Risk Reduction Overview
A vizualisation method for risk management communication
This is the official website for the Risk Reduction Overview (RRO) method. It is deliberately hosted on a platform known for open source projects because the method and all downloads are free and open the same way as open source software is. Contributions for (open source) tools to create a RRO are also welcome to be hosted here.
The release candidate for the new RRO tool is ready for testing. Check it out at http://rro.sourceforge.net/tool/
A paper about the Risk Reduction Overview was presented at the ARES conference september 8 2014: Risk Reduction Overview: A visualization method for risk management. HNJ Havinga, ODT Sessink, Availability, Reliability, and Security in Information Systems, Lecture Notes in Computer Science Volume 8708, 2014, pp 239-249.
What is the Risk Reduction Overview
The Risk Reduction Overview (RRO) method presents a comprehensible overview of the coherence of risks, measures and residual risks. A good example can be found on the examples page. The method is designed to support communication between different stakeholders in complex risk management. The method has initially been developed for cyber security and information assurance. The RRO visualization can be used to discuss, optimize, evaluate, and audit a design or a change in a complex IT security environment. The method has been used, evaluated, and improved over the last six years in large government and military organization. Seven areas in design and decision making are identified in which a RRO is found to be beneficial. Despite the widely accepted need for risk management we believe this is the first practical method that delivers a comprehensive overview that improves communication between different stakeholders.
Most IT Risk Management methods state that communication between business process representatives and security specialists to discuss the acceptable residual risk levels is vital. This process, also called Risk Communication, is one of the most challenging parts of risk management. The Risk Reduction Overview has been proven very valuable in this process. The Risk Reduction Overview method can be used in methods such as ISO 27005 (in Security Risk Acceptance and Security Risk Communication), IRAM (in the Business Impact Analysis stage), and NIST-800-30 (for example in the Risk Assessment Report).
The RRO can be used in different stages of the IT security design and decision making process, and can be used to review the design of an already existing implementation. Seven areas are identified in which the RRO is beneficial.
- Rethink the design
- Optimize the design
- Review of risks
- Review of measures
- CSO get lists of residual risks
- Review a design after changes to risks
- Inspiration for a new design
Who uses the Risk Reduction Overview method?
The RRO method was designed at the IT branch of the Dutch Ministry of Defence, and improved in cooperation with the Dutch Rijkswaterstaat and is now an official method in both departments. In Dutch the method is called "Risico Reductie Overzicht". Several other departments and agencies in the Netherlands are currently evaluating the method.