Risk
Simply put, a risk is the possibility of a negative impact on practically anything: business, financial, security, and many other areas where risk may reside. A threat is something that can cause harm; a vulnerability is a weakness that a threat can exploit. Vulnerabilities can be managed, whereas a threat generally cannot (you cannot stop a thief from existing, but you can lock the door). Risk is managed by applying controls until it is reduced to a level the organization finds acceptable. Risk can exist at different levels in an organization, from a single piece of equipment to a whole department or division.
The likelihood that a threat will exploit a vulnerability depends on three things: whether the threat actually exists, whether the vulnerability is present, and how effective the controls already in place are. Controls reduce likelihood or impact; they rarely remove a risk entirely.
Risk Assessments
Risk assessments are conducted to identify risks and to determine, for each one, how likely it is to materialize and what the consequences would be if it did. The outcome lets an organization make informed decisions about which risks to treat first and how much to spend doing so. Some risk assessments are required by law, so they are also carried out to comply with those laws and regulations.
For example, there is a risk of a corporate laptop being lost by an employee. The likelihood is the probability that it will happen; the consequence/impact is the loss of the equipment and of the data on it. A risk assessment highlights this and lets mitigations be put in place, such as full-disk encryption and the ability to wipe the device remotely, so that even if the laptop is lost the data loss does not materialize.
Conducting an Assessment
There are various ways risk assessments are carried out, but the basic steps are below:
Identifying potential hazards (in security terms: threats and the vulnerabilities they could exploit)
Identifying who or what might be harmed by those hazards
Evaluating each risk (severity and likelihood) and deciding on suitable precautions
Implementing controls and recording your findings
Reviewing your assessment and re-assessing when anything changes
Risk assessments must be dynamic to be effective: they should be reviewed periodically and updated whenever new assets, threats or vulnerabilities appear. In cybersecurity things change at a fast pace, so the risk assessment must change with the risks.
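The steps above can be turned into a small risk register that scores each risk before and after controls and compares the result with the organization's acceptable level. This is an added example, not code from the original page; the 5x5 likelihood/impact scale, the rating bands, the control reductions and the two sample risks (the lost-laptop case from the text plus an unpatched VPN) are all constructed here for illustration and are not a prescribed standard.

```python
"""Semi-quantitative risk register: inherent score, residual score after controls,
and a treatment decision against a risk appetite (added example, assumed scheme)."""
from dataclasses import dataclass, field

# Assumed 5x5 scale: 1 = very unlikely / negligible, 5 = almost certain / severe.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    name: str
    reduces: str  # "likelihood" (preventive) or "impact" (containment/recovery)
    by: int       # points removed from the affected scale (assumed effectiveness)

    def __post_init__(self):
        if self.reduces not in ("likelihood", "impact"):
            raise ValueError(f"{self.name}: reduces must be 'likelihood' or 'impact'")
        if self.by < 0:
            raise ValueError(f"{self.name}: reduction cannot be negative")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.asset}: levels must be {SCALE_MIN}-{SCALE_MAX}")


def _clamp(level: int) -> int:
    # A threat still exists after controls, so residual levels never drop below 1.
    return max(SCALE_MIN, min(SCALE_MAX, level))


def inherent_score(risk: Risk) -> int:
    """Risk before any control is credited: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_levels(risk: Risk) -> tuple:
    """Likelihood and impact after subtracting each control's reduction."""
    like = risk.likelihood - sum(c.by for c in risk.controls if c.reduces == "likelihood")
    imp = risk.impact - sum(c.by for c in risk.controls if c.reduces == "impact")
    return _clamp(like), _clamp(imp)


def residual_score(risk: Risk) -> int:
    like, imp = residual_levels(risk)
    return like * imp


def rating(score: int) -> str:
    """Assumed bands on the 1-25 product: <=5 low, <=12 medium, else high."""
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def treatment(risk: Risk, appetite: int) -> str:
    """Accept if residual risk is within appetite, otherwise more controls are needed."""
    return "accept" if residual_score(risk) <= appetite else "treat further"


def build_register() -> list:
    """Constructed sample register (not real organizational data)."""
    laptop = Risk(
        asset="corporate laptop", threat="loss or theft by/from employee",
        vulnerability="portable device holding company data",
        likelihood=4, impact=4,
        controls=[
            Control("full-disk encryption", "impact", 2),
            Control("MDM remote wipe", "impact", 1),
            Control("user awareness training", "likelihood", 1),
        ],
    )
    vpn = Risk(
        asset="internet-facing VPN gateway", threat="remote exploitation",
        vulnerability="known vulnerability not yet patched",
        likelihood=5, impact=5,
        controls=[Control("7-day patch SLA", "likelihood", 2)],
    )
    return [laptop, vpn]


def assess(risks: list, appetite: int) -> list:
    """One register row per risk: inherent and residual scores, rating, decision."""
    rows = []
    for r in risks:
        rows.append({
            "asset": r.asset,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "rating": rating(residual_score(r)),
            "decision": treatment(r, appetite),
        })
    return rows


if __name__ == "__main__":
    for row in assess(build_register(), appetite=6):
        print(row)
```

In this scheme the laptop goes from an inherent score of 16 (high) to a residual 3 (low) and is accepted, while the VPN stays at 15 (high) even with a patching SLA, so it is flagged for further treatment; re-running the register after a new control is added or a new vulnerability appears is the periodic review the text calls for.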
Managing Risk
Risk can be managed in four different ways depending on the organization's risk appetite or objectives.