We perform Risk Management for all software applications that we use, whether developed by us or sourced from 3rd-party vendors.
The process for managing risk includes:
- risk analysis
- risk assessment
- risk control
- manufacturing and post-release information
The first step in managing risk is identifying it — and understanding it.
During risk analysis, we write down all of the known or possible defects (“hazards”) of a given product, and then analyze the risks of each.
Our goal, in doing this, is to identify the seriousness of each risk. To that end, we classify each risk in terms of its severity, likelihood of occurrence, and probability of detection, following this scheme:
- Severity (Critical, Major, Minor, Trivial)
- Likelihood of Occurrence (High, Low, Very Low, Occurrence Not Anticipated)
- Probability of Detection (Practically Impossible to Detect, Random, High, Almost Certain / Impossible to Miss)
After that, we assess the risk to determine what, if any, mitigation actions are needed to reduce or eliminate it, along with their priority.
A risk assessment has three possible outcomes:
- Accept the Risk
- Reduce the Risk
- Remove the Risk
Our Risk Management Plan tells us how to respond based on the overall seriousness of the risk, as measured by the criteria mentioned previously.
Generally, we accept risks only when we believe the severity of their impact will be low and/or we think their occurence is unlikely. We also consider how easily they can be detected and dealt with.
In rare cases, when mitigation isn’t possible or easily achievable, we eliminate the risk entirely by removing its source, whether it’s a component or feature within an application, or a process flow that introduces more problems than it solves.
In most cases, however, we work to reduce risks by mitigating them. When risk reduction is selected, the risk is recorded as part of project and/or product risk documentation, along with any planned remediations. (Alternatively, if we decide to accept a given risk, we note that as well, along with the reasons for its acceptance.)
Rick Control describes the process for dealing with risks that need to be reduced.
Risk Control comprises four key areas:
- Risk Reduction
- Recommended Measures
- Assessment of Residual Rick
- Risk / Benefit Analysis
We take into account the following elements (listed in order of importance) when reducing a risk:
- The product’s own reliability (in terms of information security, data privacy, data integrity and availability, etc.)
- Protective measures that are part of the product or development process
- Additional reliability or performance information
Based on the above, we determine the mitigation measures we need to implement to reduce the risk and assign them to responsible staff members, along with a target implementation date.
Once they’ve implemented the recommended measures, the team responsible for the product checks the results. In some cases, we might find there are still residual risks, even after the mitigation measures have been implemented. In such cases, we analyse the residual risks and assess them acceptability/unacceptability.
Assessment of Residual Risk
We assess any residual risk that still exists against the same quantitative assessment criteria as the primary risk and document it accordingly. If the residual risk does not meet the required criteria, we implement additional risk control measures, then carry out risk-benefit analyses for any residual risk that still remains.
Risk / Benefit Analysis
In cases where the residual risk is unacceptable (per our risk management plan) and further risk control is no longer feasible, we assess whether the benefits of the product exceed its risks.
If they don’t, it means that the risk is unacceptable and we have to suspend the development and/or distribution of the product. But if the benefits of the product do exceed the residual risk, then we’re more likely to accept the risk.
Other Created Hazards
Risk control measures are reviewed for their potential to cause other hazards. As a result of the application of risk control measures, new hazards may arise which need to be assessed by analogy as existing risks.