Risk management is both art and science. There is no better example of risk as an art form than risk scenario building and statement writing. Scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that succinctly describes the circumstances and consequences if it were to happen. The narrative is then further distilled into a single sentence, called a risk statement, that communicates the essential elements from the scenario.
Think of this whole process as a set-up for a risk assessment as it defines the elements needed for the next steps: risk measurements, analysis, response and communication. Scenario building is a crucial step in the risk management process because it clearly communicates to decision-makers how, where and why adverse events can occur.
Risk scenarios and statements are written after risks are identified, as shown in figure 1.
Figure 1—Risk Identification, Risk Scenarios and Risk Statements
What is a risk scenario?
The concept of risk scenario building is present in one form or another in all major risk frameworks, including NIST Risk Management Framework (RMF), ISACA’s Risk IT and COSO ERM. The above frameworks have one thing in common: the purpose of risk scenarios is to help decision-makers understand how adverse events can affect organizational strategy and objectives. The secondary function of risk scenario building, according to the above frameworks, is to set up the next stage of the risk assessment process: risk analysis. Scenarios set up risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.
See figure 1 above for the components of a risk scenario. Risk scenarios are most often written as narratives, describing in detail the asset at risk, who or what can act against the asset, their intent or motivation (if applicable), the circumstances and threat actor methods associated with the threat event, the effect on the company if/when it happens, and when or how often the event might occur.
A well-crafted narrative helps the risk analyst scope and perform an analysis, ensuring that the critical elements are included and irrelevant details are not. Additionally, it provides leadership with the information they need to understand, analyze and interpret risk analysis results. For example, suppose a risk analysis reveals that the average annualized risk of a data center outage is US$40M. The risk scenario will define an “outage,” which data centers are in scope, the duration required to be considered business-impacting, what the financial impacts are and all relevant threat actors. The risk analysis results combined with the risk scenario start to paint a complete picture of the event and guide the audience down the path to well-informed decisions.
For more information on risk scenarios and examples, read ISACA’s Risk IT Practitioner’s Guide and Risk IT Framework.
What is a risk statement?
It might not always be appropriate to use 4-6 sentence narrative-style risk scenarios, such as in board reports or an organizational risk register. The core elements of the forecasted adverse event are often distilled even further into a risk statement.
Risk statements are a bite-sized description of risk that everyone from the C-suite to developers can read and get a clear idea of how an event can affect the organization if it were to occur.
Several different frameworks set a format for risk scenarios. For example, a previous ISACA article uses this format:
[Event that has an effect on objectives] caused by [cause/s] resulting in [consequence/s].
The OpenFAIR standard uses a similar format:
[Threat actor] impacts the [effect] of [asset] via (optional) [method].
The OpenFAIR standard has a distinct advantage of using terms and concepts that are easily identifiable and measurable. Additionally, the risk scenario format from ISACA’s Risk IT was purpose-built to be compatible with OpenFAIR (along with other risk frameworks). The same terms and definitions used in OpenFAIR are also utilized in Risk IT.
The following factors are present in an OpenFAIR compatible risk statement:
- Threat actor: Describes the individual or group that can act against an asset. A threat actor can be an individual internal to the organization, like an employee. It can also be external, such as a cybercriminal organization. The intent is usually defined here, for example, malicious, unintentional, or accidental actions. Force majeure events are also considered threat actors.
- Asset: An asset is anything of value to the organization, tangible or intangible. For example, people, money, physical equipment, intellectual property, data and reputation.
- Effect: Typically, in technology risk, an adverse event can affect the confidentiality, integrity, availability, or privacy of an asset. The effect could extend beyond these into enterprise risk, operational risk and other areas.
- Method: If appropriate to the risk scenario, a method can also be defined. For example, if the risk analysis is specifically scoped to malicious hacking via SQL injection, SQL injection can be included as the method.
Risk statement examples
- Privileged insider shares confidential customer data with competitors, resulting in losses in competitive advantage.
- Cybercriminals infect endpoints with ransomware encrypting files and locking workstations, resulting in disruption of operations.
- Cybercriminals copy confidential customer data and threaten to make it public unless a ransom is paid, resulting in response costs, reputation damage and potential litigation.
Scenario building is a skill
Scenario building is one of the most critical components of the risk assessment process as it defines the scope, depth and breadth of the analysis. It also helps the analyst define and decompose various risk factors for the next phase: risk measurement. More importantly, it helps paint a clear picture of organizational risk for leadership and other key stakeholders. It is a critical step in the risk assessment process in both quantitative and qualitative risk methodologies.
Good risk scenario building is a skill and can take some time to truly master. Luckily, there are plenty of resources available to help both new entrants to the field and seasoned risk managers hone and improve their scenario-building skills. Additional resources on risk identification and scenario building include:
- ISACA’s Risk IT Practitioner’s Guide, 2nd edition
- ISACA’s Risk IT Framework, 2nd edition
- Risk Scenarios: Using COBIT 5 for Risk
About the author: Tony Martin-Vegue, CISM, CISSP, OpenFAIR, is a writer, speaker and risk expert with a passion for data-driven decision making. He uses his expertise in economics, cyberrisk quantification and information security to advise senior operational and security leaders on how to integrate evidence-based risk analysis into business strategy. Martin-Vegue serves on the board of the Society of Information Risk Analysts and is the co-chair of the San Francisco chapter of the FAIR Institute—2 professional organizations dedicated to advancing risk quantification. He can be contacted at www.tonym-v.com.