Which of the following is the final step in the risk identification process of information assets?

What is a risk assessment?

Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify these inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations.

Companies can use a risk assessment framework (RAF) to prioritize and share the details of the assessment, including any risks to their information technology (IT) infrastructure. The RAF helps an organization identify potential hazards and any business assets put at risk by these hazards, as well as potential fallout if these risks come to fruition.

In large enterprises, the risk assessment process is usually conducted by the Chief Risk Officer (CRO) or a Chief Risk Manager (CRM).

Risk assessment steps

How a risk assessment is conducted varies widely depending on the risks unique to the type of business, the industry that business is in and the compliance rules applied to that given business or industry. However, there are five general steps that companies can follow regardless of their business type or industry.

Step 1: Identify the hazards. The first step in a risk assessment is to identify any potential hazards that, if they were to occur, would negatively influence the organization's ability to conduct business. Potential hazards that could be considered or identified during risk assessment include natural disasters, utility outages, cyberattacks and power failure.

Step 2: Determine what, or who, could be harmed. After the hazards are identified, the next step is to determine which business assets would be negatively influenced if the risk came to fruition. Business assets deemed at risk to these hazards can include critical infrastructure, IT systems, business operations, company reputation and even employee safety.

Step 3: Evaluate the risks and develop control measures. A risk analysis can help identify how hazards will impact business assets and the measures that can be put into place to minimize or eliminate the effect of these hazards on business assets. Potential hazards include property damage, business interruption, financial loss and legal penalties.

Step 4: Record the findings. The risk assessment findings should be recorded by the company and filed as easily accessible, official documents. The records should include details on potential hazards, their associated risks and plans to prevent the hazards.

Step 5: Review and update the risk assessment regularly. Potential hazards, risks and their resulting controls can change rapidly in a modern business environment. It is important for companies to update their risk assessments regularly to adapt to these changes.

Risk assessment tools, such as risk assessment templates, are available for different industries. They might prove useful to companies developing their first risk assessments or updating older assessments.

How to use a risk assessment matrix

A risk assessment matrix, as shown in the accompanying example, is drawn as a grid with one axis labeled "likelihood" and the other axis labeled "consequence." Each axis progresses from "low" to "high." Each event is rated from low to high on the likelihood axis and, separately, from low to high on the consequence axis. The cell where those two ratings meet is the event's plot point on the matrix.

An example of a risk assessment matrix.

Quantitative vs. qualitative

Risk assessments can be quantitative or qualitative. In a quantitative risk assessment, the CRO or CRM assigns numerical values to the probability an event will occur and the impact it would have. These numerical values can then be used to calculate an event's risk factor, which, in turn, can be mapped to a dollar amount.

Qualitative risk assessments, which are used more often, do not involve numerical probabilities or predictions of loss. The goal of a qualitative approach is to simply rank which risks pose the most danger.

This table shows an example of a quantitative risk assessment.
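The matrix plotting and the quantitative versus qualitative scoring described in the two sections above, as an added worked example written for this page rather than code from the original article: a small risk register is scored both ways, first by reading a rating off a likelihood-by-consequence matrix, then by multiplying probability and dollar impact into an expected annual loss. The three-level scale, the thresholds that turn a matrix cell into a rating, and the sample register entries with their probabilities and dollar figures are all constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal scale shared by both matrix axes; the article's axes run "low" to "high".
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    """One row of a constructed risk register (sample data, not from the article)."""
    name: str
    likelihood: str     # qualitative level on the "likelihood" axis
    consequence: str    # qualitative level on the "consequence" axis
    probability: float  # quantitative: chance the event occurs within a year, 0..1
    impact_usd: float   # quantitative: loss in dollars if the event occurs


def is_valid_level(level: str) -> bool:
    """True if the level is one of the matrix axis labels."""
    return level in LEVELS


def matrix_score(likelihood: str, consequence: str) -> int:
    """Plot point on the matrix as likelihood rank times consequence rank (1..9)."""
    if not (is_valid_level(likelihood) and is_valid_level(consequence)):
        raise ValueError(f"levels must be one of {sorted(LEVELS)}")
    return LEVELS[likelihood] * LEVELS[consequence]


def matrix_rating(likelihood: str, consequence: str) -> str:
    """Qualitative rating read off the matrix cell.

    Assumed thresholds: a score of 6-9 is "high", 3-4 is "medium", 1-2 is "low".
    """
    score = matrix_score(likelihood, consequence)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def expected_loss(probability: float, impact_usd: float) -> float:
    """Quantitative risk factor mapped to dollars: annual probability times impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if impact_usd < 0:
        raise ValueError("impact must be non-negative")
    return probability * impact_usd


def rank_qualitative(register: list[Risk]) -> list[str]:
    """Risk names ordered by matrix score, highest first (ties keep register order)."""
    ordered = sorted(register,
                     key=lambda r: matrix_score(r.likelihood, r.consequence),
                     reverse=True)
    return [r.name for r in ordered]


def rank_quantitative(register: list[Risk]) -> list[str]:
    """Risk names ordered by expected annual loss in dollars, highest first."""
    ordered = sorted(register,
                     key=lambda r: expected_loss(r.probability, r.impact_usd),
                     reverse=True)
    return [r.name for r in ordered]


# Constructed sample register; every figure here is an illustrative assumption.
SAMPLE_REGISTER = [
    Risk("Ransomware outbreak", "high", "high", 0.20, 500_000),
    Risk("Phishing-led credential theft", "high", "medium", 0.90, 30_000),
    Risk("Data-center flood", "low", "high", 0.02, 2_000_000),
    Risk("Short utility power outage", "medium", "low", 0.50, 20_000),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:30} matrix={matrix_rating(r.likelihood, r.consequence):6} "
              f"expected loss=${expected_loss(r.probability, r.impact_usd):,.0f}")
    print("qualitative ranking :", rank_qualitative(SAMPLE_REGISTER))
    print("quantitative ranking:", rank_quantitative(SAMPLE_REGISTER))
```

With the sample register the two rankings disagree below the top entry: the qualitative matrix places the phishing risk above the flood because of its high likelihood, while the expected-loss view puts the flood above it because the dollar impact outweighs the low probability. That difference is exactly what the article means when it says the quantitative risk factor can be mapped to a dollar amount, whereas the qualitative approach only ranks which risks pose the most danger.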

The goal of risk assessments

Similar to risk assessment steps, the specific goals of risk assessments will likely vary based on industry, business type and relevant compliance rules. An information security risk assessment, for example, should identify gaps in the organization's IT security architecture, as well as review compliance with infosec-specific laws, mandates and regulations.

Some common goals and objectives for conducting risk assessments across industries and business types include the following:

  • Developing a risk profile that provides a quantitative analysis of the types of threats the organization faces.
  • Developing an accurate inventory of IT assets and data assets.
  • Justifying the cost of security countermeasures to mitigate risks and vulnerabilities.
  • Identifying, prioritizing and documenting risks, threats and known vulnerabilities to the organization's production infrastructure and assets.
  • Determining budgeting to remediate or mitigate the identified risks, threats and vulnerabilities.
  • Understanding the return on investment, if funds are invested in infrastructure or other business assets to offset potential risk.

The ultimate goal of the risk assessment process is to evaluate hazards and determine the inherent risk created by those hazards. The assessment should not only identify hazards and their potential effects, but should also identify potential control measures to offset any negative impact on the organization's business processes or assets.

This was last updated in October 2021



What is the final step in risk identification process?

As noted earlier, the final step in the risk identification process is to monitor and review risks, because some risks will always be present.

What are the steps in risk identification?

The risk identification process itself follows a defined structure and is elaborated progressively through six stages:

  • Template specification
  • Basic identification
  • Detailed identification
  • External cross-check
  • Internal cross-check
  • Statement finalization

Which of the risk process begins with the identification of the organization's information assets and an assessment of their value?

The process of risk identification begins with the identification of the organization's information assets and an assessment of their value. This includes all the elements of an organization's system, such as people, procedures, data and information, software, hardware and networking elements.

What is the first process during risk identification stage?

Step 1: Risk identification. The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project, such as project milestones, the financial trajectory of the project and project scope.