Risk assessment is the process that identifies hazards, analyzes and evaluates the risk associated with each hazard, and determines appropriate ways to eliminate or control the hazard. In practical terms, a risk assessment is a thorough look at a workplace to identify those things, situations, processes, etc. that may cause harm, particularly to people. After identification is made, you evaluate how likely and severe the risk is, and then decide what measures should be in place to effectively prevent or control the harm from happening.

Risk assessments are not easy, and they are not meant to be. If companies could easily identify and understand all the types of risks to their business and could evaluate how to effectively mitigate those risks, then the world would be a much more boring place.

Fundamentally, while different titles are used across formal methodologies, the expected end result is still the same: to understand what risks exist to your business and to have a solid understanding of the likelihood and impact of a realized risk.

Too often I see that an information technology or information security team member is assigned to conduct a risk assessment that naturally, because of their role in the organization, becomes IT-focused. While there are some technology-specific risks that are adequately addressed in this manner, the intent I am focusing on is an organizational risk assessment. Information security/technology teams usually do not know the business processes and will focus their efforts on specific threats and technology, and then are unable to justify, in business terms, the need for new security products.

On the other side of the fence, business personnel will know their processes and what data is important to them, but most likely have little knowledge of the technology supporting their processes. This can result in "risk reducing" proposals for complicated process changes that may not be needed if new technical tools can be introduced. Bringing the teams together and bridging that knowledge gap is a key step in conducting a thorough risk assessment.

To solve this issue, it is best to have a team dedicated to risk management for an organization. As an organization gets bigger, it may be appropriate to have a team, or members of a team, assigned to different business units. While this team may be charged with drafting the formal risk assessment report(s), the purpose of this team should not be to conduct the risk assessment, but to bring together the appropriate business and technical stakeholders and facilitate the risk assessment process.

Whoever is responsible for facilitating the risk assessment should be able to establish with the organization that protecting data is the primary goal, and that all of the people, processes, hardware, software and other technology are tools used to do something with the data. Once the premise of the assessment is understood and sensitive data elements are identified, then it is time to bring teams together to link the business processes that access the sensitive data with the technology used to support those processes, and to evaluate where risks are present. Once this is complete, the teams can define and evaluate controls that are appropriate for the protection of the data.

In order to properly determine what the right level of protection is for your organization, and to make the sound business case needed to get the tools and resources to meet that level of protection, you need to know both the operational risks and the technology risks exposed within your organization. Operational risks can include compliance, financial and reputational risks (i.e., what happens if data is exposed, lost or manipulated), and technology risks include all risks related to the use of IT (i.e., how do we ensure only authorized users have access to data, or how do we detect data loss or manipulation).