
How to complete a Risk Assessment



In our post titled What is Risk Management, we touched on the steps in the risk management process. In this post we will look a bit deeper into the first half of the process, namely that of completing a risk assessment. In a later post we will look into how to respond to the risks identified, so watch this space!

Let us first start off with the objective for completing a risk assessment. Doing a risk assessment should not be a tick mark exercise to keep auditors happy when they come by once a year! Rather, the risk assessment is a tool we use to identify threats that pose a risk to us or our organisation. If we know what the risks are, we can design our control environment to respond to these threats in the most effective and efficient manner. Each organisation will have its own approach to identifying and assessing risks, but we will aim to explain the approach generally followed.

Determine the scope of the Risk Assessment

Step 1 is to determine the scope of the assessment. Is the assessment to cover Business Continuity, IT, Information Security, Vendor Management, etc.? The risks specific to Information Security will likely be different from the risks specific to Vendor Management, so we need to understand what the risk assessment is to cover.

Involve the right people

A common issue we encounter when we review the risk assessments completed by organisations is that the risk assessment was completed by one person on his/her own. The reason we refer to this as an issue is that one person cannot necessarily identify and assess all risks effectively and objectively. More than likely the person will have missed or incorrectly assessed some risks. For that reason we suggest that once the scope of the risk assessment has been determined, you identify the business units and persons that are relevant to the area in scope and that would be able to provide input to the assessment process. Once the business units and persons that need to be involved in the assessment have been identified, we have found that getting everyone in the same room and doing a workshop is the most effective method for getting everyone's input.

Identify and assess the risks

Now that we have determined our scope and gotten the right people in the room, we can start identifying and assessing risks!

Identify the assets

To be able to identify risks, we need to identify and list the assets for which we want to identify risks. Assets can include equipment, persons/employees, software and data (people often only think of assets as physical equipment, but it is much more!).

Identify the risks

Once we have a comprehensive list of assets, we need to ask ourselves the question 'what could go wrong' for each asset, without taking into consideration any existing controls that might be in place. Thus we might end up identifying several threats and risks for a single asset! From this step we will likely end up with a very long list of risks that we have identified. But not all risks are equal, so we need to assess the risks to be able to determine which risks we need to worry about and come up with a plan of action for!

Assess the risks

For each risk we now need to ask ourselves: what is the likelihood of the risk actually happening, and if it did happen, what would the impact be? Let us look at a quick and simple example. The risk of an earthquake disrupting business operations is more likely for an organisation in California than perhaps for an organisation in New York. The risk of an earthquake disrupting business might have a bigger impact on an organisation with all its employees working in a central location than it would have for an organisation whose employees all work remotely in different areas around the country.

When determining the likelihood and impact, a rating should be given to each. We often find the ratings of High, Medium or Low being used, but use whatever would work best for you. Using the score given to the likelihood and the score given to the impact, we can now determine the overall risk rating for each risk. For example, if we have determined that the likelihood is High and the impact is High, then the risk is overall a High risk. A risk with a Low likelihood but High impact might be determined to be a Medium risk. We can now use the overall risk ratings to identify the priority risks that we need to focus on!
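The asset, threat, likelihood and impact steps above can be carried through as a small risk register. The following is an added example, not code from the original post or from ISRiskAcademy: it encodes the likelihood/impact matrix, fixes the two cells the post states (High/High gives High, Low/High gives Medium), and fills the remaining cells with a constructed symmetric choice that an organisation would tune to its own appetite. The asset names and threats in the sample register are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from itertools import product


class Rating(IntEnum):
    """Ordinal scale used for likelihood, impact and the overall rating."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Overall rating keyed by (likelihood, impact).
# The two cells stated in the post are fixed; the other seven are a
# constructed, symmetric example and are the part an organisation would tune.
RISK_MATRIX: dict[tuple[Rating, Rating], Rating] = {
    (Rating.HIGH, Rating.HIGH): Rating.HIGH,        # stated in the post
    (Rating.LOW, Rating.HIGH): Rating.MEDIUM,       # stated in the post
    (Rating.HIGH, Rating.MEDIUM): Rating.HIGH,      # constructed
    (Rating.MEDIUM, Rating.HIGH): Rating.HIGH,      # constructed
    (Rating.MEDIUM, Rating.MEDIUM): Rating.MEDIUM,  # constructed
    (Rating.HIGH, Rating.LOW): Rating.MEDIUM,       # constructed
    (Rating.LOW, Rating.MEDIUM): Rating.LOW,        # constructed
    (Rating.MEDIUM, Rating.LOW): Rating.LOW,        # constructed
    (Rating.LOW, Rating.LOW): Rating.LOW,           # constructed
}


def matrix_is_complete(matrix: dict[tuple[Rating, Rating], Rating]) -> bool:
    """Check that every likelihood/impact combination has an overall rating,
    so a risk can never fall through a gap in the matrix."""
    return all((lk, im) in matrix for lk, im in product(Rating, Rating))


def overall_rating(likelihood: Rating, impact: Rating) -> Rating:
    """Look up the overall rating for one likelihood/impact pair."""
    return RISK_MATRIX[(likelihood, impact)]


@dataclass(frozen=True)
class Risk:
    asset: str        # the asset the threat applies to
    threat: str       # the 'what could go wrong' for that asset
    likelihood: Rating
    impact: Rating

    @property
    def overall(self) -> Rating:
        return overall_rating(self.likelihood, self.impact)


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register with the highest overall rating first.
    Ties are broken by impact, then likelihood (a constructed tie-break rule,
    chosen so that within one band the more damaging risk is listed first)."""
    return sorted(
        register,
        key=lambda r: (r.overall, r.impact, r.likelihood),
        reverse=True,
    )


def priority_risks(register: list[Risk], threshold: Rating = Rating.HIGH) -> list[Risk]:
    """Return only the risks at or above the threshold, in priority order."""
    return [r for r in prioritise(register) if r.overall >= threshold]


# Constructed sample register: one asset may carry several threats,
# and the same threat is rated differently for different assets.
SAMPLE_REGISTER: list[Risk] = [
    Risk("Head office (California)", "Earthquake disrupts operations", Rating.HIGH, Rating.HIGH),
    Risk("Head office (New York)", "Earthquake disrupts operations", Rating.LOW, Rating.HIGH),
    Risk("Customer database", "Unpatched server is compromised", Rating.MEDIUM, Rating.HIGH),
    Risk("Payroll clerk", "Key person leaves without handover", Rating.MEDIUM, Rating.MEDIUM),
    Risk("Office printer", "Hardware failure", Rating.HIGH, Rating.LOW),
]


if __name__ == "__main__":
    assert matrix_is_complete(RISK_MATRIX), "every likelihood/impact pair needs a rating"
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.overall.name:<6} L={risk.likelihood.name:<6} I={risk.impact.name:<6} "
              f"{risk.asset}: {risk.threat}")
```

Running the script prints the register from highest to lowest overall rating; the two High risks (the California office and the customer database) are the priority risks the post says to focus on, while the New York earthquake risk lands in the Medium band exactly as the Low-likelihood/High-impact example describes. The completeness check matters in practice because a matrix maintained by hand in a spreadsheet is easy to leave a cell out of.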

Responding to risks

By this stage we have identified and assessed the risks relevant to our assets and we can start to respond to those risks. That is a whole article in itself, so watch out for our follow-up article to this piece, where we will look at assigning owners to risks, developing Risk Treatment Plans and determining the residual risks.

What do you think?

We would love to get any feedback from you and hear your thoughts! If you have any recommendations to share or ideas you have for completing a risk assessment, please leave a note and share with everyone or you can send us an email via our contact page.



If you want to stay up to date with new posts and join in discussions, join our LinkedIn group ISRiskAcademy.


How to complete a Risk Assessment is a post from: isriskacademy.com

