The A3 technique was originally created by Toyota as a problem-solving method. The name A3 comes from the fact that when the process is complete, all of the relevant information can fit on a standard A3-size piece of paper.
While the A3 technique was originally designed for problem solving during manufacturing, it can also be a valuable tool for risk management. The A3 technique can be used to guide the risk management process and ensure that all critical information is captured in a concise manner. Below is an example of analyzing a Category 5 hurricane risk event using the A3 technique:
Here is a breakdown of the information that should be captured in each box.
Risk Title - A descriptive title for the specific risk event.
Risk ID Number - A unique identification number to represent the risk event.
Risk Type - Choose either adversarial (caused by a threat actor) or non-adversarial (accident, natural disaster, etc.).
Risk Event Description - A brief description detailing the risk event.
Threat - A qualitative threat determination based on the NIST SP 800-30 scale of Very Low to Very High, and a brief description detailing the threat. If the threat is adversarial, be sure to include a description of capability and intent.
Vulnerability - A qualitative vulnerability determination and a brief description of your current level of vulnerability to the threat.
Impact - A qualitative impact determination and a brief description of the impact to your organization if the risk event occurs.
Risk Level - A qualitative determination of the overall risk level based on the likelihood (threat and vulnerability) and the impact of the risk event.
Risk Strategy - The method(s) that will be used to address the risk and a brief description of what that will entail. For more information on the risk strategies see the 4 Strategies for Cyber Security Risk Management.
Contingency Plan - A brief description of how you will react if the risk event occurs.
By creating an A3 for each of your identified risks, you can create an incident response playbook that is concise and easily accessible during an emergency. It also documents how risk decisions were made, which can be invaluable information when capturing lessons learned after an incident.
You can download a blank A3 risk management template using the link below.