The objective of a risk evaluation is to determine the events that can adversely affect an organization and the damage such events can cause. This post covers a structured approach to risk evaluation and the key findings each step should produce.
A structured approach to risk evaluation involves four steps:
1. Asset and threat identification
Asset Identification:
- List and categorize your corporate assets
- Consider tangible, intangible, and transient assets
- Check the list for completeness; an asset that is not on the list will not be protected
Threat Identification (examine each of these areas for threats to the assets above):
- Policies and procedures
- Manufacturing processes
- Physical access security
- Computer systems and networks
- Marketing and customer interface
2. Quantification of potential losses
- Loss of use of computer accounts and systems
- Let marketing assess the cost of finding new customers or restoring a tarnished reputation
- Explore the effects on stock market valuation
- Look at recent events in your company and others in your sector
3. Assessment of vulnerabilities (how likely each threat is to be realized)
- Use historical data where it exists
- Make subjective estimates where it does not
- Apply a risk weighting system, then calculate and rank from most serious to least: Risk = Impact x Probability
4. Evaluation of solutions
There are many different ways to do this; one example is to place each risk in a probability/impact matrix and assign a treatment per quadrant:
- Low probability, Low impact – Accept
- High probability, Low impact – Manage
- High probability, High impact – Reduce
- Low probability, High impact – Plan
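The scoring in step 3 and the matrix in step 4 are simple enough to run over a small risk register. The following is an added example written for this post, not code from the original; the register entries, the loss figures, and the two thresholds that separate "High" from "Low" are constructed assumptions. It computes Risk = Impact x Probability for each asset/threat pair, ranks the register most serious first (breaking ties on impact so a rare, catastrophic event is not buried under a frequent, cheap one), and maps each entry to the Accept/Manage/Reduce/Plan treatment from the matrix above.

```python
from dataclasses import dataclass

# Treatment strategies taken from the matrix in step 4.
ACCEPT, MANAGE, REDUCE, PLAN = "Accept", "Manage", "Reduce", "Plan"


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # from asset identification (step 1)
    threat: str         # from threat identification (step 1)
    impact: float       # estimated loss if the event occurs (step 2), in currency units
    probability: float  # estimated annual likelihood, 0.0 to 1.0 (step 3)

    def risk(self) -> float:
        """Risk = Impact x Probability, i.e. the expected annual loss."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.asset}: probability must be between 0 and 1")
        if self.impact < 0:
            raise ValueError(f"{self.asset}: impact cannot be negative")
        return self.impact * self.probability


@dataclass(frozen=True)
class ScoredRisk:
    entry: RiskEntry
    risk: float
    treatment: str


def treatment(entry: RiskEntry, impact_threshold: float, probability_threshold: float) -> str:
    """Map an entry onto the probability/impact matrix from step 4.

    The thresholds are the 'risk weighting system' from step 3: they decide
    what counts as High versus Low and are an organizational choice.
    """
    high_impact = entry.impact >= impact_threshold
    high_probability = entry.probability >= probability_threshold
    if high_probability and high_impact:
        return REDUCE
    if high_probability:
        return MANAGE
    if high_impact:
        return PLAN
    return ACCEPT


def rank_register(entries, impact_threshold: float, probability_threshold: float) -> list[ScoredRisk]:
    """Score every entry and return the register ordered most serious first."""
    scored = [
        ScoredRisk(e, e.risk(), treatment(e, impact_threshold, probability_threshold))
        for e in entries
    ]
    # Primary key: expected loss, descending. Tie-break: raw impact, descending,
    # so a low-probability/high-impact event outranks a frequent nuisance with
    # the same expected loss.
    scored.sort(key=lambda s: (-round(s.risk, 6), -s.entry.impact))
    return scored


# Constructed sample register (assumed figures, not real data).
SAMPLE_REGISTER = [
    RiskEntry("customer database", "external data breach", impact=2_000_000, probability=0.05),
    RiskEntry("email accounts", "phishing credential theft", impact=50_000, probability=0.6),
    RiskEntry("office laptops", "lost or stolen device", impact=5_000, probability=0.8),
    RiskEntry("manufacturing line", "ransomware halts production", impact=1_500_000, probability=0.02),
    RiskEntry("marketing website", "defacement", impact=20_000, probability=0.1),
    RiskEntry("file server", "unpatched service exploited", impact=300_000, probability=0.4),
]

# Assumed weighting: losses at or above 100k are "High" impact; likelihood at or
# above 25% per year is "High" probability.
IMPACT_THRESHOLD = 100_000
PROBABILITY_THRESHOLD = 0.25


def ranked_assets(entries=SAMPLE_REGISTER,
                  impact_threshold=IMPACT_THRESHOLD,
                  probability_threshold=PROBABILITY_THRESHOLD) -> list[str]:
    """Asset names in ranked order, convenient for reporting."""
    return [s.entry.asset for s in rank_register(entries, impact_threshold, probability_threshold)]


if __name__ == "__main__":
    for s in rank_register(SAMPLE_REGISTER, IMPACT_THRESHOLD, PROBABILITY_THRESHOLD):
        print(f"{s.risk:>12,.0f}  {s.treatment:<7}  {s.entry.asset}: {s.entry.threat}")
```

Note that "manufacturing line" and "email accounts" have the same expected loss (30,000) but land in different quadrants: the first is a rare event with a large loss and gets a contingency plan, the second is a frequent event with a small loss and gets routine management. A ranking on expected loss alone would treat them as equals, which is why the treatment decision uses the matrix rather than the product.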
You are unlikely to remove all risk from the company, but by evaluating risk with a structured approach and concentrating on core business functions, you make the company far less likely to fall victim to a damaging event.