
Risk Identification

RiskyMan1 edited this page Sep 20, 2018 · 3 revisions

Assumption Analysis

Brainstorming

I propose that we use a standard 1-9 scale for risk identification and calculation, where everyone on the grin's ***** gets to vote on the following three things:

  1. How much do they know about the scope of the risk? (Knowledge)
  2. If unaddressed, how likely is the risk to occur? (Risk Chance)
  3. If unaddressed, how big is the impact of the risk? (Risk Impact)

For example, in a traditional organization, imagine we were looking at the risk that the firm's database suffers a catastrophic failure. The CIO may answer 1=9, 2=2 and 3=8, while the CFO may answer 1=2, 2=5 and 3=3. You then multiply the answers to questions 2 and 3 by the answer to question 1, so each voter's Risk Chance and Risk Impact are weighted by how much they claim to know. The CIO would have a weighted Risk Chance of 18 (9 × 2) and a weighted threat of 72 (9 × 8); the CFO would have a weighted Risk Chance of 10 (2 × 5) and a weighted threat of 6 (2 × 3). Summing the weighted columns and dividing by the maximum possible score (the knowledge total multiplied by 9, here 11 × 9 = 99) gives the risk as a percentage.
So you end up with the following results:

Risk of Database Failure

| Voter | Knowledge | Chance | Weighted Chance | Impact | Weighted Threat |
|-------|-----------|--------|-----------------|--------|-----------------|
| CIO   | 9         | 2      | 18              | 8      | 72              |
| CFO   | 2         | 5      | 10              | 3      | 6               |
| Total | 11        | 7      | 28              | 11     | 78              |

Weighted totals (each weighted total divided by the max risk, i.e. the knowledge total × 9):

| Max Risk | Weighted Chance | Weighted Threat |
|----------|-----------------|-----------------|
| 99       | 28%             | 79%             |

We might need a system for assigning the knowledge weights. Typically they can be self-assigned and should be defended if questioned, but a bad actor could easily disrupt this in an open source organization (where they can't be fired and are not under the same pressures to behave professionally): because the knowledge score multiplies both of the other answers, a single voter who claims a knowledge of 9 carries as much weight as several honest voters with moderate scores.
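As an added worked example (not part of the original proposal), the following Python carries the scoring above through the CIO/CFO table and then shows the knowledge-weight concern: a third voter who claims maximum knowledge and maximum chance while rating the impact as trivial. The CIO/CFO numbers are the constructed values from the table; the third voter, the `dominant_voters` check and its one-third threshold are assumptions added here, not part of the proposal.

```python
from dataclasses import dataclass

MAX_SCORE = 9  # every answer uses the 1..9 scale of the proposal


@dataclass(frozen=True)
class Vote:
    voter: str
    knowledge: int  # Q1: how much the voter knows about the scope of the risk
    chance: int     # Q2: how likely the risk is to occur if unaddressed
    impact: int     # Q3: how big the impact is if it occurs

    def __post_init__(self):
        for field in ("knowledge", "chance", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= MAX_SCORE:
                raise ValueError(f"{field} must be in 1..{MAX_SCORE}, got {value}")

    @property
    def weighted_chance(self) -> int:
        return self.knowledge * self.chance

    @property
    def weighted_threat(self) -> int:
        return self.knowledge * self.impact


def score_risk(votes):
    """Totals for one risk, plus the two percentages normalised against max risk.

    Max risk is what the weighted totals would be if every voter had answered
    9 to chance and impact, i.e. knowledge_total * 9 (11 * 9 = 99 in the table).
    """
    knowledge_total = sum(v.knowledge for v in votes)
    weighted_chance = sum(v.weighted_chance for v in votes)
    weighted_threat = sum(v.weighted_threat for v in votes)
    max_risk = knowledge_total * MAX_SCORE
    return {
        "knowledge": knowledge_total,
        "chance": sum(v.chance for v in votes),
        "impact": sum(v.impact for v in votes),
        "weighted_chance": weighted_chance,
        "weighted_threat": weighted_threat,
        "max_risk": max_risk,
        "chance_pct": round(100 * weighted_chance / max_risk),
        "threat_pct": round(100 * weighted_threat / max_risk),
    }


def dominant_voters(votes, max_share=1 / 3):
    """Voters whose self-assigned knowledge exceeds max_share of the total.

    Assumed check (not from the proposal): these are the voters who should be
    asked to defend their knowledge score before the result is accepted.
    """
    total = sum(v.knowledge for v in votes)
    return [v.voter for v in votes if v.knowledge / total > max_share]


# Constructed input: the CIO/CFO numbers from the table above.
EXAMPLE_VOTES = [Vote("CIO", 9, 2, 8), Vote("CFO", 2, 5, 3)]

# Constructed input: the same risk plus one bad actor who claims maximum
# knowledge and maximum chance while rating the impact as trivial.
BAD_ACTOR_VOTES = EXAMPLE_VOTES + [Vote("self-declared expert", 9, 9, 1)]


def render(title, votes):
    """Plain-text version of the wiki table for a set of votes."""
    s = score_risk(votes)
    lines = [title, "Voter | Knowledge | Chance | W.Chance | Impact | W.Threat"]
    for v in votes:
        lines.append(f"{v.voter} | {v.knowledge} | {v.chance} | "
                     f"{v.weighted_chance} | {v.impact} | {v.weighted_threat}")
    lines.append(f"Total | {s['knowledge']} | {s['chance']} | {s['weighted_chance']} | "
                 f"{s['impact']} | {s['weighted_threat']}")
    lines.append(f"Max risk {s['max_risk']}: chance {s['chance_pct']}%, "
                 f"threat {s['threat_pct']}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("Risk of Database Failure", EXAMPLE_VOTES))
    print()
    print(render("Risk of Database Failure (with bad actor)", BAD_ACTOR_VOTES))
    print("Voters to challenge:", dominant_voters(BAD_ACTOR_VOTES))
```

With the two honest votes the output reproduces the table (28% chance, 79% threat). Adding the single self-declared expert moves the chance to 61% and the threat down to 48%, because that one vote contributes 81 of the 109 weighted chance points. The `dominant_voters` check flags both the CIO and the bad actor; a large share is not evidence of bad faith in itself, it only triggers the "defend if questioned" step the proposal already calls for.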

In addition to doing our own in-house risk identification, I propose that we create a webpage where anyone can submit a risk and then vote on the risk's Chance and Impact. To keep the votes current, each vote should expire after a finite amount of time (such as one year). We could use this portal to identify new and unseen risks and outsource a considerable amount of the brainstorming. If the core's opinion on a risk differs significantly from the community's, then the core team should provide a written explanation of our reasoning.

Checklists
