The purpose of a risk assessment is to identify the internal and external threats that could cause a business interruption and to assess the probability and impact of each specific threat. The risk assessment examines all aspects of those threats, including the physical, environmental, administrative, and technical measures in place against them. It provides a complete identification, sourcing, and evaluation of the risk under which an organization operates and puts its vulnerabilities in perspective for the business. With that picture, the organization can implement measures that reduce the likelihood or mitigate the impact of these threats, prioritizing the most urgent business functions identified during the business impact analysis.
Types of Risk Assessments
It is essential to understand the different types of risk assessments. There are at least two: information security risk assessments and business risk assessments. Information security risk assessments focus exclusively on the risk to information and information systems, and should only be performed by information security professionals. Business risk assessments focus on risks to business operations as a whole; in contrast, these should be performed by organizations such as accounting firms that have a strong understanding of business risks. Information security risks are a subset of business risk.
Risk Assessment Flow
Common elements of risk assessment approaches involve five phases:
Asset Identification and Valuation
Risk assessments are done methodically and should follow nearly the same pattern each time; this provides consistency, so that results from one assessment can be compared with the next. A risk assessment should be scoped as broadly as possible so that senior management gains a good understanding of the current state of risk preparedness and has a sound foundation for establishing initial risk acceptance criteria and risk mitigation priorities.
Examples of Risks
The key part of the risk assessment is assessing the potential risks to the business that could result from disasters or emergency situations. The following are examples of risks that are possible for any organization.
Success Factors for Risk Assessment
Understanding the business is the most critical factor. The foundation of the methodology is that a risk assessment starts with a solid understanding of the business. It is impossible to produce a quality risk assessment without understanding the business and its mission-critical business processes.
Pre-defined procedures, coordination, and central control help ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and execution. Coordination and central control also help build an organization-wide view of the risks learned from the risk assessment process.
Communication with stakeholders must be addressed. One of the common steps in each phase of the methodology is communication with the stakeholders. Stakeholders should always be kept aware of the progress of the assessment and of the findings that have been uncovered. This is essential for two reasons. First, stakeholders have the opportunity to provide additional information that might change the nature of a finding. Second, the stakeholders are prepared to discuss the findings when the final report is presented to senior management.
The methodology should be flexible. Risk assessments seldom go exactly the way the methodology is laid out, so it must accommodate such things as scheduling conflicts or resource constraints. The methodology provides a framework for the assessment work; at times the assessors will have to adapt individual steps, as long as the assessment stays within the general framework of the methodology.
Preparation is a key concept in the risk assessment methodology. Preparation takes the form of researching the organization and preparing question sets for meetings with stakeholders. It is essential because it enables assessors to ask more informed questions during the assessment. Instead of wasting interview time on things that could have been learned by preparing, assessors can spend it discussing the more meaningful aspects of the business.
A risk assessment provides the groundwork for the remainder of the risk process by guiding the selection and implementation of risk controls and the timing and nature of testing those controls. Test results feed back into the risk assessment process as evidence that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis on which risks were accepted.
Documentation of the risk assessment process and procedures helps ensure consistency, completeness, and accountability. Documentation of the analysis and results provides a useful starting point for subsequent assessments, potentially reducing the effort required for them. Documentation of the risks accepted and of risk mitigation decisions is fundamental to achieving accountability for risk decisions.
Frank Kai Fat Chow is a systems manager for Automated Systems (HK) Limited (ASL). He has more than 10 years of experience working on risk assessment and management. He holds a bachelor’s degree in computer information science and a master’s degree in business administration.
Appeared in DRJ's Winter 2007 Issue