In carrying out a risk assessment, it is critical that assessors consider the key risk assessment components of risk criteria, scope and tolerance. Without these elements, an assessment lacks the points of reference that make it relevant to its intended organisation and audience.
Key risk assessment component #1: Risk Criteria
At the commencement of a security risk assessment, assessors must define the risk criteria that will be utilised and referenced throughout the process. Assessors may consider the following:
- The amount and type of risk the organization may or may not take.
- Obligations and views of the stakeholders.
- Uncertainties that can affect outcomes and objectives.
- How we will measure and define likelihood and consequences.
- Timeframe and time-related factors.
- Measurement techniques and metrics.
- How the level of risk is to be determined.
- How combinations and sequences of multiple risks will be taken into account.
- The organization’s capacity and resources.
Key risk assessment component #2: Risk Assessment Scope
When conducting an assessment, scope considerations are critical; assessors may also consider:
- Expected outcomes.
- Timeframe for analysis.
- Geographic and virtual locations.
- Business units to be included.
- Inclusions and exclusions, including practice areas and domains (e.g. physical, ICT, safety, finance/fraud, etc.).
- Risk analysis tools and techniques.
- Records to be kept.
- Relationships to other groups.
- Projects, processes and activities.
Key risk assessment component #3: Risk Tolerance
Risk Tolerance can be articulated in whichever way is appropriate for each organization; the following is just one example.
The Australian Government Department of Finance recommends the following 10-step process for defining risk appetite and tolerance¹:
- Appoint a core reference group.
- Validate current risk categories.
- Review current risk profile.
- Build a risk appetite statement.
- Interview senior executive and define risk appetite statement.
- Engage with subject matter experts to build and refine risk tolerance statements.
- Senior executive review.
- Amend risk appetite and tolerance statements as required.
- Committee validation.
- Incorporate and communicate.
Julian is a SECTARA Advisory Board Member and, among many other things, the author of the Security Risk Management Body of Knowledge (SRMBoK). In recent times Julian contemplated how to take SRMBoK further, and in doing so publish a contemporary account of associated security models, principles and practices. The result is the Security Risk Management Aide Memoire (SRMAM), a book that is free to all SECTARA subscribers (yes, even on the free plan). This article is replicated from the SRMAM website with permission.
How to get started with SECTARA
If you see the same great benefits that we do in SECTARA, there are several methods to get started:
- Register for one of our Bronze, Silver or Gold Plans.
- Sign up to our absolutely Free Plan.
- Arrange an online demo.
- Contact us.