9 steps to a successful risk assessment
May 24 2020Few businesses are able to effectively function when IT systems fail, so completing regular risk assessments is a crucial way to defend against any worst-case scenario.
The importance of an IT risk assessment is often underestimated as daily IT demands pile up, and the sheer volume of ‘paperwork’ required can be daunting. To make the whole process easier, we’ve detailed the nine key steps that you as a CIO can take to ensure a smooth risk assessment in your organisation.
Why should you perform an IT risk assessment?
The purpose of an IT risk assessment is to ensure all vulnerabilities and shortfalls are addressed and managed properly.
“To survive and thrive amidst the uncertainty, complexity, and interconnectivity of the global business environment, organisations must improve resilience, anticipate and prepare for disruption if they hope to remain relevant and continue to serve their customers,” says Alla Valente, security and risks professionals analyst at Forrester.
“As part of the risk management strategy, the risk assessment is essential to help companies gain visibility into existing and emerging risk that threaten their critical assets (data, systems, processes, people), their operations, and their intellectual property.”
Risk assessments are particularly important for security teams and they should be performed regularly, with the findings shared with all relevant employees and board members.
An additional benefit to risk assessments is their potential to help keep costs under control and make auditing a lot easier.
Define every possible vulnerability
Before every risk assessment, there is a large quantity of necessary admin that goes along with it. You should set aside some time to create a document (you can find a decent variety of free templates online) detailing all the possible vulnerabilities and risk that could crop up.
Note down the possible threats to your IT network – whether that be ransomware, DDoS attacks, phishing or more severe malware attacks, the possible routes in, the most vulnerable people – and provide examples.
Your organisation might only fall victim to one or so of these attacks, but noting every possible malicious activity that could befall your business will help people outside of the IT department grasp the importance of regular maintenance of the IT department and IT audits and assessments.
“Risks are interconnected and unforeseen events often trigger a cascading effect. For example, an event such as a cyberattack starts in security, but can have a domino effect on compliance, resulting in fines and regulatory scrutiny, revenue loss and reputational damage,” says Valente.
Each possible risk identified requires a detailed review of the threat. Using real-life scenarios is an effective way of envisioning the possible consequences for the organisation.
A vulnerability assessment should be conducted by IT using both automated and manual tools to identify any areas of weakness that should be classified as at-risk areas. A security risk assessment checklist and an audit checklist are useful tools to help review the risks, while web-based tools offer more advanced means to compute them.
The assessment should note the current security situation covering the protection in place and any gaps that may not be covered.
Communicate your plans and gather relevant stakeholders
It’s easy to think that a risk assessment is only relevant to the people directly involved. However, you should consider explaining the procedures and the possible impact of its outcome, whatever that may be, to everyone in the whole department.
A risk management procedure will be easiest to implement with the right people involved. Set an advisory committee to include representatives of every area of the business where risks could be contained, and any individuals who could know how to contain it.
Offering a meeting to give an overview to everyone in your team or dropping them an email is not only good practice, but it should make everyone ready for any interferences in schedules or unfamiliar faces around the office.
As well as keeping the whole department and organisation in the loop, you should keep key people involved in the whole process and report your findings methodically throughout the assessment process.
Communication is key to ensure information isn’t lost or misunderstood.
Data collection
Any risk assessment starts with a review of the current infrastructure. Both hardware and software require an assessment of strengths and weaknesses. Assets with security risks should be inventoried and assessed by surveying the organisation and then sending the findings for review to the IT department.
Don’t forget that data is also an asset and can be subject to data privacy legislation, such as GDPR, and should be include in any IT risk assessment. Data includes a wide range of information, from HR records to clients’ private data.
“Data is the lifeblood of digital transformation,” Valente explains. “As companies innovate and accelerate their transformation journeys, data becomes the input and throughput of the digital experience. That creates new and additional risk for the business”
The results will form the basis of a review covering the purpose, scope, data flow and responsibilities expected in the risk assessment.
Risk analysis
Any danger areas discovered then need to have a strategy put in place to protect them from serious consequences.
The specific vulnerability, the threat to it and the probability of it occurring should all be analysed for each specific area.
Aspects to look out for include the likelihood and magnitude of harm from any unwanted access to the systems and information they process.
Recommendations and departmental review
The resulting recommendations of an IT risk assessment should then be listed in a report and issued to all the relevant stakeholders. Content will include the findings from those conducting the assessment and the selected response strategy.
Each department that receives the report will be expected to review the risks it describes. They should then devise their own strategy to reduce or avoid the dangers based on the nature of the business and the specific risks.
Risk mitigation plan
The strategy will only be effective when integrated in a risk mitigation plan by the department that established it.
This plan should include a timeline to follow when implementing the mitigation procedure. Once composed it will be sent to IT for review.
Any risk mitigation plan should also take into account third party relationships, partnerships and integrations, especially when data is involved over which you don’t have direct visibility into.
“It’s not enough to assess risks that impact your enterprise, companies must do a better job at assessing risks that impact third-party relationships,” adds Forrester’s Valente.
“Firms are working with more third parties than ever, and while companies have little or no control over how third parties secure their IT, but are fully responsible for security incidents that occur because of the relationship.”
Implement
The resulting risk assessment policy will guide planning for future controlling of risk. This will cover how to eliminate the possibility of incidents occurring and the consequences when it happens.
The impact on third parties such as insurance companies and warranties should also be included. Each department is responsible for ensuring compliance, and should review findings at least annually, and whenever a new risk emerges from changes to systems.
Review and maintenance
The IT team should regularly assess the risk mitigation plan to ensure it is comprehensive and effective. Each step on the plan needs to be reviewed and approved. Further additions or modifications can then be made if required.
A proactive approach to risk management will build the most effective barriers to threats, so any resource using IT resources should be reviewed for dangers periodically.
A typical timeline for repeating the risk assessment involves a review of the policy at least every two years, but the exact scheduling for future assessments should be determined by the CIO. Any additional assessments to review emerging risks should be conducted as required.
