Assigning Responsibilities
The risk management plan specifies responsibilities, which provides accountability. If responsibilities are not assigned, tasks can easily be missed. Responsibilities can be assigned to:
- Risk management PM
- Stakeholders
- Departments or department heads
- Executive officers, such as the CIO or CFO
Ensuring that any entity that is assigned a responsibility has the authority to complete the task is important. This is especially important for the PM.
For example, team members may not work directly for the PM. Technicians, for example, might work in the IT department. They can be assigned as team members for a project. However, they may still report directly to supervisors in the IT department. So their task assignments from the IT department and from the PM may compete with each other. If the PM doesn’t have the authority to resolve these problems, the success of the project can be affected. At the very least, the PM should have access to stakeholders to resolve problems.
The PM is responsible for the overall success of the plan. Some of the common tasks of a PM are:
- Ensuring costs are controlled
- Ensuring quality is maintained
- Ensuring the project stays on schedule
- Ensuring the project stays within scope
- Tracking and managing all project issues
- Ensuring information is available to all stakeholders
- Raising issues and problems as they become known
- Ensuring others are aware of their responsibilities and deadlines
NOTE
A risk management PM is sometimes called a risk management coordinator. The skills required of a successful risk management PM are the same skills required of a successful project manager for almost any project.
Individual responsibilities could be assigned for the following activities:
- Identifying risk—This responsibility includes identifying threats and vulnerabilities. The resulting lists of potential risks can be extensive.
- Assessing risk—This responsibility entails identifying the likelihood and impact of each risk. A threat matrix is a common method used to assess risks.
- Identifying risk mitigation steps—This responsibility encompasses identifying steps that can be taken to reduce weaknesses as well as steps to reduce the impact of the risk.
- Reporting—This responsibility entails reporting the documentation created by the plan to management. The PM is often responsible for compiling reports.
Examples of responsibility statements for the website and HIPAA compliance scenarios are presented in the following two sections.
TIP
Consider creating a threat-likelihood–impact matrix. A percentage from 10 to 100 is assigned for each likelihood. The impact severity is assigned a value between 10 and 100. The value is then calculated by multiplying the two values. Higher values indicate risks that should be addressed first. Lower values indicate risks that may be accepted.
Responsibilities Example: Website
The CFO will provide funding to the IT department to hire a security consultant who will assist the IT department.
The IT department is responsible for providing:
- A list of threats
- A list of vulnerabilities
- A list of recommended solutions
- Costs for each of the recommended solutions
The sales department is responsible for providing:
- Direct costs of all outages that last 15 minutes or longer
- Indirect costs of all outages that last 15 minutes or longer
The CFO will validate the data provided by the IT and sales departments. The CFO will then complete a CBA.
Responsibilities Example: HIPAA Compliance
The HR department is responsible for identifying all health information held by Mini Acme. The HR department is responsible for providing:
Using Affinity Diagrams
Although assigning responsibility is easy, identifying the tasks may not be so easy. One of the challenges is to generate lists of realistic threats, vulnerabilities, and recommendations. An affinity diagram can help with these tasks.
An affinity diagram is created in four basic steps:
- Identifying the problem—A basic problem statement is created. For example, consider the website problem. The problem could be stated as “Website outages result in lost sales.”
- Generating ideas—The more the better. The ideas can be about any elements of the problem. They can include threats and vulnerabilities and recommended solutions. Brainstorming is one method that can be used. In a brainstorming session, participants are encouraged to mention anything that comes to mind. All ideas are written down without judgment. The creative process can often bring out a wealth of ideas.
- Gathering ideas into related groups—After the ideas have been generated, they are grouped together. For a risk management plan, the groups will usually fit into categories of threats, vulnerabilities, and recommendations. Some of these categories may include subcategories. For example, vulnerabilities could be divided into network and server weaknesses.
- Creating an affinity diagram—FIGURE 4-1 shows an example of an affinity diagram. It groups all the ideas together.
FIGURE 4-1 Affinity diagram.
In an actual scenario, the affinity diagram is likely to be much larger. Threats could be divided into external and internal. The list of vulnerabilities could be almost endless.
- A list of all health information sources
- Inspection results for all data sources regarding their compliance with HIPAA:
- How the data is stored
- How the data is protected
- How the data is transmitted
- A list of existing HIPAA policies used by Mini Acme
- A list of needed HIPAA policies
- A list of recommended solutions to ensure compliance with HIPAA
- Costs for each of the recommended solutions
- Costs associated with noncompliance
The IT department is responsible for providing:
- Identification of access controls used for data
- A list of recommended solutions to ensure compliance with HIPAA
- Costs for each of the recommended solutions
The CFO will validate the data provided by the IT and sales departments and then complete a CBA.