How to conduct a risk assessment for information management companies. Fairly general and most of the presentation is applicable to a much broader audience.

1. INFORMATION
MANAGEMENT RISK
ASSESSMENT
Presented by Jim Booth,
Brightstone Consulting
jbooth@brightstoneconsulting.com

2. Why focus on Information Security & Risk
Assessment?
• Regulatory compliance
• HIPAA
• PCI DSS
• SOX
• Insurance Requirement for E&O/Cyber
coverage
• Red Flags Rule

3. Why focus on Information Security & Risk
Assessment?
•Operational improvement
•SOPs can be revised to reduce risk
•Training objectives are easier to
focus
•Employees can be a part of solution
– goal is clear

4. What is involved in a Risk Assessment
process?
• Review risks to the operation that could
interrupt or degrade business operations
• Rank the risks in terms of their probability
• Rank the risks in terms of their impact
• Identify current mitigation strategies in place
• Identify additional mitigation strategies needed
to reduce the probability and/or impact of risks
• Create priorities and assign resources and
deadlines
• Implement and review

5. Risk assessment plan
• Identify objectives of the risk assessment program
• Outline the steps of the risk assessment process
• Define how the information gained is captured
• Create a process for defining mitigation strategies and
implementing those steps
• Identify how the risk assessment report will be used by
other business units and groups within the organization
• Record how the plan is updated and how the review
process/cycle operates

6. Risk assessment survey
• Survey instrument should contain natural and man-made
risks
• Should deal with more than disaster – business
interruption, including items like power loss or loss of
Internet connectivity should be included
• Loss of critical personnel should be included as a risk
• Measurement should record both the likelihood of
occurrence (probability) and the severity of the event
(impact)

7. Quick exercise
• Fire
• Flood
• Employee Error
• Probability Rating Scale = 1(low) to 5 (high)
• Impact Rating Scale = 1(low) to 5 (high)
• Rank it
• Mitigation strategy

8. Example – assessing risk of fire
• You conducted an internal survey asking employees to rank various
risks.
• Employees ranked fire risk probability as 4 out of 5 and impact as 5
out of 5 for a combined score of 4.5 out of 5.
• Existing mitigation strategy assessment identifies:
• Sprinklers
• Central station monitoring
• Fire extinguishers
• Overall mitigation is seen to reduce the combined score by .5
• Employees identify additional steps to further mitigate risk
• Fire extinguisher training
• Fire drill and evacuation in cooperation with fire department
• Score of additional steps by risk assessment team is additional
.5 reduction in risk for overall risk score of 3.5

9. Example, implementation
• Employee assigned to identify vendor to train employees
in fire extinguisher use
• Resources allocated to pay for training, or budgeted in
future period for training
• Employee with emergency liaison role with first
responders arranges for fire drill with cooperation of fire
department
• Employees trained in appropriate fire response and
evacuation procedures
• Fire drill conducted with fire department cooperation
• Fire extinguisher training conducted at time identified

10. Report creation
• Capture all risk measurements and survey data
• Capture methodology and rationale for truncating the list
to a limited number of actionable elements
• Capture any additional information or resources shared
with risk assessment team
• Assign an individual responsibility for each mitigation
element identified and prioritized for action by the team
• Assign a deadline for action for each mitigation element
• Identify the chain of accountability and periodic reporting
requirements for implementation of elements
• Capture completion dates and any additional results

11. QUESTIONS?
Jim Booth, CAE, Brightstone Insurance and Brightstone
Consulting Services
jbooth@brightstoneins.com 919-696-7754