What is the first step in a risk assessment

The Five Step Guide to Risk Assessment

This article sets out to answer the basic questions about risk assessments: what a risk assessment is, why and when to do one, and how to do one.

What is a risk assessment?

The HSE’s definition of a risk assessment is:

“….a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm….”

A risk assessment is a vital element of health and safety management. Its main objective is to determine the measures required to comply with the statutory duties under the Health and Safety at Work Act 1974 and associated regulations, and so reduce the level of incidents and accidents.

Why do a risk assessment?

A risk assessment protects your workers and your business, as well as keeping you compliant with the law. As for when to do one: a risk assessment should be carried out before you or any of your employees undertake work that presents a risk of injury or ill-health.

Someone from your organisation should attend risk assessment training so that your organisation has a competent person with the skills to identify hazards and to categorise and evaluate risks. Those skills are what allow a ‘suitable and sufficient’ risk assessment to be carried out in-house.

How to do a risk assessment

There are no fixed rules on how a risk assessment should be carried out, but there are a few general principles that should be followed.

Following the five steps to risk assessment will ensure that your assessment is carried out correctly. The five steps are:

Step 1: Identify the hazards

In order to identify hazards you need to understand the difference between a ‘hazard’ and ‘risk’. A hazard is ‘something with the potential to cause harm’ and a risk is ‘the likelihood of that potential harm being realised’.

Hazards can be identified by using a number of different techniques such as walking round the workplace, or asking your employees.

Step 2: Decide who might be harmed and how

Once you have identified the hazards, you need to work out who might be harmed and how, for example ‘people working in the warehouse’ or members of the public.

Step 3: Evaluate the risks and decide on control measures

After identifying the hazards and deciding who might be harmed and how, you are required to protect those people from harm. A hazard can either be removed completely or its risk controlled so that injury is unlikely.

Step 4: Record your findings

Your findings should be written down; this is a legal requirement where there are five or more employees. Recording the findings shows that you have identified the hazards, decided who could be harmed and how, and how you plan to eliminate or control the risks.

Step 5: Review your assessment and update as and when necessary

Never forget that few workplaces stay the same; the risk assessment should therefore be reviewed and updated as required.

The five steps to risk assessment explained

Whether you are looking to create a risk assessment for the first time, or just simply want to brush up on the steps involved, either way you’re in the right place!

Our easy to follow guide will help you to understand what a risk assessment is and highlight the five steps that you should follow when creating one, as outlined by the HSE (Health and Safety Executive).

Before we dive in to the five steps, let’s first briefly recap what a risk assessment is and its purpose.

What is a risk assessment?

In short, a risk assessment is an examination of a task that you undertake at work which could potentially cause harm to people.

The goal is to understand any potential hazards and then to outline and take reasonable steps to prevent harm. A risk assessment therefore helps you to understand such eventualities and take precautions against them.

Finally, remember that some regulations will likely require certain control measures to be put in place, see step 3 for more information on this.

The five steps to risk assessment

Below are the five steps to risk assessment, as outlined by the HSE. These steps should be adhered to when creating a risk assessment.

Workplace hazards can come in many forms, such as physical, mental, chemical, and biological, to name just a few.

Hazards can be identified using a number of techniques, although one of the most common remains walking around the workplace to see first-hand any processes, activities or substances that may injure or harm employees.

Of course, if you work in the same environment every day you may miss some hazards, so the HSE also recommend looking at and considering:

Identifying who may be at risk extends to full and part-time employees, contract staff, visitors, clients, and other members of the public at the workplace.

You should also consider people who may not be on site all the time, or who are there at different times, such as employees working night shifts and lone workers.

For each hazard you will need to understand who may be harmed; this will help you to identify preventive measures for controlling the risk.

Once you have identified the hazards, the next logical step is to remove the associated risks completely; where this is not possible, control measures should be put in place.

For example, a cleaner will inevitably come into contact with chemicals. That hazard probably cannot be removed, but control measures, such as providing protective gloves and mops, and training in safely storing and handling cleaning chemicals, can and should be in place.

The HSE recommend that you record your significant findings: the hazards, how people may be harmed by them and, essentially, the control measures you have implemented.

It is worth highlighting that currently only organisations with five or more staff are required to record the findings of a risk assessment in writing; regardless, it is good practice to keep a written reference.

Last, but not least, review the risk assessment. Over time workplaces change: new equipment, substances or tasks may have been introduced since the last assessment took place. With this in mind, it is recommended that you look back at past risk assessments and consider whether there have been significant changes and, if so, whether new hazards or control measures should be introduced.

Note: the information provided in this article derives from the HSE, and is correct at the time of publishing. The information here is provided as a guide and as general background information, this article should not be taken as legal advice.

Risk Assessment

Identify, analyze, and mitigate potential hazards and the risks associated with it.

Published 27 Jul 2022

What is a Risk Assessment?

A risk assessment is a systematic process that involves identifying, analyzing and controlling hazards and risks. It is performed by a competent person to determine which measures are, or should be, in place to eliminate or control the risk in the workplace in any potential situation.

Risk assessment is one of the major components of risk analysis, a multi-step process that sets out to identify and analyze all the potential risks and issues that could harm the business. Risk analysis is ongoing and is updated when necessary. The two concepts are interconnected but can also be applied individually.

Risk communication is the process of exchanging information and opinion about risk with the parties concerned. Risk management is the proactive control and evaluation of threats and risks in order to prevent accidents, uncertainties and errors. Together with risk assessment, these are the elements that support informed decisions such as how to mitigate a risk.

Why Is Risk Assessment Important?

Identifying hazards through the risk assessment process is a key element in ensuring the health and safety of your employees and customers. OSHA requires businesses to conduct risk assessments: under OSHA regulations, assessing the hazards and potential risks of a job determines the personal protective equipment a worker needs for it. Guidelines are available for different industries, since the types of risk present vary. Agribusiness is one example: its unique risks include manure storage, tractor operation, and animal handling, behavior and health.

The US Environmental Protection Agency (EPA) specializes in assessing hazards such as chemicals to humans and to environmental receptors such as animals and other ecological systems. In the UK, conducting risk assessments is a legal requirement under the Health and Safety at Work Act; the specific requirement is set out in the Management of Health and Safety at Work Regulations.

With all these organizations and governments requiring risk assessments at work, the importance of hazard identification is clear. Preventing and reducing risks saves lives and keeps the workplace a safe space.

Risk Analysis Framework

When Do You Perform a Risk Assessment?

Beyond complying with legislative requirements, the purpose of a risk assessment is to eliminate operational risks and improve the overall safety of the workplace. It is the employer’s responsibility to perform a risk assessment when:

Risk assessments are also performed by auditors when planning an audit procedure for a company.

Difference Between Risk Assessment and Job Safety Analysis (JSA)

Risk assessments are often confused with a Job Safety Analysis (JSA) or Job Hazard Analysis (JHA). The key difference is scope. A risk assessment covers safety hazards across the entire workplace and is often accompanied by a risk matrix to prioritize hazards and controls, whereas a JSA focuses on job-specific risks and is typically performed for a single task, assessing each step of the job.

3 Types

While the exact details of risk assessments vary greatly across industries, the HSE distinguishes three general types of risk assessment:

Large Scale Assessments

This refers to risk assessments performed for large-scale, complex hazard sites such as nuclear and oil and gas installations. This type of assessment requires an advanced technique called Quantitative Risk Assessment (QRA).

Required specific assessments

This refers to assessments that are required under specific legislation or regulations, such as the handling of hazardous substances (according to COSHH regulations, 1998) and manual handling (according to Manual Handling Operations Regulations, 1992).

General assessments

This type of assessment covers general workplace risks and is required by health and safety regulators such as OSHA and the HSE.

Examples

Risk assessments are essential for identifying hazards and risks that could harm workers. Different industries use different kinds of risk assessment, tailored to their specific needs and control measures. Here are some common risk assessment examples:

Risk assessments can be seen as a regulatory paperwork burden, but understanding the reason and purpose of a risk assessment will help your team identify, prioritize and control hazards in your workplace.

Planning

Risk assessments should be carried out by competent persons experienced in assessing injury severity, likelihood and control measures. Good planning is essential to implementing a risk assessment effectively. Consider the following four elements, as stated by the Occupational Safety and Health Administration (OSHA):

By determining all of these, you can create a solid foundation for an effective risk assessment. Once you’ve planned out your risk assessment, you can proceed with performing the risk assessment. A risk assessment is performed in 5 steps or stages.

5 Steps

1. Identify hazards

2. Evaluate the risks

To evaluate a hazard’s risk, you have to consider how, where, how much and how long individuals are typically exposed to a potential hazard. Assign a risk rating to your hazards with the help of a risk matrix. Using a risk matrix can help measure the level of risk per hazard by considering factors such as the likelihood of occurrence, and severity of potential injuries. Meanwhile, performing an environmental analysis lets you gauge potential risks and their impacts on your business environment.

3. Decide on control measures to implement

After assigning a risk rating to an identified hazard, it’s time to come up with effective controls to protect workers, properties, civilians, and/or the environment. Follow the hierarchy of controls in prioritizing implementation of controls.

4. Document your findings

It is important to keep a formal record of risk assessments. This can help your organization keep track of hazards, risk, and control measures. Documentation may include a detailed description of the process in assessing the risk, an outline of evaluations, and detailed explanations on how conclusions were made.
Use a risk assessment template to document your findings. Get started with iAuditor’s free risk assessment templates that you can use on your mobile device while on-site. Share your report and findings with key parties who can implement changes.

5. Review your assessment and update if necessary

Follow up on your assessments and check whether the recommended controls have been put in place. If the conditions on which your risk assessment was based change significantly, use your judgment to decide whether a new risk assessment is necessary.

Tools and Techniques

There is a range of tools and techniques that can be incorporated into a business’s processes. Four common risk assessment tools are the risk matrix, the decision tree, failure modes and effects analysis (FMEA) and the bowtie model. Other techniques include what-if analysis, fault tree analysis (FTA) and hazard and operability analysis (HAZOP).

How to use a Risk Matrix?

Consequences \ Likelihood   Very Likely   Likely    Unlikely   Highly Unlikely
Fatality                    High          High      High       Medium
Major Injuries              High          High      Medium     Medium
Minor Injuries              High          Medium    Medium     Low
Negligible Injuries         Medium        Medium    Low        Low

A risk matrix is often used during a risk assessment to measure the level of risk by considering the consequence (severity) and the likelihood of injury to a worker exposed to a hazard. Together these two measures determine the overall risk rating of the hazard. Two key questions to ask when using a risk matrix are:

The most common types are the 3×3 risk matrix, 4×4 risk matrix, and 5×5 risk matrix.

How to Assess Consequences?

In assessing the consequences of a hazard, the first question to ask is: “If a worker is exposed to this hazard, how bad would the most probable severe injury be?” For this purpose we presume that exposure and injury are inevitable and concern ourselves only with the severity.

It is common to group the injury severity and consequence into the following four categories:

To illustrate how this can be used in the workplace we will use the example of a metal shearing task. A hazard involved could include a piece of metal flying out of the equipment while in use. In this example the probable most severe injury would be “Major or Serious Injury” with the possibility of bruising, breakage, finger amputation.

How to Assess Likelihood?

In assessing the likelihood, the question should be asked “If the hazard occurs, how likely is it that the worker will be injured?”. This should not be confused with how likely the hazard is to occur. It is common to group the likelihood of a hazard causing worker injury into the following four categories:

In our metal shearing example the question is not “How likely is the machine to fail?” but “When the machine fails and causes metal to fly out, how likely is it that the worker will be injured?”. If we observe a safe distance between machine and worker and proper PPE being worn, we could rate it as “Unlikely” on the basis of those observations.
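The matrix and the metal shearing walk-through above, turned into a small risk register as an added example (this is not code from the original article or from any tool it mentions). The matrix cells are exactly those in the table above. Everything else is an illustrative assumption: the sample hazards, the idea that each control moves a hazard a fixed number of columns (likelihood) or rows (consequence), the ordering used for the hierarchy of controls, and the rule that a residual High rating always needs further action.

```python
"""Workplace risk register built on the 4x4 risk matrix above.  Added example,
not code from the original article.  The matrix cells are the ones in the table
on this page; the hazards, the idea that each control moves a hazard a fixed
number of columns (likelihood) or rows (consequence), the ordering of the
hierarchy of controls and the rule that a residual High rating always needs
further action are illustrative assumptions."""
from dataclasses import dataclass, field

# Scale order matches the table: most likely / most severe first.
LIKELIHOOD = ["Very Likely", "Likely", "Unlikely", "Highly Unlikely"]
CONSEQUENCE = ["Fatality", "Major Injuries", "Minor Injuries", "Negligible Injuries"]

# Rows are consequences, columns follow LIKELIHOOD (same layout as the table).
MATRIX = {
    "Fatality":            ["High",   "High",   "High",   "Medium"],
    "Major Injuries":      ["High",   "High",   "Medium", "Medium"],
    "Minor Injuries":      ["High",   "Medium", "Medium", "Low"],
    "Negligible Injuries": ["Medium", "Medium", "Low",    "Low"],
}

# Hierarchy of controls, most effective first (assumed ordering; the article
# names the hierarchy but does not list it).
HIERARCHY = ["elimination", "substitution", "engineering", "administrative", "ppe"]
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Eliminated": 3}


def rate(consequence: str, likelihood: str) -> str:
    """Read one cell of the matrix."""
    return MATRIX[consequence][LIKELIHOOD.index(likelihood)]


def _shift(scale, value, steps):
    """Move `steps` positions towards the benign end of a scale, clamped at the end."""
    return scale[min(scale.index(value) + steps, len(scale) - 1)]


@dataclass
class Control:
    description: str
    level: str                  # one of HIERARCHY
    likelihood_steps: int = 0   # columns the control moves the hazard (assumed effect)
    consequence_steps: int = 0  # rows the control moves the hazard (e.g. PPE limits injury)

    def __post_init__(self):
        if self.level not in HIERARCHY:
            raise ValueError(f"unknown control level: {self.level}")


@dataclass
class Hazard:
    name: str
    who: str                    # step 2: who might be harmed
    consequence: str            # most probable severe injury if exposed
    likelihood: str             # likelihood of injury once the hazard occurs
    controls: list = field(default_factory=list)

    def inherent_rating(self) -> str:
        return rate(self.consequence, self.likelihood)

    def residual_rating(self) -> str:
        """Rating after the planned controls; elimination removes the hazard outright."""
        if any(c.level == "elimination" for c in self.controls):
            return "Eliminated"
        likelihood = _shift(LIKELIHOOD, self.likelihood,
                            sum(c.likelihood_steps for c in self.controls))
        consequence = _shift(CONSEQUENCE, self.consequence,
                             sum(c.consequence_steps for c in self.controls))
        return rate(consequence, likelihood)


def build_register(hazards):
    """Step 4 record: one row per hazard, highest residual risk first."""
    rows = []
    for h in hazards:
        residual = h.residual_rating()
        ordered = sorted(h.controls, key=lambda c: HIERARCHY.index(c.level))
        rows.append({
            "name": h.name, "who": h.who,
            "inherent": h.inherent_rating(), "residual": residual,
            "controls": [c.description for c in ordered],
            "action_required": residual == "High",   # assumed acceptance rule
        })
    rows.sort(key=lambda r: RATING_ORDER[r["residual"]])
    return rows


# Constructed hazards; the metal shearing and cleaning cases mirror the article's prose.
SAMPLE_HAZARDS = [
    Hazard("Metal shearing: offcut ejected from machine", "machine operator",
           "Major Injuries", "Likely", [
               Control("Marked safe working distance and stand-off barrier",
                       "administrative", likelihood_steps=1),
               Control("Gloves and eye protection", "ppe", consequence_steps=1),
           ]),
    Hazard("Handling cleaning chemicals", "cleaners", "Minor Injuries", "Likely", [
           Control("Protective gloves", "ppe", consequence_steps=1),
           Control("Training on safe storage and handling", "administrative", likelihood_steps=1),
    ]),
    Hazard("Forklift movements in the warehouse", "warehouse staff and visitors",
           "Fatality", "Unlikely"),           # no controls planned yet
    Hazard("Changing light tubes from a ladder", "facilities staff",
           "Major Injuries", "Likely", [
               Control("Fittings replaced with units serviced from floor level", "elimination"),
           ]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_HAZARDS):
        flag = "  <-- more controls needed" if row["action_required"] else ""
        print(f"{row['residual']:<10} (was {row['inherent']:<6}) {row['name']}{flag}")
```

Run it directly to print the register, highest residual risk first. Carrying both the inherent and the residual rating is the point: step 3 is only finished when the residual column is acceptable, and a row whose residual rating is still High is the one that needs more controls, chosen from as high up the hierarchy as is practicable.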

Risk Assessment Training: Achieving a Culture of Safety

“Safety has to be everyone’s responsibility… everyone needs to know that they are empowered to speak up if there’s an issue.” – Captain Scott Kelly, at the SafetyCulture Virtual Summit.

Thinking about safety should not stop when the risk assessment is complete. Build a safety culture in which employees are empowered to stay aware of their own safety as they do their best work. Hazard identification and risk assessment training can help your organization achieve that.

A good and effective risk assessment training should orient new and existing employees on various hazards and risks that they may potentially encounter. It should also be able to walk them through safety protocols. When everyone is on the same page, managing risks becomes easy.

Conducting or providing training shouldn’t be a pain. With today’s technology, many mobile applications allow you to transform training into engaging and bite sized lessons. Below are a few courses we picked out that can be beneficial for you in getting started:

How do you Perform a Risk Assessment with iAuditor?

Many factors and processes come into play in a risk assessment. The process usually takes a long time because it passes through many hands for review and completion, which in turn exposes the procedure to problems such as lost paperwork and records.

Using a risk assessment software like iAuditor makes it easy for you to have everything in one place. Organizations are able to track hazards, risks, control measures, and corrective actions within just a few taps.


Risk Assessment Templates

Risk assessments are traditionally completed through pen-and-paper checklists which are inconvenient when reports and action plans are urgently needed. Streamline the process with iAuditor by SafetyCulture, a mobile app solution. Get started by browsing this collection of customizable Risk Assessment templates that you can download for free.

SafetyCulture Content Specialist

Jai Andales is a content writer and researcher for SafetyCulture since 2018. As a content specialist, she creates well-researched articles about health and safety topics. She is also passionate about empowering businesses to utilize technology in building a culture of safety and quality.

What are the five steps to risk assessment?

The Health and Safety Executive (HSE) advises employers to follow five steps when carrying out a workplace risk assessment:

Step 1: Identify hazards, i.e. anything that may cause harm.

Employers have a duty to assess the health and safety risks faced by their workers. Your employer must systematically check for possible physical, mental, chemical and biological hazards.

This is one common classification of hazards:

Step 2: Decide who may be harmed, and how.

Identifying who is at risk starts with your organisation’s own full- and part-time employees. Employers must also assess risks faced by agency and contract staff, visitors, clients and other members of the public on their premises.

Employers must review work routines in all the different locations and situations where their staff are employed. For example:

Employers have special duties towards the health and safety of young workers, disabled employees, nightworkers, shiftworkers, and pregnant or breastfeeding women.

Step 3: Assess the risks and take action.

This means employers must consider how likely it is that each hazard could cause harm. This will determine whether or not your employer should reduce the level of risk. Even after all precautions have been taken, some risk usually remains. Employers must decide for each remaining hazard whether the risk remains high, medium or low.

Step 4: Make a record of the findings.

Employers with five or more staff are required to record in writing the main findings of the risk assessment. This record should include details of any hazards noted in the risk assessment, and action taken to reduce or eliminate risk.

This record provides proof that the assessment was carried out, and is used as the basis for a later review of working practices. The risk assessment is a working document. You should be able to read it. It should not be locked away in a cupboard.

Step 5: Review the risk assessment.

A risk assessment must be kept under review in order to:

How to Perform a Successful IT Risk Assessment

With a cyber attack being attempted every 40 seconds and ransomware attacks increasing at a rate of 400% year over year, it’s no wonder your organization has to take security seriously. But do you feel confident that you’ve allocated an appropriate amount of resources towards your security program?

Do you know which information assets and systems are most vulnerable? And have you calculated the potential financial costs you’d incur if key systems were to go down? In our modern, highly volatile cyber risk environment, these are critical questions for every organization to answer. Getting the answers will require your organization to become proficient in conducting an IT risk assessment.

What is an IT Risk Assessment?

IT security risk assessments focus on identifying the threats facing your information systems, networks and data, and assessing the potential consequences you’d face should these adverse events occur. Risk assessments should be conducted on a regular basis (e.g. annually) and whenever major changes occur within your organization (e.g., acquisition, merger, re-organization, when a leader decides to implement new technology to handle a key business process, when employees suddenly move from working in an office to working remotely).

IT risk assessment is not only important for protecting your organization and right-sizing your security investment; it may also be mandatory. Some information security frameworks, such as ISO 27001 and CMMC, require risk assessments to be conducted in specific ways and documented before your organization can be considered compliant.

IT risk assessments are a crucial part of any successful security program. Risk assessments allow you to see how your organization’s risks and vulnerabilities are changing over time, so decision-makers can put appropriate measures and safeguards in place to respond to risks appropriately.

Why Conduct an IT Risk Assessment?

For some businesses, especially small companies, it might seem like a big enough job just to put a team in place to develop and manage information security plans without the added work of proactively looking for flaws in your security system. But in reality, an IT risk assessment is something you can’t afford to skip over. Information security risk assessments serve many purposes, some of which include:

Cost justification

An IT risk assessment gives you a concrete list of vulnerabilities you can take to upper-level management and leadership to illustrate the need for additional resources and a budget to shore up your information security processes and tools. It can be difficult for leadership to see why you need to invest more money into information security practices that, from their point of view, are working just fine. Showing them the results of an information security risk assessment is a way to drive home that the risks to your sensitive information are always changing and evolving, so your infosec practices need to evolve with them.

Productivity

If you are consistently performing risk assessments, you will always know where your information security team should dedicate their time, and you will be able to use that time more effectively. Instead of always reacting to a problem after it has caused a security event, you’ll spend that time fixing vulnerabilities in your security practices and processes so you can avoid the issue in the first place. IT risk assessments also show you which risks require more time and attention, and which risks you can afford to divert fewer resources to.

Breaking barriers

Information security ideally involves at least two groups: senior management and IT staff. Senior management should set the appropriate level of security, while IT implements the plan that achieves it. Risk assessments bring the two groups together: they give IT staff a tool to open conversations with management about the infosec risks the organization faces and how the company can achieve the highest level of security possible.

Communication

Above all else, risk assessments improve information security by facilitating communication and collaboration throughout an organization.

First, to properly assess risk within a business, the IT security staff will need to have conversations with all departments to understand:

This gives the security team a chance to learn about other peoples’ positions, challenges, and contributions to the information security of the business as a whole.

Second, risk assessments provide IT and compliance teams a chance to communicate the importance of information security to people throughout the entire organization and to help each employee understand how they can contribute to security and compliance objectives.

Changes in many different parts of a business can open it up to different risks, so it’s important for the people responsible for information security to understand if and when the business’s processes or objectives change.

As we said earlier, the more people and information sources you can include, the better the output will be. But it’s important to know that any company can perform an information security risk assessment and find areas for improvement, even if you don’t have extensive IT or compliance teams.

How is an IT Risk Assessment Done?

You can perform two categories of risk assessments, but the most effective approach is to incorporate aspects of both of them.

Quantitative risk assessments, or assessments that focus on numbers and percentages, can help you determine the financial impacts of each risk.

Qualitative risk assessments help you assess the human and productivity aspects of a risk.

Both of these categories have value, and both of them will allow you to communicate risk with different types of people. For example, your legal and financial teams will likely be most interested in the numbers, while your operations teams, such as sales and customer service, will be more concerned about how a security event would affect their operations and efficiency.

Following these steps will help you conduct a basic information security risk assessment and give you the tools you need to begin building a consistent process for identifying key business risks.

1. Identify and catalog your information assets

The first step in a risk assessment is to make sure that you have a comprehensive list of your information assets. Different roles and departments will have different perspectives on which assets matter most, so get input from more than one source. For salespeople, the most important information asset might be the company's CRM; IT likely sees the servers they maintain as the higher priority; and for HR it is confidential employee information.

Once you have identified all of your information assets and key stakeholders within all departments you’ll need to classify these data assets based on their sensitivity level as well as the strategic importance of the asset to the organization. To get accurate and complete information, you’ll need to talk to the administrators of all major systems across all departments.

Below is a sample data classification framework. For more information on how to classify data, please refer to this article from Sirius Edge.

[Image: sample data classification framework]

Once you have your data classified, you can zero in on the most sensitive data and see how it is being handled.

2. Identify threats

When thinking about threats to data security, hackers are usually top of mind, but threats to your business's information security come in many different forms. You can see from this list of 2019 data breaches that while attackers exploiting weaknesses in a business's firewalls or website security have been very common, many other threat types contributed to data breaches in 2019. Take all of them into account when compiling the list of threats your business faces.

For example, you also have to take into account not just malicious human interference, but also accidental human interference, such as employees accidentally deleting information or clicking on a malware link. Depending on the quality of your hardware and your information systems, you might also need to account for the risk of system failure.

Finally, things such as natural disasters and power failures can wreak as much havoc as humans can, so you need to account for any of those kinds of threats as well. After you’ve completed this step, you should have a thorough list of the threats to your assets.

New Cybersecurity Risks Prompted by COVID-19

The novel coronavirus has forced most organizations into a remote-only operating model, which leaves them more exposed: employees are working outside corporate firewalls, and cybercriminals can take advantage of public concern surrounding the virus by conducting phishing attacks and disinformation campaigns.

Phishing attacks often use a combination of email and bogus websites to trick victims into revealing sensitive information. Disinformation campaigns can spread discord, manipulate public conversation, influence policy development, or disrupt markets.

During this time, your IT security team should remind employees to take precautions, reiterate key concepts covered in your security training, ensure that all monitoring systems are operating correctly, and be ready to respond to any security incidents promptly.

3. Identify vulnerabilities

A vulnerability is a weakness in your system or processes that might lead to a breach of information security. For example, if your company stores customers’ credit card data but isn’t encrypting it, or isn’t testing that encryption process to make sure it’s working properly, that’s a significant vulnerability. Allowing weak passwords, failing to install the most recent security patches on software, and failing to restrict user access to sensitive information are behaviors that will leave your business’s sensitive information vulnerable to attack.

During the coronavirus health crisis, another vulnerability you may face is a lack of staff. Security controls are at risk of not being performed because IT security staff are working remotely or, worse, are sick themselves.

You can find vulnerabilities through audits, penetration testing, security analyses, automated vulnerability scanning tools, or by checking the software you run against the NIST National Vulnerability Database (NVD).

It’s also important to consider potential physical vulnerabilities. For example, if your employees work with hard copies of sensitive information or use company electronics outside of the office, this can lead to the misuse of information just like vulnerabilities in your software and electronic systems.


4. Analyze internal controls

After identifying the vulnerabilities in your systems and processes, the next step is to take stock of the controls you already have in place and judge how well each one reduces the vulnerabilities and threats you found. A control may remove a vulnerability outright (for example, patching the software), or it may reduce the chance or impact of a threat that cannot be eliminated (for example, backups against accidental deletion). Knowing which controls exist, and whether they actually work, is what lets you estimate likelihood in the next step; designing new controls comes later, in step 8.

Controls can be technical, such as software hardening, encryption, or intrusion detection systems, or non-technical, such as security policies or physical controls. Controls can also be broken down into preventive or detective controls, meaning that they either prevent incidents or detect an incident while it is occurring and alert you.

Creating effective controls requires experience and skills. If your firm does not have security and compliance subject matter experts on staff, it is crucial to seek out assistance from professional services firms that have deep expertise in addressing IT security issues.

5. Determine the likelihood that an incident will occur

Using all the information you have gathered – your assets, the threats those assets face, and the controls you have in place to address those threats – you can now categorize how likely each of the vulnerabilities you found might actually be exploited. Many organizations use the categories of high, medium, and low to indicate how likely a risk is to occur.

So, if, for example, a core application you use to run your business is out-of-date and there’s no process for regularly checking for updates and installing them, the likelihood of an incident involving that system would probably be considered high.

On the other hand, if you handle a large volume of personal health information, have automated systems for encrypting and anonymizing it, and regularly test and check the effectiveness of those systems, the likelihood of an incident could be considered low. You will need to use your knowledge of the vulnerabilities and the implementation of the controls within your organization to make this determination.

6. Assess the impact a threat would have

This step is known as impact analysis, and it should be completed for each vulnerability and threat you have identified, no matter the likelihood of one happening. Your impact analysis should include three things:

If possible, you should consider both the quantitative and qualitative impacts of an incident to get the full picture. Depending on the three factors above, you can determine whether a threat would have a high, medium, or low impact on your organization. Taken together with how likely an incident is to occur, this impact analysis will help you to prioritize these risks in the next step.

7. Prioritize the risks to your information security

Prioritizing your security risks will help you determine which ones warrant immediate action, where you should invest your time and resources, and which risks you can address at a later time.

For this step, a simple risk matrix helps: for each vulnerability/threat pair, plot the likelihood you assigned in step 5 against the impact you assigned in step 6. Risks that are both likely to happen and would have severe consequences land in the high-priority cells, risks that are unlikely and would have marginal consequences land in the lowest-priority cells, and everything else falls somewhere in between.

You can make your risk matrix as simple or as complex as is helpful to you. If you're a large organization with many risks competing for time and attention, a more in-depth 5×5 risk matrix will likely be helpful; smaller organizations with fewer risks to prioritize can use a simple 3×3 matrix and still get the same benefit.
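The following is an added worked example, not code from the original article or from Hyperproof. It carries steps 5 through 7 through in code: each vulnerability/threat pair is scored on ordinal likelihood and impact scales, placed on a 3×3 or 5×5 matrix, and, where a single-loss figure and an annual frequency are available, also given a quantitative annualised loss expectancy (ALE = SLE × ARO) so that finance and operations readers see the same risk in the terms described in the quantitative/qualitative discussion above. The scale labels, the priority-band thresholds, and the three sample risks are all assumptions constructed for the example.

```python
"""Risk scoring and prioritization example (added; not the article's or
Hyperproof's code). Sample risks and thresholds are constructed."""
from dataclasses import dataclass
from typing import Optional

# Ordinal scales for a 5x5 matrix; a 3x3 matrix uses low/medium/high for both axes.
LIKELIHOOD_5 = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_5 = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
SCALE_3 = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str              # label from the chosen scale (step 5)
    impact: str                  # label from the chosen scale (step 6)
    controls: tuple              # existing controls noted in step 4 (for the register)
    sle: Optional[float] = None  # single loss expectancy, currency units (quantitative)
    aro: Optional[float] = None  # annualised rate of occurrence, e.g. 0.5 = once in two years


def matrix_score(likelihood: str, impact: str, size: int = 5) -> int:
    """Return likelihood x impact as the cell value on a size x size matrix."""
    if size == 5:
        lk, im = LIKELIHOOD_5, IMPACT_5
    elif size == 3:
        lk = im = SCALE_3
    else:
        raise ValueError("matrix size must be 3 or 5")
    return lk[likelihood.lower()] * im[impact.lower()]


def priority(score: int, size: int = 5) -> str:
    """Map a cell value to a priority band.

    Bands are fractions of the largest cell (size*size): 60% and above is
    'high', 25% and above is 'medium', the rest 'low'. These thresholds are an
    assumption of the example; set bands that match your own risk appetite.
    """
    ratio = score / (size * size)
    if ratio >= 0.6:
        return "high"
    if ratio >= 0.25:
        return "medium"
    return "low"


def ale(sle: Optional[float], aro: Optional[float]) -> Optional[float]:
    """Annualised loss expectancy; None when the risk was scored only qualitatively."""
    if sle is None or aro is None:
        return None
    return sle * aro


def prioritize(risks, size: int = 5):
    """Score every risk and return rows sorted highest priority first.

    Ties on the matrix score are broken by ALE (largest first), so the
    quantitative view refines the qualitative one rather than replacing it.
    """
    rows = []
    for r in risks:
        score = matrix_score(r.likelihood, r.impact, size)
        rows.append({"risk": r, "score": score,
                     "priority": priority(score, size), "ale": ale(r.sle, r.aro)})
    rows.sort(key=lambda row: (row["score"], row["ale"] or 0.0), reverse=True)
    return rows


def render_register(rows) -> str:
    """Plain-text risk register suitable for the step-9 report."""
    lines = ["asset | threat | vulnerability | likelihood | impact | score | priority | ALE | controls"]
    for row in rows:
        r = row["risk"]
        ale_text = "n/a" if row["ale"] is None else f"{row['ale']:,.0f}"
        lines.append(" | ".join([r.asset, r.threat, r.vulnerability, r.likelihood, r.impact,
                                 str(row["score"]), row["priority"], ale_text,
                                 "; ".join(r.controls) or "none"]))
    return "\n".join(lines)


# Constructed sample register: three vulnerability/threat pairs for a fictional company.
SAMPLE_RISKS = [
    Risk("ERP application server", "exploitation of known flaw by external attacker",
         "core application out of date; no patch process", "likely", "major",
         ("perimeter firewall",), sle=250_000, aro=0.5),
    Risk("PHI data store", "data theft by external attacker",
         "none significant; encryption and anonymisation tested quarterly", "unlikely", "severe",
         ("encryption at rest", "anonymisation", "quarterly control testing"), sle=1_000_000, aro=0.05),
    Risk("HR file share", "accidental deletion by employee",
         "no versioning on share", "possible", "minor",
         ("nightly backups",)),
]

if __name__ == "__main__":
    print(render_register(prioritize(SAMPLE_RISKS)))
```

Run as-is, the out-of-date ERP server (likely × major = 16 on the 5×5 matrix, ALE 125,000) comes out high, the well-controlled PHI store (unlikely × severe = 10) medium, and the file share (possible × minor = 6) low, which is the same ordering the prose examples in steps 5 and 6 arrive at by hand. Passing `size=3` with low/medium/high labels gives the smaller matrix the article recommends for organizations with fewer risks.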

Cyber Risk Models for Information Security

Several frameworks exist for modelling and quantifying cyber risk. Two widely used ones are:

NIST SP 800-30: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, was originally published in 2002 and revised in 2012 (Revision 1). It is the risk assessment guidance within the NIST Risk Management Framework (the RMF itself is described in SP 800-37) and is referenced by the NIST Cybersecurity Framework, giving you a structured way to view an organization's threats, vulnerabilities, likelihood, and impact through a risk-based lens.

World Economic Forum Cyber Risk Framework and Maturity Model: This model was published in 2015 in collaboration with Deloitte and, like NIST SP 800-30, relies on subjective expert judgments. It looks at risk through a "value-at-risk" lens and asks stakeholders to evaluate three components: 1) the organization's existing vulnerabilities and defense maturity, 2) the value of its assets, and 3) the profile of the attacker.


8. Design controls

Once you’ve established priorities for all risks you’ve found and detailed, then you can begin to make a plan for mitigating the most pressing risks. To determine what controls you need to develop to effectively mitigate or eliminate the risks, you should involve the people who will be responsible for executing those controls.

Senior management and IT should also be heavily involved to ensure that the controls will address risks and align with your organization’s overall risk treatment plan and end goals. You’ll also need to develop a plan for implementing all of the new controls. You may also need to consult with professional services firms with IT and security expertise to develop a new set of controls. In this plan, be sure to include the resources you would need to train pertinent employees.

For further guidance on how to design effective controls to mitigate risks, see the article "The Four Signs of an Effective Compliance Program".

9. Document the results

The final step in your risk assessment is to develop a report that documents all of the results of your assessment in a way that easily supports the recommended budget and policy changes.

Risk assessment reports can be highly detailed and complex, or they can contain a simple outline of the risks and recommended controls. Ultimately, what your report looks like depends on who your audience is, how deep their understanding of information security is, and what you think will be the most helpful in showing potential risks. The purpose of a risk assessment is to document your organizational risks and create a plan to address those risks to avoid encountering a risk without preparation.

Creating this report for senior management is the final step in this process and is crucial for communicating what they need to understand about information security risks. It’s important to note that assessing risks should be an ongoing process, not a one-time-only exercise. As your systems or your environment change, so will your information security risks.

IT Risk Assessment Template

To make it easier for you to document the results of your risk assessment, we’ve created an IT risk assessment template.

[Image: IT risk assessment template]

IT Risk Assessments Don’t Need to Be Complicated

Purpose-built risk register software makes it easy for risk owners to document everything that should go into a risk register, make updates to risks on the fly, visualize changes to risks, and communicate risk information to leadership teams.

Hyperproof offers a secure, intuitive risk register for everyone in your organization. With the application, risk owners from all functions and business units can document their risks and risk treatment plans. You can link risks to controls and gauge how much a specific risk has been mitigated by an existing control versus the residual risk that remains. With this clarity, your risk management, security assurance, and compliance teams can focus their energy on the risks you truly need to worry about.


With Hyperproof’s dashboard, you can see how your risks change over time, identify which risks and controls to pay attention to at a given moment, and effectively communicate the potential exposure for achieving strategic, operations, reporting, and compliance objectives to your executives.

If you can successfully bring together the parties necessary for a thorough risk assessment and account for all of the risks to your data, you’ll be taking a huge step toward earning your customers’ trust and protecting the sensitive data you’re entrusted with.
