After determining the business entity, identifying assets and threats, the next step in the risk management process is to complete a risk assessment. The following article provides simplified guidelines for the risk assessment process.
Risk Criteria: Risk criteria can be defined as the point of reference against which the significance of a risk is evaluated.
Risk Assessment: Risk Assessment is the overall process of risk identification, analysis and evaluation.
The first step in the risk assessment process is to determine the evaluation criteria for assets and threats. The evaluation criteria can be based on legal and regulatory requirements, the risk management policy set forth by your organization, and international standards. Risk criteria should be reviewed continuously to ensure they stay aligned with these factors: as organizational objectives, regulatory requirements, or international standards change, so should the risk criteria.
When defining risk criteria there are two approaches one can take. First, if time permits, scientific methods and statistical analysis can be used. Alternatively, you can use qualitative judgment and intuition and define criteria in terms of “Low, Medium, High, Very, Immense” on a scale of 1 to 5. For SMEs that do not have ample resources to commit to statistical analysis of risk criteria, we suggest a scale such as this as a starting point.
The next question, naturally, is which factors one should consider when setting evaluation criteria. As a starting point, we suggest the following when implementing a risk management program for information security (please note that, as mentioned, the criteria will be unique to your organization; the following factors, however, can be applied to a wide range of organizations):
As stated above, risk assessment is the overall process of risk identification, analysis and evaluation. The risk assessment begins with evaluating your organization’s critical assets. As outlined above, predetermined risk criteria should be used for this process: critical assets and major threats are both evaluated against your organization’s risk criteria.
Next, similar to the asset evaluation process, you should evaluate the threats to each critical asset identified. In some cases, the same threat will threaten multiple assets.
After completing this analysis, an aggregate security risk level for each asset and the business entity can be determined.
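The three steps above (rate the critical assets, rate the threats to each asset, aggregate per asset and for the business entity) as an added example; this is not RM Studio's calculation, whose rules are documented in its User Manual. It assumes a 1 to 5 value rating per asset, a 1 to 5 likelihood and impact rating per threat, and simple aggregation rules (likelihood times impact, asset value times the worst threat it faces, entity level equal to the worst asset); the asset and threat data are constructed.

```python
"""Aggregate asset and threat ratings on the 1-5 scale (added example, assumed rules)."""
import math

# The five-point scale used in the post.
LABELS = {1: "Low", 2: "Medium", 3: "High", 4: "Very", 5: "Immense"}

# Constructed sample data, not real findings.
# Assets: name -> business value rating (1-5).
ASSETS = {"customer database": 5, "public website": 3, "office printer": 1}
# Threats: name -> (likelihood 1-5, impact 1-5, assets it threatens).
# The same threat may threaten several assets, as the post notes.
THREATS = {
    "ransomware": (4, 5, {"customer database", "public website"}),
    "sql injection": (3, 4, {"public website"}),
    "hardware failure": (2, 2, {"office printer", "customer database"}),
}

def validate(rating: int) -> int:
    """Reject ratings outside the agreed 1-5 criteria instead of silently using them."""
    if rating not in LABELS:
        raise ValueError(f"rating {rating!r} is outside the 1-5 scale")
    return rating

def to_scale(score: float, max_score: float) -> int:
    """Map a raw product in [1, max_score] back onto the 1-5 scale (assumed rule)."""
    return max(1, math.ceil(5 * score / max_score))

def threat_rating(likelihood: int, impact: int) -> int:
    """Threat level = likelihood x impact, rescaled to 1-5 (assumed rule)."""
    return to_scale(validate(likelihood) * validate(impact), 25)

def asset_risk(asset: str, assets: dict, threats: dict) -> int:
    """Asset risk = asset value x worst threat facing it, rescaled to 1-5 (assumed rule)."""
    value = validate(assets[asset])
    levels = [threat_rating(lk, im) for lk, im, targets in threats.values() if asset in targets]
    if not levels:
        return 1  # no identified threat: floor of the scale, but still listed
    return to_scale(value * max(levels), 25)

def entity_risk(assets: dict, threats: dict) -> int:
    """Entity-level risk = the highest asset risk (assumed aggregation rule)."""
    return max(asset_risk(a, assets, threats) for a in assets)

def report(assets: dict, threats: dict) -> dict:
    """Risk label per asset plus one for the whole business entity."""
    out = {a: LABELS[asset_risk(a, assets, threats)] for a in assets}
    out["business entity"] = LABELS[entity_risk(assets, threats)]
    return out

if __name__ == "__main__":
    for name, label in report(ASSETS, THREATS).items():
        print(f"{name:18} {label}")
```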
For an example of how to complete this process, see the Calculations section of the RM Studio User Manual, which shows how RM Studio (our risk management software) computes these values.
The goal of the risk assessment process is to gain an understanding of the risk level to your assets and to the business entity in question. A risk assessment will identify your organization’s greatest threats. This information can be used to develop the next two steps in the process, the gap analysis and the risk treatment plan, which will be covered in future posts.