Failure mode and effects analysis: Process and system risk assessment

Gideon T. Rasmussen, CISSP, CISA, CISM, CIPP

    Requires Free Membership to View

What is Six Sigma?

Tom Bowers explains how Six Sigma can be used to determine a "business value."
Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered application). It prioritizes potential failures by impact severity, probability of occurrence and likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and the Information Technology Infrastructure Library (ITIL).

FMEA overview
Under FMEA, each process step or system component is evaluated by the criteria using the table below:

Process step or system component



Potential failure mode

(How could a failure occur?)



Potential effect(s) of failure

(What are the consequences of failure?)




(How severe would the impact be on a scale of 1 to 5?)



Potential cause(s) of failure

(What would be the cause of the failure?)




(What is the probability of failure occurring on a scale of 1 to 5?)



Current process controls

(What controls are in place to detect or prevent failure?)




(What is the probability of failure being detected on a scale of 1 to 5?)






FMEA calculates a risk priority number (RPN) for each process step or system component using this simple technique:

Risk priority number = Severity x Occurrence x Detection

Have a current process or system diagram available before beginning the FMEA process. The diagram must document process steps or system components with sufficient detail to support a thorough evaluation. Number each entry for easy reference.

For more on risk analysis

Contributor Khalid Kark discusses five steps to building information risk management frameworks.

Risk management metrics are helpful at budget time, but contributor Mike Rothman explains why businesses should be wary of any security measurements.

A readers asks our expert panel, "Should all members of a security staff be involved in the risk assessment process?"
The FMEA team should be comprised of people involved in the day-to-day operations of the process or system (e.g. the team manager and system administrators). Consider using an internal auditor or a peer team manager to act as a facilitator. At a minimum, engage an objective, independent third party. The facilitator is responsible for hosting FMEA meetings and should be actively involved in the evaluation of each process step or system component.

Begin the first meeting with an FMEA overview. Review the process diagram and enter it into an FMEA worksheet. Consider process flow, inputs, outputs and dependencies.

Conducting a system evaluation is a bit more complex. For example, to review a three-tiered architecture, the diagram should include systems and applications associated with the presentation, application and database layers. For additional scrutiny, review firewall and monitoring configurations and the system development life cycle.

Assign each team member a section of documentation to evaluate before the next meeting. Depending on process or system complexity, it may be necessary to have more than one. Carefully evaluate each process step or system component. Document control deficiencies and associated risk ratings in an FMEA worksheet.

Once the FMEA evaluation is complete, review the RPNs for each process step or system component, It will be apparent which areas pose the greatest risk exposure. The highest numbers correspond to the items with the greatest potential for risk. Corresponding narrative entries provide rationale and detail which can be used to prioritize remediation.

The second half of an FMEA worksheet documents remediation activity. Enter mitigating controls in the first two fields. Complete the Action Results section to determine if the new controls will reduce residual risk to an acceptable level.

Recommended Action(s)

Responsibility and Target Completion Date

Action Results

Actions Taken


























Conduct FMEA reviews at least annually. In additional to evaluation, FMEA helps ensure team members are familiar with critical processes and systems. FMEA also accomplishes process reviews and updates required by common security standards and frameworks.

Simplicity is FMEA's greatest strength. It documents risk posture using qualitative and quantitative approaches. FMEA is a great way to evaluate the risks associated with a process or a system. Consider adding it to your annual security management routines.

About the author:
Gideon T. Rasmussen is a Charlotte-based Information Security Vice President with a background in Fortune 50 and military organizations. His website is http://www.gideonrasmussen.com.

1. Failure Mode and Effects Analysis (Wikipedia)
2. Failure Mode and Effects Analysis (U.S. Department of Defense)

This was first published in March 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.