Risk assessment is the process of determining risks to the organization. These risks may involve IT systems, buildings, assets, and even people.
Risk Analysis Terms
- Risk - A combination of the chance that an undesired event will occur and how bad or damaging that event would be. The greater the damage, or the greater the possibility of damage, the greater the risk. Risk = sum of (threat * probability * impact) across all threats. Vulnerabilities increase the probability of a threat materializing.
- Threat - An undesired event which may cause harm.
- Impact - The consequences of a threat that materializes, usually measured by the amount of damage.
- Vulnerability - A weakness which can provide a path to an undesirable consequence. More vulnerabilities increase the chance that a threat will materialize. Some vulnerabilities are worse than others, having a greater chance of allowing a threat to materialize.
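The formula above can be turned into a small risk register that ranks threats by their contribution and shows which vulnerability removal buys the most risk reduction. This is an added worked example, not part of the original text. The register entries, the 0..1 likelihood and probability scales, the currency impact figures, and the rule that each vulnerability multiplicatively shrinks the chance of the threat failing are all constructed assumptions chosen to illustrate how the terms combine.

```python
"""Worked example of Risk = sum of (threat * probability * impact).

Added illustration; the sample register and the vulnerability model are
constructed assumptions, not figures from the source text.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Threat:
    name: str
    likelihood: float      # chance the threat is attempted, 0..1 (assumed scale)
    probability: float     # base chance an attempt succeeds with no known weaknesses, 0..1
    impact: float          # damage if it succeeds, in currency units (constructed)
    # known weaknesses as (name, weight); weight 0..1 is how much the weakness helps the threat
    vulnerabilities: list = field(default_factory=list)


def effective_probability(threat: Threat) -> float:
    """Raise the base probability for each vulnerability, capped at 1.0.

    Assumed model: a vulnerability of weight w leaves a (1 - w) chance of not
    helping the threat, so the chance the threat fails to materialize shrinks
    multiplicatively with every additional weakness.
    """
    fail = 1.0 - threat.probability
    for _, weight in threat.vulnerabilities:
        fail *= 1.0 - weight
    return min(1.0, 1.0 - fail)


def threat_risk(threat: Threat) -> float:
    """Risk contribution of one threat: threat * probability * impact."""
    return threat.likelihood * effective_probability(threat) * threat.impact


def total_risk(register) -> float:
    """Sum of the per-threat contributions, i.e. the organization's total risk."""
    return sum(threat_risk(t) for t in register)


def ranked(register):
    """Threats ordered from largest to smallest risk contribution."""
    return sorted(register, key=threat_risk, reverse=True)


def mitigation_value(threat: Threat, vuln_name: str) -> float:
    """Risk removed by fixing one named vulnerability (before minus after)."""
    remaining = [v for v in threat.vulnerabilities if v[0] != vuln_name]
    fixed = replace(threat, vulnerabilities=remaining)
    return threat_risk(threat) - threat_risk(fixed)


# Constructed sample register; every number below is illustrative.
REGISTER = [
    Threat("Ransomware on file server", 0.5, 0.2, 200_000,
           [("unpatched SMB service", 0.5), ("no offline backups", 0.25)]),
    Threat("Phishing leading to credential theft", 0.9, 0.1, 50_000,
           [("no MFA", 0.5)]),
    Threat("Office flooding", 0.05, 1.0, 100_000, []),
]

if __name__ == "__main__":
    for t in ranked(REGISTER):
        print(f"{t.name:40s} p_eff={effective_probability(t):.2f} risk={threat_risk(t):,.0f}")
    print(f"total risk: {total_risk(REGISTER):,.0f}")
    print(f"value of adding MFA: {mitigation_value(REGISTER[1], 'no MFA'):,.0f}")
```

Running it lists the threats in rank order, with the ransomware entry on top because two weaknesses push its effective probability from 0.2 to 0.7, and shows that removing the "no MFA" weakness alone takes roughly four fifths of the phishing contribution off the total. That per-mitigation comparison is what makes the register useful for deciding where to spend first.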
Risk to Business
Risk assessment should be approached from the standpoint of risks to the organization's business activities and assets. Risks should consider possible damage in the form of:
- Loss of the ability of the business to function.
- Loss of secrets, reputation, or money (for example through negligence).
- Damage to property or assets.
- Harm to members of the organization.
Risk Analysis Process
When doing a risk analysis in the Information Technology area, the primary consideration today is normally where the data is stored and how the organization uses it, because most business processes are now centered on the organization's data. It is important to keep the data available to authorized users while not allowing unauthorized people to access or change any data in a way that causes damage (impact).