Failure Mode and Effects Analysis: Process and System Risk Assessment
By Gideon T. Rasmussen, CISSP, CISA, CISM, CIPP

Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered application). It prioritizes potential failures by impact severity, probability of occurrence and likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and the Information Technology Infrastructure Library (ITIL).

FMEA overview

Under FMEA, each process step or system component is evaluated by the criteria using the table below:

Process Step or System Component

Potential Failure Mode

Potential Effect(s) of Failure


Potential Cause(s) of Failure


Current Process Controls






























Potential Failure Mode: How could a failure occur?
Potential Effect(s) of Failure: What are the consequences of failure?
Severity: How severe would the impact be on a scale of 1 to 5?
Potential Cause(s) of Failure: What would be the cause of the failure?
Occurrence: What is the probability of failure occurring on a scale of 1 to 5?
Current Process Controls: What controls are in place to detect or prevent failure?
Detection: What is the probability of failure being detected on a scale of 1 to 5?

FMEA calculates a risk priority number (RPN) for each process step or system component using this simple technique:

Risk priority number = Severity x Occurrence x Detection


Have a current process or system diagram available before beginning the FMEA process. The diagram must document process steps or system components with sufficient detail to support a thorough evaluation. Number each entry for easy reference.

The FMEA team should be comprised of people involved in the day-to-day operations of the process or system (e.g. the team manager and system administrators). Consider using an internal auditor or a peer team manager to act as a facilitator. At a minimum, engage an objective, independent third party. The facilitator is responsible for hosting FMEA meetings and should be actively involved in the evaluation of each process step or system component.


Begin the first meeting with an FMEA overview. Review the process diagram and enter it into an FMEA worksheet. Consider process flow, inputs, outputs and dependencies.

Conducting a system evaluation is a bit more complex. For example, to review a three-tiered architecture, the diagram should include systems and applications associated with the presentation, application and database layers. For additional scrutiny, review firewall and monitoring configurations and the system development life cycle.

Assign each team member a section of documentation to evaluate before the next meeting. Depending on process or system complexity, it may be necessary to have more than one. Carefully evaluate each process step or system component. Document control deficiencies and associated risk ratings in an FMEA worksheet.

Once the FMEA evaluation is complete, review the RPNs for each process step or system component, It will be apparent which areas pose the greatest risk exposure. The highest numbers correspond to the items with the greatest potential for risk. Corresponding narrative entries provide rationale and detail which can be used to prioritize remediation.

The second half of an FMEA worksheet documents remediation activity. Enter mitigating controls in the first two fields. Complete the Action Results section to determine if the new controls will reduce residual risk to an acceptable level.

Recommended Action(s)

Responsibility and Target Completion Date

Action Results

Actions Taken


























Conduct FMEA reviews at least annually. In additional to evaluation, FMEA helps ensure team members are familiar with critical processes and systems. FMEA also accomplishes process reviews and updates required by common security standards and frameworks.

Simplicity is FMEA's greatest strength. It documents risk posture using qualitative and quantitative approaches. FMEA is a great way to evaluate the risks associated with a process or a system. Consider adding it to your annual security management routines.

About the author:
Gideon T. Rasmussen is a Charlotte-based Information Security Vice President with a background in Fortune 50 and military organizations. His website is

1. Failure Mode and Effects Analysis (Wikipedia)
2. Failure Mode and Effects Analysis (U.S. Department of Defense)

Copyright © 2008 TechTarget ( All Rights Reserved.
Reprinted with Permission