Risk identification is the process of identifying and assessing threats to an organization, its operations and its workforce. For example, risk identification may include assessing IT security threats such as malware and ransomware, accidents, natural disasters and other potentially harmful events that could disrupt business operations. Companies that develop robust risk management plans are likely to find they’re able to minimize the impact of threats if and when they occur.
Risk Identification Process Steps
There are five core steps within the risk identification and management process. These steps include risk identification, risk analysis, risk evaluation, risk treatment and risk monitoring.
- Risk Identification
The purpose of risk identification is to reveal the what, where, when, why and how something could affect a company’s ability to operate. For example, a business located in central California might include “possibility of wildfire” as an event that could disrupt business operations.
- Risk Analysis
This step involves establishing the probability that a risk event might occur and the potential outcome of each event. Using the California wildfire example, safety managers might assess how much rainfall has occurred in the past 12 months and the extent of damage the company could face should a fire occur.
- Risk Evaluation
Risk evaluation compares the magnitude of each risk and ranks them according to prominence and consequence. For example, the effects of a possible wildfire may be weighed against the effects of a possible mudslide. Whichever event is determined to have the higher probability of happening and causing damage would rank higher.
- Risk Treatment
Risk treatment is also referred to as Risk Response Planning. In this step, risk mitigation strategies, preventative care and contingency plans are created based on the assessed value of each risk. Using the wildfire example, risk managers may choose to house additional network servers offsite, so business operations could still resume if an onsite server is damaged. The risk manager may also develop evacuation plans for employees.
- Risk Monitoring
Risk management is a continuous process that adapts and changes over time. Repeating the steps and continually monitoring their results helps ensure maximum coverage of known and unknown risks.
Evaluation of Risk
Risk evaluation is defined by the Business Dictionary as: “Determination of risk management priorities through establishment of qualitative and/or quantitative relationships between benefits and associated risks.”
So how does that relate to managed service providers or IT administrators?
Anyone responsible for a company’s data, server, network or software must perform a risk evaluation. A risk evaluation can help determine if those assets are at risk for a cyber attack, virus, data loss through natural disaster or any other threat.
The benefit of a risk evaluation is simple: it provides IT professionals with knowledge of where and how their business and reputation are at risk.
Performing a Risk Evaluation
A risk evaluation can be performed in five simple steps.
- Identify and prioritize assets
Consider all the different types of data, software applications, servers and other assets that are managed. Determine which of these is the most sensitive or would be the most damaging to the company if compromised.
- Locate assets
Find and list the source of those assets. Be it desktop office computers, mobile devices, internal servers or anything else, you’ll want to trace each asset back to its source.
- Classify assets
Categorize each asset as one of: public information, sensitive internal information, non-sensitive internal information, compartmentalized internal information or regulated information.
- Perform a threat modeling exercise
Identify and rate all the threats faced by your top-rated assets. Microsoft’s STRIDE method (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) is a popular one.
- Finalize data and make a plan
Once you have your evaluation, it’s time to start tackling those risks, beginning with the most critical.
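The five evaluation steps above, and the probability-times-consequence ranking from the "Risk Evaluation" step of the process, can be captured in a small risk register. The following is an added example written for this page, not code from the original article or from Microsoft's STRIDE material: the asset names, locations, impact weights per classification and the treatment thresholds are all constructed assumptions that an organization would replace with its own.

```python
"""Added example: a small risk register that walks the five evaluation steps.

Assets are inventoried, located and classified, STRIDE threats are attached to
them, each threat is scored as likelihood x impact, and the register is ranked
so treatment starts with the most critical entry. All names and weights below
are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    """Asset classes from the text, ordered from least to most damaging if compromised."""
    PUBLIC = "public"
    NON_SENSITIVE_INTERNAL = "non-sensitive internal"
    SENSITIVE_INTERNAL = "sensitive internal"
    COMPARTMENTALIZED_INTERNAL = "compartmentalized internal"
    REGULATED = "regulated"


# Assumed impact weights (1..5) per classification; an organization would set its own.
IMPACT_WEIGHT = {
    Classification.PUBLIC: 1,
    Classification.NON_SENSITIVE_INTERNAL: 2,
    Classification.SENSITIVE_INTERNAL: 3,
    Classification.COMPARTMENTALIZED_INTERNAL: 4,
    Classification.REGULATED: 5,
}

# The six STRIDE threat categories.
STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of service", "Elevation of privilege",
)


@dataclass(frozen=True)
class Asset:
    name: str
    location: str                   # step 2: where the asset lives
    classification: Classification  # step 3: how sensitive it is


@dataclass(frozen=True)
class Threat:
    asset: Asset
    category: str     # a STRIDE category (step 4)
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), from the risk analysis step

    def __post_init__(self) -> None:
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        if not 1 <= self.likelihood <= 5:
            raise ValueError("likelihood must be 1..5")

    @property
    def impact(self) -> int:
        # Consequence is driven by the classification of the affected asset.
        return IMPACT_WEIGHT[self.asset.classification]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment_priority(score: int) -> str:
    """Assumed thresholds on the 1..25 score; tune to the organization's risk appetite."""
    if score >= 15:
        return "treat immediately"
    if score >= 8:
        return "plan mitigation"
    return "monitor"


def build_register(threats: list[Threat]) -> list[dict]:
    """Rank by score, then impact, so ties go to the more sensitive asset (step 5)."""
    ranked = sorted(threats, key=lambda t: (-t.score, -t.impact, t.asset.name, t.category))
    return [
        {
            "asset": t.asset.name,
            "location": t.asset.location,
            "threat": t.category,
            "likelihood": t.likelihood,
            "impact": t.impact,
            "score": t.score,
            "priority": treatment_priority(t.score),
        }
        for t in ranked
    ]


# Constructed sample inventory and threats (not real systems).
CUSTOMER_DB = Asset("customer-db", "onsite server room", Classification.REGULATED)
PAYROLL_SHARE = Asset("payroll-share", "internal file server", Classification.SENSITIVE_INTERNAL)
MARKETING_SITE = Asset("marketing-site", "cloud web host", Classification.PUBLIC)

SAMPLE_THREATS = [
    Threat(CUSTOMER_DB, "Information disclosure", "ransomware operator exfiltrates records", 3),
    Threat(CUSTOMER_DB, "Denial of service", "wildfire destroys the onsite server", 2),
    Threat(PAYROLL_SHARE, "Elevation of privilege", "stale admin account still enabled", 4),
    Threat(MARKETING_SITE, "Tampering", "public site defaced", 4),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f"{row['score']:>2}  {row['priority']:<18} {row['asset']:<15} {row['threat']} ({row['location']})")
```

Running the script prints the register with the regulated customer database's disclosure threat on top (score 15) and the public website's defacement at the bottom (score 4), which is the order in which treatment effort would be spent. Because impact comes from the asset's classification rather than being typed per threat, reclassifying an asset automatically re-ranks every threat against it, which keeps the register consistent as the monitoring step feeds back new information.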