Risk Analysis and Impact Analysis

Introduction


Risk analysis was a vital process that was used by Unhappy Bank to identify potential threats and vulnerabilities that could harm their operations or reputation. It involved a systematic evaluation of the likelihood and impact of risks, followed by the development of strategies to mitigate, avoid, transfer, or accept them. The goal of risk analysis was not to avoid any threats but to minimize the negative consequences of adverse events while maximizing opportunities for success.

Impact analysis helps organizations understand the potential consequences of a proposed change. It involves assessing the impact of a change on various aspects of the organization, such as processes, systems, people, and stakeholders. The primary goal of impact analysis is to identify the potential risks, costs, and benefits associated with a change, and to make informed decisions about whether or not to proceed with the change.

The primary difference between risk analysis and impact analysis is that risk analysis is focused on identifying potential risks and developing a risk management plan, while impact analysis is focused on assessing the potential impact of a change and making informed decisions about whether or not to proceed with the change.

Risk Management Approaches

Risk Acceptance

Unhappy Bank had already decided to launch a new mobile app. However, the bank’s legal and compliance teams had identified the risk of potential regulatory fines or penalties due to ambiguities in the regulatory landscape. The bank’s risk management team conducted a thorough analysis of the potential risk and its consequences, including the estimated cost of any fines and the potential damage to the bank’s reputation.

After the analysis, the bank decided that the potential benefits of launching the new service outweighed the potential risks. Therefore, the bank decided to accept the risk and proceed with the launch while implementing appropriate measures to mitigate the risk, such as ensuring compliance with regulatory requirements, engaging with regulators, and monitoring the service for potential compliance issues.

Risk Avoidance

The complaints department at Unhappy Bank used an old system that functioned well in accepting manual complaints with a set workflow that was rarely modified. Furthermore, the number of complaints per year was steady and relatively low.

In the project planning phase, the business analysts determined that the advantages of transferring existing complaints to a new system and developing new workflows were not substantial. Consequently, the bank chose to avoid the risk entirely by deciding against the migration to a new system. By doing so, the complaints department could continue with their present operations, avoiding disruption to active complaints that could have legal implications.

Risk Mitigation

Unhappy Bank's project scope included upgrading the data center to increase capacity and reliability. However, during the risk assessment phase, the business analysts identified a potential risk of a data center outage due to unforeseen circumstances, such as power failures, hardware malfunctions, or natural disasters.

To mitigate this risk, the bank decided to back up critical data and applications to an off-site location so that they would not be lost in the event of an outage. Furthermore, a detailed disaster recovery plan was developed that outlined the steps to be taken in the event of an outage, including communication protocols, backup procedures, and alternative work arrangements.

By implementing these measures, the bank reduced the impact of a data center outage and ensured that critical systems and applications could remain available to customers.

Risk Transfer

We already discussed the business benefits of developing a mobile app for Unhappy Bank. However, during the risk assessment phase, the bank’s security team identified a potential risk of a cyber attack that could compromise customer data and lead to financial losses.

To transfer the risk of a cyber attack, the bank decided to purchase a cyber insurance policy that covered the financial losses and damages resulting from a cyber attack. This would allow the bank to transfer the financial risk to an insurance company, which would cover the costs associated with the breach, such as the cost of forensic investigations, legal fees, and customer notification.

Example of Impact Analysis

Unhappy Bank decided to introduce a new mobile app to improve the customer experience. Below are the steps of the impact analysis that took place:

Step 1: Identify the changes that will result from the project

The first step was to identify the changes that will result from this project. In this case, the changes included new online banking features, changes to the existing IT infrastructure, new training requirements for bank employees, and potential changes to customer support processes.

Step 2: Identify the stakeholders who will be affected by the changes

The next step was to identify the stakeholders who will be affected by the changes. In this case, the stakeholders could include bank customers, employees, IT staff, management, and regulatory bodies.

Step 3: Assess the impact of the changes on each stakeholder

For each stakeholder group, the impact of the changes was assessed. For example:

  • Customers: The new mobile app could improve the customer experience by making it easier to check account balances, transfer funds, and pay bills. However, if the platform was not user-friendly, customers may struggle to use it, leading to frustration and potential loss of business.
  • Employees: The bank’s employees would need to be trained to use the new online banking platform and may need to adjust their workflow to accommodate the changes. This could be disruptive in the short term but may lead to increased efficiency in the long run.
  • IT staff: The IT department would need to implement and maintain the new online mobile app, which could require additional resources and investment. However, if successful, the new platform could result in reduced maintenance costs and improved system reliability.
  • Management: The bank’s management would need to oversee the implementation of the new online banking platform and ensure that it aligns with the bank’s overall strategy. They may also need to address any potential risks or issues that arise during the implementation process.
  • Regulatory bodies: The bank would need to ensure that the new online banking platform complies with all relevant regulations and standards, which could involve additional testing and documentation requirements.

Step 4: Determine the feasibility and costs of the project

After assessing the impact of the changes on each stakeholder group, the feasibility and costs of the project were evaluated. This involved conducting a cost-benefit analysis to determine whether the potential benefits of the new online banking platform outweighed the costs and risks.

Step 5: Make informed decisions

Based on the results of the impact analysis and feasibility assessment, the bank made informed decisions about whether or not to proceed with the project.

By conducting impact analysis, the bank identified the potential risks, costs, and benefits associated with the introduction of a new mobile app and made informed decisions about whether or not to proceed with the project.

Below are the steps in summary:

  1. Identify changes
  2. Identify stakeholders impacted
  3. Assess the impact of changes on each stakeholder
  4. Determine feasibility and cost of changes
  5. Decide how to proceed