You can’t defend your organization if you don’t know what threats, vulnerabilities, and risks it faces. That’s why risk assessment is such an important part of risk management. We’ll cover the definition and step-by-step process below.

What is risk assessment?

Risk assessment is a process for identifying risks to organizational operations, assets, and individuals and assessing the likelihood they will occur and the harm that would arise if they did occur.

Risk assessment is a key part of risk management and incorporates threat and vulnerability management.

What is the purpose of risk assessment?

The purpose of risk assessment is to identify:

  • Threats to your organization
  • Internal and external vulnerabilities
  • The adverse impact that may occur if those threats exploit those vulnerabilities 
  • The likelihood that this adverse impact will occur

Based on these results, you can determine risk and then respond to it.

Risk assessment process

Below is a high-level overview of the risk assessment process described in NIST 800-30, Guide for Conducting Risk Assessments. 

1. Prepare for assessment

The first step is preparing — or establishing context — for the risk assessment. This context should be informed by the results of the previous step in the risk management process, risk framing.

Preparation should include identifying:

  • The purpose of the assessment
  • The scope of the assessment
  • The assumptions and constraints associated with the assessment
  • The sources of information to be used as inputs to the assessment
  • The risk factors, tools, and techniques that will be used during the assessment 

2. Identify threat sources and events

Now it’s time to conduct the risk assessment. 

To start, identify threat sources and events. Threat sources vary by type such as adversarial, accidental, structural, and environmental. Examples of threat sources include insiders, outsiders, IT equipment, software, and natural or man-made disasters. Examples of threat events that may be initiated by the sources described above are phishing attacks, Denial of Service attacks, and obtaining sensitive information via exfiltration. 

Threats should be identified for each asset in your asset inventory. Because threats are circumstances or events that can compromise the confidentiality, integrity, and/or availability of an asset by exploiting both known and unknown vulnerabilities, the next step in the risk assessment process is identifying as many known vulnerabilities as possible.

3. Identify vulnerabilities and predisposing conditions

Next, identify vulnerabilities, that is, attributes of an asset that can be exploited by threat events.

Organizations should also consider predisposing conditions that affect the likelihood that threat events, once initiated, will result in harm. There are different types of predisposing conditions, including information-related, technical, operational, and environmental. As an example, the location of a facility in a hurricane-prone region increases the likelihood of exposure to hurricanes. 

Vulnerabilities can be managed by implementing security controls or other remediation. The severity of a vulnerability will be determined in part by whether a security control or other remediation is implemented or planned and effective. 

4. Determine likelihood of threat events causing harm

Next, analyze the likelihood that a specific threat is capable of exploiting a specific vulnerability. This typically requires three steps.

First, assess the likelihood that adversarial threat events will be initiated and the likelihood that non-adversarial threat events will occur. You may then assign them qualitative or quantitative values.

Here’s an example of how you might assess the likelihood of threat events initiated by adversarial sources:

[Table: Risk assessment of likelihood of threat events causing harm]

Second, assess the likelihood that the threat event, once initiated or occurring, will result in harm. You can use the same qualitative and quantitative values as above. The descriptions will be similar as well. For example, the first row might say “If the threat event is initiated or occurs, it is almost certain to have adverse impacts.”

Finally, assess the overall likelihood of threat events by combining likelihood of occurrence and likelihood of resulting in adverse impact. Here’s an example of an assessment scale you may use to determine overall likelihood.

[Table: Risk assessment of overall likelihood of events]

5. Determine level of impact

This step is focused on assessing the level of impact or magnitude of harm that can be expected when threat events successfully exploit vulnerabilities and result in unauthorized disclosure, modification, or destruction of information or loss of information or information system availability.

There are multiple types of impact, including harm to operations, harm to assets, and harm to individuals. Examples of impact are inability to perform current business functions, loss of intellectual property, injury, and identity theft.

Here’s an example of how you might assess the impact of threat events:

[Table: Risk assessment of impact of threat events]

6. Determine risk

You’re now ready to determine risk by considering the likelihood of threat events occurring and the impact that would result from the events.

Here’s an example of an assessment scale you may use to determine level of risk:

[Table: Assessment scale for determining overall level of risk]
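Steps 4 to 6 are a mechanical combination once the scales are fixed, so here is an added worked example (not code from the original article, nor from Secureframe) that carries one constructed phishing scenario through overall likelihood, inherent risk, and residual risk after a planned control. The two lookup matrices are modelled on the qualitative scales in NIST SP 800-30 Rev. 1 (Appendix G, Table G-5 and Appendix I, Table I-2); treat their cell values as an assumption to verify against the standard or replace with your organization’s own scale. The scenario values, the `RiskScenario` class and the helper names are all hypothetical.

```python
"""Worked example of NIST SP 800-30 style risk determination (steps 4-6).

Added example, not the article's own code. The scales and matrices below
are modelled on NIST SP 800-30 Rev. 1 Tables G-5 and I-2; the cell values are
an assumption to check against the standard or swap for your own scale.
"""
from dataclasses import dataclass, replace

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Step 4c: overall likelihood.
# Row: likelihood the threat event is initiated or occurs.
# Column (in LEVELS order): likelihood the event, once initiated, causes harm.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low",      "Moderate", "High",     "Very High", "Very High"],
    "High":      ["Low",      "Moderate", "Moderate", "High",      "Very High"],
    "Moderate":  ["Low",      "Low",      "Moderate", "Moderate",  "High"],
    "Low":       ["Very Low", "Low",      "Low",      "Moderate",  "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low",      "Low",       "Low"],
}

# Step 6: level of risk. Row: overall likelihood. Column: level of impact.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
}


def _check(level):
    """Reject values outside the agreed scale so a typo cannot silently
    become a 'Very Low' row lookup."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return level


def overall_likelihood(initiation, adverse_impact):
    """Combine likelihood of initiation/occurrence with likelihood of harm."""
    return OVERALL_LIKELIHOOD[_check(initiation)][LEVELS.index(_check(adverse_impact))]


def risk_level(likelihood, impact):
    """Combine overall likelihood with impact into a level of risk."""
    return RISK_LEVEL[_check(likelihood)][LEVELS.index(_check(impact))]


@dataclass(frozen=True)
class RiskScenario:
    """One threat event against one asset via one vulnerability (hypothetical)."""
    asset: str
    threat_event: str
    vulnerability: str
    likelihood_initiation: str     # step 4a
    likelihood_adverse_impact: str  # step 4b, shaped by predisposing conditions/controls
    impact: str                     # step 5

    def assess(self):
        likelihood = overall_likelihood(self.likelihood_initiation,
                                        self.likelihood_adverse_impact)
        return {"overall_likelihood": likelihood,
                "risk": risk_level(likelihood, self.impact)}


def assess_with_control(scenario, adverse_impact_after_control):
    """Inherent risk beside residual risk, where a planned control lowers the
    likelihood that the event results in harm (the vulnerability severity
    point from step 3)."""
    treated = replace(scenario, likelihood_adverse_impact=adverse_impact_after_control)
    return {"inherent": scenario.assess(), "residual": treated.assess()}


def prioritize(scenarios):
    """Order scenarios highest risk first; this list feeds the risk response step."""
    return sorted(scenarios, key=lambda s: LEVELS.index(s.assess()["risk"]), reverse=True)


# Constructed sample scenario; the ratings are illustrative, not from the article.
PHISHING = RiskScenario(
    asset="Employee email accounts",
    threat_event="Phishing attack",
    vulnerability="Passwords accepted without a second factor",
    likelihood_initiation="Very High",
    likelihood_adverse_impact="Moderate",
    impact="High",
)

if __name__ == "__main__":
    # Enforcing a second factor is modelled as dropping the likelihood of harm to Very Low.
    print(assess_with_control(PHISHING, "Very Low"))
```

Running the module prints the inherent result (overall likelihood High, risk High) beside the residual one (overall likelihood Low, risk Low). The point of keeping both matrices as data rather than arithmetic is that the scale is an organizational decision; changing it is an edit to the table, not to the logic, which is what makes assessments reproducible across teams.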

7. Communicate results

The risk assessment process should involve ongoing communications and information sharing among stakeholders. This helps ensure that the risk factors being assessed are accurate, that intermediate results may be used to answer specific questions or inform specific decisions if necessary, and that the final results are meaningful and useful for informing the next step of the risk management process (i.e., risk response).

How you communicate risk assessment results depends on your organizational culture as well as any legal, regulatory, and contractual requirements. Having policies and procedures in place can help ensure that these results are effectively communicated and shared. 

8. Maintain assessment

The final step of the risk assessment process is maintaining risk assessments. This involves:

  • Monitoring risk factors identified in risk assessments on an ongoing basis
  • Understanding changes to those factors
  • Updating the components of risk assessments, like purpose, scope, and assumptions, to reflect the monitoring activities above

Risk assessment methodology

A risk assessment methodology is typically made up of the following:

  1. A risk assessment process: The step-by-step process of identifying, estimating, and prioritizing risks to organizational operations, organizational assets, and individuals.
  2. A risk model: A risk model defines risk factors and the relationships among those factors. Risk factors are characteristics that help determine levels of risk during the assessment process. Common risk factors are threat, vulnerability, likelihood, impact, and predisposing conditions.
  3. An assessment approach: An assessment approach is how you assess risk and its contributing factors. Common assessment approaches are quantitative and qualitative. This approach should specify the range of values those risk factors can assume during the risk assessment and how combinations of risk factors are identified or analyzed so that their values can be combined to evaluate risk. 
  4. An analysis approach: An analysis approach is how you assess risks, to what level of detail, and how you treat risks due to similar threat scenarios. Common analysis approaches are threat-oriented, impact-oriented, or vulnerability-oriented.

Risk assessment methodologies are a key component of an organization’s risk management strategy. As part of that strategy, an organization may use a single methodology or several.

By explicitly defining a risk assessment methodology and all its parts, organizations can make risk assessments easier to reproduce and repeat, which will improve the quality of the data they get from those assessments. 

Risk assessment template

Use the template below as a starting point for assessing risks. It is tailored for non-adversarial risk, but you can use it to assess adversarial risk by replacing “range of effects” with “threat source characteristics.”

Risk assessment software

Risk assessment software can help simplify and streamline the risk assessment process. In addition to helping ensure each risk is assessed and reported in a consistent and repeatable manner, risk assessment software can also help save you time brainstorming categories, conducting risk formula math, or manually analyzing risks. 

Secureframe, for example, has a robust workflow that walks you through the risk assessment process step by step for both built-in risks from the risk library and custom risks. To start, you’ll be prompted to fill out required fields for each risk, including a risk description, risk ID, and risk owner. You can also assign it to categories, departments, and tags. Then you’ll be prompted to pick the impact and likelihood of each risk using either Secureframe’s default scoring model or a custom scoring model that you set up. Based on these inputs, an inherent risk score will be calculated automatically. Next, you can select a treatment decision type and change the impact and likelihood of the residual risk based on that treatment, if possible. Based on these inputs, a residual risk score will be calculated automatically. 

Or you can use Comply AI for Risk to automate this workflow. This eliminates manual analysis and provides almost instantaneous insights into each risk based on the risk description and company information, including its potential impact, likelihood, and recommended treatment, with clear justifications for each output. These insights enable organizations to make fast and educated decisions to improve their risk management program and strengthen their security posture. 
