Risk Assessment
Risk assessment is a step in a risk management process. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Departments who handle or manage information assets or electronic resources should conduct formal risk assessments. A risk assessment is a process by which to determine what information resources exist that require protection, and to understand and document potential risks from IT security failures that may cause loss of information confidentiality, integrity, or availability. The purpose of a risk assessment is to help management create appropriate strategies and controls for stewardship of information assets.
Successful risk assessments require full support of senior management and must be conducted by teams that include both functional managers and information technology administrators. As business operations, workflow, or technologies change, periodic reviews must be conducted to analyze these changes, to account for new threats and vulnerabilities created by these changes, and to determine the effectiveness of existing controls.
Types of risk assessment processes are:
Qualitative—A simplified process of identifying the major threats to which an enterprise is exposed and rating them on an ordinal scale rather than in monetary terms. For example, if one’s IT enterprise is located within “tornado alley,” there is an implied threat of a tornado occurring that could subsequently cause an impact to assets or processes.
Quantitative—Today’s risk management requires a direct correlation to the value of the assets that require protection. Organizations increasingly want to know what the cost/benefit is of protecting an asset or process. CFOs also want to know what the return on investment (ROI) is for investing in risk reduction/mitigation strategies. To find this information, an advanced risk analysis technique, known as a quantitative approach, is used to provide statistical insight into risk prediction and impact. This method requires that one establish a monetary value for the assets and processes, estimate the probability of a threat occurring, and determine the ROI for implementing safeguards to reduce the impact caused by that threat occurring.
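The two approaches above are easier to compare side by side in code. The following is an added example, not part of the original post: the qualitative half rates a threat on a constructed 3x3 likelihood-by-impact matrix, and the quantitative half applies the standard annualized loss expectancy (ALE) model, which the post alludes to (asset value, probability of occurrence, ROI of safeguards) but does not spell out. The formulas SLE = AV x EF and ALE = SLE x ARO are the conventional ones; the tornado figures (asset value, exposure factor, annual rate, safeguard cost) are constructed sample numbers, not data from the post.

```python
"""Qualitative rating and quantitative ALE/ROI for a single threat (added example)."""
from dataclasses import dataclass

# --- Qualitative: ordinal likelihood x impact matrix (constructed scale) ---
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Map ordinal likelihood and impact to a risk rating.

    The 3x3 matrix and its thresholds are a constructed illustration;
    real programmes define their own scales.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# --- Quantitative: annualized loss expectancy (ALE) model ---
@dataclass
class Threat:
    name: str
    asset_value: float      # AV: monetary value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    annual_rate: float      # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle() * self.annual_rate


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF once the control is in place
    new_annual_rate: float      # ARO once the control is in place


def safeguard_roi(threat: Threat, safeguard: Safeguard) -> dict:
    """ALE before/after the control, annual risk reduction, net benefit and ROI.

    ROI is net benefit divided by the control's annual cost; a negative
    value means the safeguard costs more per year than the risk it removes.
    """
    after = Threat(threat.name, threat.asset_value,
                   safeguard.new_exposure_factor, safeguard.new_annual_rate)
    reduction = threat.ale() - after.ale()
    net = reduction - safeguard.annual_cost
    roi = net / safeguard.annual_cost if safeguard.annual_cost else float("inf")
    return {"ale_before": threat.ale(), "ale_after": after.ale(),
            "risk_reduction": reduction, "net_benefit": net, "roi": roi}


def tornado_example() -> dict:
    """Worked case using constructed numbers for the post's tornado scenario."""
    # Constructed: $2M data centre, a direct hit destroys half of it,
    # expected once per ten years.
    tornado = Threat("tornado", asset_value=2_000_000,
                     exposure_factor=0.5, annual_rate=0.1)
    # Constructed: an off-site recovery capability costing $30k/year cuts
    # the loss per hit to 10% of AV; it does nothing to the tornado rate.
    dr_site = Safeguard("off-site recovery", annual_cost=30_000,
                        new_exposure_factor=0.1, new_annual_rate=0.1)
    return safeguard_roi(tornado, dr_site)


if __name__ == "__main__":
    print("qualitative:", qualitative_rating("low", "high"))
    for k, v in tornado_example().items():
        print(f"{k}: {v:,.2f}")
```

Running the script gives an ALE of $100,000 before the control and $20,000 after, so the $30,000 safeguard removes $80,000 of annual expected loss for a net benefit of $50,000 (ROI about 1.67). The same threat rates only "medium" on the qualitative matrix (low likelihood, high impact), which is exactly the gap the post describes: the qualitative view flags the threat, the quantitative view tells a CFO whether the mitigation pays for itself.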
Risk Assessment Tools
Ref: ISACA
March 1st, 2010
Abdul Saleem 
The information on this blog is valuable.