A risk assessment, also referred to as a risk analysis, is a process used to identify and evaluate risks. Risks are then quantified based on their importance or impact severity. These risks are then prioritized.
Risk assessments are a major part of an overall risk management program. They help identify which risks are most important. A major difference between a risk assessment and a risk management program is that the risk assessment is created for a moment in time, whereas a risk management program is a continuous process.
A risk assessment helps identify which safeguards to implement. Safeguards are also known as controls. They are used to control or reduce risk. A control may reduce a vulnerability or reduce the impact from a threat. Either way, the control reduces the risk.
All companies have a finite amount of money. Although a security expert may continuously want more money spent on security, there is a limit. If too much money is spent on security, the profit and health of the company are affected. How much is too much? Where is the line? A risk assessment can help determine where to draw the line.
Companies must consider profitability and survivability. A risk assessment helps a company maintain a proper balance between these two goals.
For example, a company has collected data through years of research. The same company has data identifying which food will be served in the cafeteria next week. If security funds are being prioritized, which data will get more money? The research data, of course. Identifying the priority in this example is easy, but that’s not always the case.
HIPAA governs the control of health-related data. SOX governs the accuracy of financial data.
Now, in this example, the same company holds data covered by both the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) laws and regulations. Which data is more important? Which data should have a higher priority of protection? What controls should be implemented to protect the data? These questions aren’t so easy to answer. Risk assessments for both the HIPAA and the SOX data could help answer these questions.
Risk assessments are an important part of the risk management process. Without a risk assessment, it is difficult to determine which systems should be protected and how to protect them. A risk assessment helps identify the most important systems to protect and provides insight into which controls will deliver the most value.
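The prioritization and budgeting decisions described above can be worked through numerically. The following is an added example, not from the original text: it assumes a simple model in which each risk's exposure is likelihood times impact, a control reduces either the likelihood (the vulnerability) or the impact, and a finite budget is spent on the controls that remove the most exposure per dollar. All figures are constructed.

```python
from dataclasses import dataclass
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float  # annual probability the threat is realised (0..1)
    impact: float      # loss in dollars if it is realised
    def exposure(self):
        """Annualised loss expectancy: likelihood x impact."""
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    cost: float
    risk_index: int                 # index of the Risk this control addresses
    likelihood_factor: float = 1.0  # <1.0 reduces the vulnerability
    impact_factor: float = 1.0      # <1.0 reduces the damage when it happens
    def reduction(self, risks):
        """Exposure removed once this control is in place."""
        return risks[self.risk_index].exposure() * (1 - self.likelihood_factor * self.impact_factor)

def prioritize(risks):
    """Risk indexes ordered from highest to lowest exposure."""
    return sorted(range(len(risks)), key=lambda i: risks[i].exposure(), reverse=True)

def select_controls(risks, controls, budget):
    """Greedy pick by exposure removed per dollar, within the budget; a control
    that removes less exposure than it costs is never worth buying."""
    worthwhile = [c for c in controls if c.reduction(risks) > c.cost]
    worthwhile.sort(key=lambda c: c.reduction(risks) / c.cost, reverse=True)
    chosen, spent = [], 0.0
    for c in worthwhile:
        if spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen

def residual_exposure(risks, chosen):
    """Total exposure left after the chosen controls are applied."""
    return sum(r.exposure() for r in risks) - sum(c.reduction(risks) for c in chosen)
# Constructed sample figures (not from the text); the assets echo its examples.
RISKS = [Risk("research data", "theft", 0.20, 5_000_000),
         Risk("cafeteria menu", "leak", 0.50, 200),
         Risk("HIPAA patient records", "breach", 0.10, 2_000_000),
         Risk("SOX financial records", "tampering", 0.05, 3_000_000)]
CONTROLS = [Control("encrypt research archive", 150_000, 0, impact_factor=0.25),
            Control("password on menu page", 5_000, 1, likelihood_factor=0.10),
            Control("access logging for patient records", 40_000, 2, likelihood_factor=0.50),
            Control("dual approval for ledger entries", 60_000, 3, likelihood_factor=0.20)]
BUDGET = 200_000
```

With these figures the research data ranks first and the cafeteria menu last, the menu password is rejected because it costs more than the exposure it removes, and the $200,000 budget buys encryption plus access logging while dual approval waits for the next cycle.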
A risk assessment should be completed:
Risk assessments are important tools to assist management. They help management quantify risks and identify and evaluate the effectiveness of controls. Risk assessments tend to:
Developing a risk assessment involves many steps. It isn’t a task that can be completed in a single sitting, a single day, or even a single week. When done properly, developing a risk assessment involves the input of several key players. The steps involved in developing a risk assessment are as follows:
A risk assessment identifies threats and vulnerabilities against the current system. It assumes current controls are working as expected. Another way of saying this is that a risk assessment is performed at a moment in time based on current conditions, whereas risk management is a continuous process.