Background

In carrying out a risk assessment, it is critical that assessors consider the key risk assessment components of risk criteria, scope and tolerance. Without these elements, an assessment lacks the points of reference that make it relevant to its intended organisation/audience.

Key risk assessment component #1: Risk Criteria

At the commencement of a security risk assessment, assessors must define the risk criteria that will be utilised/referenced in the conduct of the process. Assessors may consider the following:

  • The amount and type of risk the organization may or may not take.
  • Obligations and views of the stakeholders.
  • Uncertainties that can affect outcomes and objectives.
  • How we will measure and define likelihood and consequences.
  • Timeframe and time-related factors.
  • Measurement techniques and metrics.
  • How the level of risk is to be determined.
  • How combinations and sequences of multiple risks will be taken into account.
  • The organization’s capacity and resources.

Key risk assessment component #2: Risk Assessment Scope

When conducting an assessment, scope considerations are critical and assessors may also consider:

  • Objectives.
  • Expected outcomes.
  • Timeframe for analysis.
  • Geographic and virtual locations.
  • Business units to be included.
  • Inclusions and exclusions, including practice areas and domains (e.g. physical, ICT, safety, finance/fraud, etc.).
  • Risk analysis tools and techniques.
  • Resources.
  • Responsibilities.
  • Records to be kept.
  • Relationships to other groups.
  • Projects, processes and activities.

Key risk assessment component #3: Risk Tolerance

Risk Tolerance can be articulated in whichever way is appropriate for each organization; the following is just one example.

[Image: Sample Risk Tolerances]

The Australian Government Department of Finance recommends the following 10-step process for defining risk appetite and tolerance¹:

  1. Appoint a core reference group.
  2. Validate current risk categories.
  3. Review current risk profile.
  4. Build a risk appetite statement.
  5. Interview senior executive and define risk appetite statement.
  6. Engage with subject matter experts to build and refine risk tolerance statements.
  7. Senior executive review.
  8. Amend risk appetite and tolerance statements as required.
  9. Committee Validation.
  10. Incorporate and communicate.

¹ You can find implementation tips and more details at: Department of Finance, ‘Risk Resources’, 22 August 2017, https://www.finance.gov.au/sites/default/files/2019-11/case-study-defining-risk-appetite-and-tolerance.pdf. More guidance can be found at: https://www.finance.gov.au/government/comcover/risk-services/management

In considering these key security risk assessment components (adopting what is relevant and ignoring what’s not needed), assessors will be on solid ground when presenting their findings to stakeholders.

Julian Talbot

Julian is a SECTARA Advisory Board Member and, among many other things, the author of the Security Risk Management Body of Knowledge (SRMBoK). In recent times Julian contemplated how to take SRMBoK further, and in doing so publish a contemporary account of associated security models, principles and practices. The result is the Security Risk Management Aide Memoire (SRMAM), a book that is free to all SECTARA subscribers (yes, even on the free plan). This article is replicated from the SRMAM website with permission.
