Definition

risk assessment

Contributor(s): Bianca Rawson, Ben Cole

Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify these inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations.

Companies can use a risk assessment framework (RAF) to prioritize and share the details of the assessment, including any risks to their information technology (IT) infrastructure. The RAF helps an organization identify potential hazards and any business assets put at risk by these hazards, as well as potential fallout if these risks come to fruition.

In large enterprises, the risk assessment process is usually conducted by the Chief Risk Officer (CRO) or a Chief Risk Manager (CRM).

Risk assessment steps
How a risk assessment is conducted varies widely depending on the risks unique to the type of business, the industry that business is in and the compliance rules applied to that given business or industry. However, there are five general steps that companies can follow regardless of their business type or industry.

Step 1: Identify the hazards. The first step in a risk assessment is to identify any potential hazards that, if they were to occur, would negatively influence the organization's ability to conduct business. Potential hazards that could be considered or identified during risk assessment include natural disasters, utility outages, cyberattacks and power failure.

Step 2: Determine what, or who, could be harmed. After the hazards are identified, the next step is to determine which business assets would be negatively influenced if the risk came to fruition. Business assets deemed at risk to these hazards can include critical infrastructure, IT systems, business operations, company reputation and even employee safety.

Step 3: Evaluate the risks and develop control measures. A risk analysis can help identify how hazards will impact business assets and the measures that can be put into place to minimize or eliminate the effect of these hazards on business assets. Potential hazards include property damage, business interruption, financial loss and legal penalties.

Step 4: Record the findings. The risk assessment findings should be recorded by the company and filed as easily accessible, official documents. The records should include details on potential hazards, their associated risks and plans to prevent the hazards.

Step 5: Review and update the risk assessment regularly. Potential hazards, risks and their resulting controls can change rapidly in a modern business environment. It is important for companies to update their risk assessments regularly to adapt to these changes.

Risk assessment tools, such as risk assessment templates, are available for different industries. They might prove useful to companies developing their first risk assessments or updating older assessments.

Quantitative vs. qualitative

Risk assessments can be quantitative or qualitative. In a quantitative risk assessment, the CRO or CRM assigns numerical values to the probability an event will occur and the impact it would have. These numerical values can then be used to calculate an event's risk factor, which, in turn, can be mapped to a dollar amount. 

Quantitative risk assessment example
This table illustrates an example of a quantitative assessment.

Qualitative risk assessments, which are used more often, do not involve numerical probabilities or predictions of loss. The goal of a qualitative approach is to simply rank which risks pose the most danger.

The goal of risk assessments

Similar to risk assessment steps, the specific goals of risk assessments will likely vary based on industry, business type and relevant compliance rules. An information security risk assessment, for example, should identify gaps in the organization's IT security architecture, as well as review compliance with infosec-specific laws, mandates and regulations.

Some common goals and objectives for conducting risk assessments across industries and business types include the following:

  • Developing a risk profile that provides a quantitative analysis of the types of threats the organization faces.
  • Developing an accurate inventory of IT assets and data assets.
  • Justifying the cost of security countermeasures to mitigate risks and vulnerabilities.
  • Developing an accurate inventory of IT assets and data assets.
  • Identifying, prioritizing and documenting risks, threats and known vulnerabilities to the organization's production infrastructure and assets.
  • Determining budgeting to remediate or mitigate the identified risks, threats and vulnerabilities.
  • Understanding the return on investment, if funds are invested in infrastructure or other business assets to offset potential risk.
Risk matrix example
A risk matrix is a qualitative tool for sharing a risk assessment.

The ultimate goal of the risk assessment process is to evaluate hazards and determine the inherent risk created by those hazards. The assessment should not only identify hazards and their potential effects, but should also identify potential control measures to offset any negative impact on the organization's business processes or assets.

This was last updated in June 2017

Continue Reading About risk assessment

Dig Deeper on Risk management and compliance

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How have risk assessments changed as modern companies have become increasingly digitized?
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCIO

SearchHealthIT

SearchCloudComputing

SearchDataCenter

SearchDataManagement

SearchSecurity

Close