Describe the risk scenarios
Find out what risk scenarios are, and how to write clear risk scenarios that will help you to analyse them during the risk assessment.
Working out risk scenarios
A risk scenario is a way to find out if any risks exist to an information system — leaking its confidential information, or harming its integrity or availability. If they exist, list the causes of each risk and the effects if they happen.
Be clear when describing risk scenarios
The key here is to be specific, using the structure of risk scenarios to help you in writing them. With more detailed information, you’ll be able to properly assess the likelihood and impact of each risk during the analysis phase.
Structure of risk scenarios
- Because [risk cause],
- [risk event] happens,
- causing [risk impact].
Tips for writing clear risk scenarios
The business and technical contexts normally inform what the possible causes of risks are.
Make sure that you and the stakeholders discuss all possibilities — there can be more than one cause of a risk.
Example of a badly written risk scenario
This shows why it’s important to write risk scenarios clearly.
When you move on to assess the likelihood and impact of this poorly written risk scenario, you will find it difficult, if not impossible, to do so. It is too vague to allow any meaningful discussion about the risk.
This improved risk scenario will be much more useful during the risk analysis phase of the risk assessment. Remember, if you do not properly explain or become aware of risks in the identification phase, then you’ll likely miss them entirely.
Your chances of catching risks later in the assessment process are low, which is why it’s important to put the work in here.
List the causes and impacts of risks
Identifying all of the risks to an information system helps you and your team in finding and selecting controls to manage each risk.
With this goal in mind, it’s also useful to write out separate lists for the causes and impacts of risks. Even though the risk scenarios have this information, these lists provide a clear idea of:
- where risks are coming from
- how they could harm your organisation.
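The scenario structure above, and the separate cause and impact lists, as an added example that is not part of the original guidance: a small Python model that renders each scenario in the "Because ..., ... happens, causing ..." form, flags scenarios too vague to assess, and builds the cause and impact lists across a set of scenarios. The example scenarios, the vague-wording list and the minimum-length rule are constructed for illustration.

```python
from dataclasses import dataclass

# Wording that usually signals a scenario too vague to assess (constructed list).
VAGUE_TERMS = ("hackers", "something bad", "bad things", "problems", "issues")


@dataclass(frozen=True)
class RiskScenario:
    cause: str   # [risk cause]
    event: str   # [risk event], written as a noun phrase
    impact: str  # [risk impact]

    def render(self) -> str:
        """Render the scenario in the page's three-part structure."""
        return f"Because {self.cause}, {self.event} happens, causing {self.impact}."


def check_scenario(s: RiskScenario) -> list:
    """Return the reasons a scenario is too unclear to analyse (empty if none)."""
    problems = []
    for part, text in (("cause", s.cause), ("event", s.event), ("impact", s.impact)):
        if len(text.split()) < 3:  # assumed rule: fewer than three words is a placeholder
            problems.append(f"{part} is too short to assess: {text!r}")
        if any(term in text.lower() for term in VAGUE_TERMS):
            problems.append(f"{part} uses vague wording: {text!r}")
    return problems


def causes_and_impacts(scenarios: list) -> tuple:
    """Separate lists of where risks come from and how they could harm the organisation.
    A cause or impact shared by several scenarios is listed once, with all its events."""
    causes, impacts = {}, {}
    for s in scenarios:
        causes.setdefault(s.cause, []).append(s.event)
        impacts.setdefault(s.impact, []).append(s.event)
    return causes, impacts


# Constructed scenarios for a hypothetical payroll system.
SCENARIOS = [
    RiskScenario("the payroll database administrator password has never been rotated",
                 "access to the payroll database by a former contractor",
                 "disclosure of staff salary data"),
    RiskScenario("the payroll database administrator password has never been rotated",
                 "unauthorised changes to bank account numbers in the payroll database",
                 "salaries paid to the wrong accounts"),
    RiskScenario("backups of the payroll server are never restore-tested",
                 "a ransomware infection of the payroll server",
                 "payroll being unavailable for more than a week"),
]
VAGUE = RiskScenario("hackers", "something bad", "problems")
```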