Failure mode and effects analysis: Process and system risk assessment

What is Six Sigma? Tom Bowers explains how Six Sigma can be used to determine a "business value."

FMEA overview
Under FMEA, each process step or system component is evaluated by the criteria using the table below:

FMEA calculates a risk priority number (RPN) for each process step or system component using this simple technique:

Risk priority number = Severity x Occurrence x Detection

Preparation
Have a current process or system diagram available before beginning the FMEA process. The diagram must document process steps or system components with sufficient detail to support a thorough evaluation. Number each entry for easy reference.

For more on risk analysis Contributor Khalid Kark discusses five steps to building information risk management frameworks. Risk management metrics are helpful at budget time, but contributor Mike Rothman explains why businesses should be wary of any security measurements. A readers asks our expert panel, "Should all members of a security staff be involved in the risk assessment process?"

The FMEA team should be comprised of people involved in the day-to-day operations of the process or system (e.g. the team manager and system administrators). Consider using an internal auditor or a peer team manager to act as a facilitator. At a minimum, engage an objective, independent third party. The facilitator is responsible for hosting FMEA meetings and should be actively involved in the evaluation of each process step or system component.

Execution
Begin the first meeting with an FMEA overview. Review the process diagram and enter it into an FMEA worksheet. Consider process flow, inputs, outputs and dependencies.

Conducting a system evaluation is a bit more complex. For example, to review a three-tiered architecture, the diagram should include systems and applications associated with the presentation, application and database layers. For additional scrutiny, review firewall and monitoring configurations and the system development life cycle.

Assign each team member a section of documentation to evaluate before the next meeting. Depending on process or system complexity, it may be necessary to have more than one. Carefully evaluate each process step or system component. Document control deficiencies and associated risk ratings in an FMEA worksheet.

Once the FMEA evaluation is complete, review the RPNs for each process step or system component, It will be apparent which areas pose the greatest risk exposure. The highest numbers correspond to the items with the greatest potential for risk. Corresponding narrative entries provide rationale and detail which can be used to prioritize remediation.

The second half of an FMEA worksheet documents remediation activity. Enter mitigating controls in the first two fields. Complete the Action Results section to determine if the new controls will reduce residual risk to an acceptable level.

Recommended Action(s)	Responsibility and Target Completion Date	Action Results
		Actions Taken	SEV	OCC	DET	RPN
						0
						0
						0

Conduct FMEA reviews at least annually. In additional to evaluation, FMEA helps ensure team members are familiar with critical processes and systems. FMEA also accomplishes process reviews and updates required by common security standards and frameworks.

Simplicity is FMEA's greatest strength. It documents risk posture using qualitative and quantitative approaches. FMEA is a great way to evaluate the risks associated with a process or a system. Consider adding it to your annual security management routines.

About the author:
Gideon T. Rasmussen is a Charlotte-based Information Security Vice President with a background in Fortune 50 and military organizations. His website is http://www.gideonrasmussen.com.

References:
1. Failure Mode and Effects Analysis (Wikipedia)
2. Failure Mode and Effects Analysis (U.S. Department of Defense)