A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.
Parts of a Risk Management Plan
- Risk Planning
- Risk Identification
- Risk Analysis
- Risk Response Plans
- Risk Register
Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.
All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:
[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
The US Department of Health and Human Services defines a risk as:
The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.
Risks arise from legal liability or mission loss due to:
Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; Unintentional errors and omissions; IT disruptions due to natural or man-made disasters; Failure to exercise due care and diligence in the implementation and operation of the IT system.
When a risk event occurs, it is no longer uncertain. It becomes an issue.
Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts forms the basis of our risk assessment approach, which can be thought of as a formula:
(Impact · Likelihood) × (Threat · Vulnerability)
The risk level is calculated using three underlying components:
- Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
- Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
- Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?
Likelihood × Impact − Controls ⇒ Risk Level
To illustrate, a plane crashing into your office has a high impact, but a low probability. In fact the probability is so low that the overall risk is probably insignificant. On the opposite end of the scale, a road construction project getting delayed due to rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.
- What projects have been completed in the past and what unexpected issues occurred?
- What was the response of the organization?
- What permanent changes were made? Were they justified?
- Did the response cause a corresponding loss of business?
- Did the response cause a corresponding loss of future projects?
Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:
- Very Low: The event is highly unlikely to occur under regular circumstances.
- Low: The event is unlikely but should be noted by the project team.
- Medium: The event has a normal chance of occurring and the project team should be aware of it.
- High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
- Very High: The occurrence of the event should be actively managed and mitigation actions taken.
Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.
Theoretical risk. Unlikely to be a serious concern.
- Vulnerability is very unlikely to be exercised, OR
- Existing controls are highly effective at mitigating the risk, OR
- Potential impact on security, privacy and availability of ePHI is low
Unlikely to be an immediate concern, especially in light of other, more severe risks.
- Some likelihood that vulnerability could be exercised
- Existing controls provide some effective mitigation of risk
Potential for significant impact on operations. Effective Risk Management or reasonable plan for such recommended in near future.
- Vulnerability is likely to be exercised
- Existing controls provide inadequate mitigation of risk
- Potential for significant impact on security, privacy or availability of ePHI
Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of vulnerability could cause mission-critical damage to business operations. Prompt intervention strongly recommended.
- Vulnerability is very likely to be exercised or is currently being exercised
- Existing controls provide little effective mitigation of risk
- Potential for high or even catastrophic impact on security, privacy or availability of ePHI
A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?
- What assumptions has the project budget made?
- What assumptions has the project schedule made (completion date, milestones, etc.)?
- What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
- Which relationships are being assumed to be strong that are not necessarily (owner, sponsor, client, contractor, consultant)?
- How many previous projects with similar components have been completed successfully? What were the project issues?
Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.