related to a concrete situation and a specified “threat.” It can be applied in various contexts, such as the IT sector (information security), the assessment of occupational health and safety risks or, in banking, the assessment of risks related to payment systems.
The “Risk Assessment” helps to define:
- What to protect, and from whom, through analysis of critical processes, identification of assets, and analysis of the threats actually feared
- How much to protect and how to protect it, by estimating the impacts and implementing appropriate countermeasures, according to the actual needs or the risk levels detected.
Systematically applying the correct methodology will yield the following benefits:
- Repeatability of analysis and results
- Greater efficiency in conducting the analysis
- Greater comprehensiveness and coverage of threats
- Greater independence from corporate functions.
The methodology to be followed for proper information security management must adhere to the following steps:
- Analyze the risks;
- Identify security measures and prepare a plan to implement them;
- Create awareness and spread a culture of security;
- Train staff and inform them continuously;
- Check the security measures in place and adjust them;
- Perform reporting, monitoring and auditing activities.
To conclude, proper Risk Analysis is applied by pursuing the following objectives: knowing the risk; assessing and promptly intervening in the areas recognized as the most critical; entrusting this assessment to experts who can design and implement secure systems that provide quick solutions; developing maintenance programs; and using risk as one of the comparative parameters for evaluating alternative systems.