Last month I wrote about Risk Management related to Information Technology. One of the primary steps in the risk management process is to conduct a risk assessment.
A Risk Assessment identifies both the internal and external factors that impact your critical business processes. It also helps you determine the seriousness of each factor and the likelihood of its occurrence.
First, begin by identifying your most critical business processes. It helps to segment them by your functional areas or departments. If you have branches or divisions, you may want to distinguish between processes that affect individual segments, and those that impact the business universally.
Once you have the processes identified, you can begin to collect information on threats. There’s a lot of public information available when it comes to natural and broadly impacting events. Your own staff and your vendor-partners are also an excellent source for specific events.
When looking at threats, come at each one from two points of view. The first is “likelihood”: how frequently does an event like this occur? The second is “severity”: if that event occurs, what is it going to do to your business? Will you be closed? Lose customers? Money? Reputation? Severity is not static. The longer a vulnerability goes unaddressed, the more likely it is that its severity will increase over time.
If you’re not sure about likelihood or severity, conducting a vulnerability analysis can help.
Once your risk analysis is complete, it’s time to summarize your findings in a report and present it to management. Before you present, you should also have recommended mitigation activities that include actions, time frame, resource requirements and budget. Your mitigation responses are going to be a combination of Protective Measures, Mitigation Measures, Recovery Activities, and Contingency Plans.
How much or how little attention and budget is committed to each vulnerability depends on your likelihood and severity analysis.
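As a concrete illustration of the likelihood-and-severity analysis described above, here is a small risk-register script. It is an added example, not part of the original article or PEI's own tooling. It uses the five-level qualitative scales NIST SP 800-30 Rev. 1 applies in Appendix I; the likelihood/impact matrix below is transcribed from memory of Table I-2 and should be checked against the published table before use. The register entries are constructed sample data, not real findings.

```python
"""Score and rank a qualitative risk register (added example, not the article's own code).

Likelihood and severity (impact) each take one of five levels. The combination
is looked up in a matrix patterned on NIST SP 800-30 Rev. 1, Appendix I, Table I-2
(transcribed from memory; verify against the published table). The ranked output
is what you would carry into the management report and mitigation budget.
"""
from dataclasses import dataclass
from collections import defaultdict

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows are likelihood, columns are severity/impact, both ordered as in LEVELS.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",  "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",  "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High", "Very High"],
}


@dataclass(frozen=True)
class Risk:
    process: str      # critical business process affected
    threat: str       # threat or event
    likelihood: str   # one of LEVELS
    severity: str     # one of LEVELS


def risk_level(likelihood: str, severity: str) -> str:
    """Combine likelihood and severity into a qualitative risk level."""
    if likelihood not in LEVELS or severity not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(severity)]


def rank_register(register: list[Risk]) -> list[tuple[str, Risk]]:
    """Return (risk level, risk) pairs, highest risk first.

    Ties on risk level are broken by severity, then likelihood, so the
    items that would hurt the business most surface first in the report.
    """
    scored = [(risk_level(r.likelihood, r.severity), r) for r in register]
    scored.sort(
        key=lambda pair: (
            -LEVELS.index(pair[0]),
            -LEVELS.index(pair[1].severity),
            -LEVELS.index(pair[1].likelihood),
        )
    )
    return scored


def summarize_by_level(register: list[Risk]) -> dict[str, list[str]]:
    """Group threats by risk level for the management summary."""
    summary: dict[str, list[str]] = defaultdict(list)
    for level, risk in rank_register(register):
        summary[level].append(f"{risk.process}: {risk.threat}")
    return dict(summary)


# Constructed sample register (hypothetical processes and threats).
SAMPLE_REGISTER = [
    Risk("Order processing", "Ransomware on file server", "Moderate", "Very High"),
    Risk("Payroll", "Regional flood at headquarters", "Low", "High"),
    Risk("Customer portal", "Credential stuffing", "High", "Moderate"),
    Risk("Email", "Phishing of staff", "Very High", "Low"),
]

if __name__ == "__main__":
    for level, risk in rank_register(SAMPLE_REGISTER):
        print(f"{level:10} {risk.process:18} {risk.threat}")
```

The ordering is the point: an event that happens constantly but costs little (phishing in the sample) ranks below a rare event with a large impact, which is the kind of result that is easy to get backwards when teams weigh frequency alone.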
For more information on Risk Assessment, the National Institute of Standards and Technology (NIST) developed a very helpful and comprehensive guide for conducting risk assessments, Special Publication 800-30 Revision 1. It can be found at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Tim Krueger, PEI