The A3 technique was originally created by Toyota as a problem-solving method. The name A3 comes from the fact that when the process is complete, all of the relevant information fits on a standard A3-size sheet of paper.
While the A3 technique was originally designed for problem solving in manufacturing, it is also a valuable tool for risk management. It can guide the risk management process and ensure that all critical information is captured in a concise, consistent form. Below is an example of analyzing a Category 5 hurricane risk event using the A3 technique:
Here is a breakdown of the information that should be captured in each box.
Note - All qualitative values are based on the NIST SP 800-30 scale of Very Low to Very High.
Risk Title - A descriptive title for the specific risk event.
Risk ID Number - A unique identification number to represent the risk event.
Threat Type - Choose either adversarial (caused by a threat actor) or non-adversarial (accident, natural disaster, etc.).
Risk Statement - A brief description detailing the risk event.
Threat Actor Capability - Qualitative assessment of the threat actor’s tactics, techniques, and procedures, and their ability to successfully exploit a vulnerability. Applies to adversarial threats only; NIST SP 800-30 rates non-adversarial threat sources by their range of effects instead.
Threat Actor Intent - Qualitative assessment of the threat actor’s purpose for, and willingness to, carry out the threat event. Applies to adversarial threats only. The likelihood of event initiation is directly influenced by the actor’s intent.
Likelihood of Occurrence - The probability that the threat event will occur sometime in the future. In NIST SP 800-30 this combines the likelihood that the event is initiated (adversarial) or occurs (non-adversarial) with the likelihood that, once it does, it results in adverse impact.
Vulnerability - Qualitative assessment of the weakness that can be exploited (taken advantage of) by a threat source.
Event Severity - Qualitative assessment of how significant an impact the threat event could have on your organization if it occurs.
Impact of Event - Qualitative assessment of the consequence to your organization, its operations, people, etc. if the threat event does occur and a vulnerability exists.
Risk Assessment - A qualitative determination of the overall risk level based on the likelihood of occurrence (threat and vulnerability) and the impact of the risk event.
Risk Strategy - The method(s) that will be used to address the risk and a brief description of what that will entail. For more information on the risk strategies, see the 4 Strategies for Cyber Security Risk Management.
Residual Risk - A qualitative assessment of the risk that remains after mitigations have been applied.
Contingency Plan - A brief description of how you will react if the risk event occurs.
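To make the boxes above machine-checkable, here is an added example (not part of the original article or its template) that models one A3 sheet in Python. It validates every rating against the NIST SP 800-30 five-level scale, requires Threat Actor Capability and Intent only when the threat type is adversarial, derives the Risk Assessment box from likelihood and impact, and rejects a Residual Risk rating higher than the assessed risk, since a mitigation can only lower risk. The risk matrix follows the shape of NIST SP 800-30 Rev. 1 Table I-2 as recalled here and should be checked against the publication before adoption; the hurricane record, its ID R-001 and its ratings are constructed for illustration.

```python
"""Machine-checkable A3 risk record on the NIST SP 800-30 qualitative scale.

Added example for this article; not part of the original template.
"""
from dataclasses import dataclass
from typing import Optional

# NIST SP 800-30 five-level qualitative scale, ordered low to high.
SCALE = ("Very Low", "Low", "Moderate", "High", "Very High")

# Risk level from likelihood (rows) x impact (columns), following the shape of
# NIST SP 800-30 Rev. 1 Table I-2 as recalled here. Verify against your copy
# of the publication before adopting it.
RISK_MATRIX = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def check_level(name: str, value: Optional[str]) -> str:
    """Reject any rating that is not on the five-level scale."""
    if value not in SCALE:
        raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")
    return value


def risk_level(likelihood: str, impact: str) -> str:
    """Overall risk from likelihood of occurrence and impact (the Risk Assessment box)."""
    check_level("likelihood", likelihood)
    check_level("impact", impact)
    return RISK_MATRIX[likelihood][SCALE.index(impact)]


@dataclass
class A3Risk:
    """One A3 sheet. Field names mirror the boxes described in the article."""
    risk_id: str
    title: str
    threat_type: str                   # "adversarial" or "non-adversarial"
    statement: str
    likelihood: str                    # Likelihood of Occurrence
    vulnerability: str                 # Vulnerability (qualitative)
    severity: str                      # Event Severity
    impact: str                        # Impact of Event
    strategy: str                      # Risk Strategy
    residual_risk: str                 # Residual Risk
    contingency: str                   # Contingency Plan
    capability: Optional[str] = None   # Threat Actor Capability (adversarial only)
    intent: Optional[str] = None       # Threat Actor Intent (adversarial only)

    def __post_init__(self) -> None:
        if self.threat_type not in ("adversarial", "non-adversarial"):
            raise ValueError(f"unknown threat type {self.threat_type!r}")
        for name in ("likelihood", "vulnerability", "severity", "impact", "residual_risk"):
            check_level(name, getattr(self, name))
        if self.threat_type == "adversarial":
            # Capability and intent drive likelihood for a threat actor, so both are required.
            check_level("capability", self.capability)
            check_level("intent", self.intent)
        elif self.capability is not None or self.intent is not None:
            raise ValueError("capability and intent do not apply to non-adversarial threats")
        # Mitigation can only lower risk; a residual rating above the assessed risk is an error.
        if SCALE.index(self.residual_risk) > SCALE.index(self.risk):
            raise ValueError(f"residual risk {self.residual_risk} exceeds assessed risk {self.risk}")

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def render(self) -> str:
        """Plain-text A3 sheet, one box per line, in the article's box order."""
        rows = [
            ("Risk Title", self.title), ("Risk ID Number", self.risk_id),
            ("Threat Type", self.threat_type), ("Risk Statement", self.statement),
            ("Threat Actor Capability", self.capability or "n/a"),
            ("Threat Actor Intent", self.intent or "n/a"),
            ("Likelihood of Occurrence", self.likelihood), ("Vulnerability", self.vulnerability),
            ("Event Severity", self.severity), ("Impact of Event", self.impact),
            ("Risk Assessment", self.risk), ("Risk Strategy", self.strategy),
            ("Residual Risk", self.residual_risk), ("Contingency Plan", self.contingency),
        ]
        return "\n".join(f"{k}: {v}" for k, v in rows)


# Constructed sample record for the article's hurricane scenario; ID and ratings are illustrative.
HURRICANE = A3Risk(
    risk_id="R-001",
    title="Category 5 hurricane strikes primary data center",
    threat_type="non-adversarial",
    statement="A major hurricane causes multi-day loss of power and site access at the primary data center.",
    likelihood="Low",
    vulnerability="High",
    severity="Very High",
    impact="Very High",
    strategy="Mitigate: replicate critical systems to an inland region; test failover annually.",
    residual_risk="Low",
    contingency="Declare a disaster, fail over to the secondary region, notify customers.",
)

if __name__ == "__main__":
    print(HURRICANE.render())
```

Because the Risk Assessment box is derived rather than typed, two sheets with the same likelihood and impact always land on the same risk level, which keeps a register of many A3s comparable. The residual-risk check catches the common mistake of filling in the post-mitigation box before the mitigation has actually been decided.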
By creating an A3 for each of your identified risks, you can build an incident response playbook that is concise and easily accessible during an emergency. It also documents how risk decisions were made, which can be invaluable when capturing lessons learned after an incident.
You can download a blank A3 risk management template using the link below.
For more information and tools to create a risk management plan check out our Cybersecurity Risk Management Workbook.