Mastering a Risk Assessment

In light of the recent news of the data breach at Anthem Blue Cross/Blue Shield, risk assessment is our theme today. We welcome this guest post from our partner, KirkpatrickPrice….


Performing a Risk Assessment is a critical component of any Information Security Program. It’s mandated by several frameworks (SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA). To comply with those frameworks, your organization has to complete a risk assessment and then assess and address the identified risks by implementing security controls. Risk Assessment is a continuous, evolving process for an organization, not a one-time exercise. So, where do you begin?


1. Conduct Risk Assessment Survey

A Risk Assessment is a systematic process of evaluating the potential operational, reputational, and compliance risks that pertain to your organization. So why should you care about performing one? As a business owner or stakeholder, it is your priority to protect the assets that are required to deliver your service or product. A Risk Assessment can protect your revenue and business operations, ensure future growth and help you meet your responsibilities, and help you avoid costly lawsuits and fines.

2. Identify Risks

Risk = Vulnerability × Threat

To identify your risks, you must first identify your assets, and then the threats and vulnerabilities that can affect those assets. What wakes you up in the middle of the night? Are you worrying about the security of your hardware, software, human resources, data, or processes? Once you have identified your assets, identify the threats to them. Threats are man-made or natural events, such as floods, earthquakes, or accidental or intentional acts, that take advantage of an asset’s flaws and can result in a loss of integrity, availability, or confidentiality. What are your assets’ vulnerabilities? A vulnerability is a known or unknown flaw or weakness in an asset that could result in a loss of integrity, availability, or confidentiality, such as a lack of security awareness training or a lack of software support for a critical application.

3. Assess Risk Importance and Likelihood

Now that you know what your risks are, you can assess the importance of each one and the likelihood that the event will actually happen. What is the likelihood of this specific event having a negative effect on the asset? If it is unlikely, should you even worry about it? Likelihood can be expressed qualitatively or quantitatively (High, Medium, Low, or 1, 2, 3, 4, 5). Risk Importance is the impact on the business if the event does have a negative effect on the asset.

4. Create a Risk Management Action Plan

Based on your complete analysis of which assets are important to your business and which threats and vulnerabilities are likely to negatively affect those assets, you must develop control recommendations to mitigate, transfer, accept, or avoid each risk. Your Risk Management Action Plan can take many forms: a control recommendation could be to stock a spare part, cross-train employees, or create new policies and procedures.

5. Implement a Risk Management Plan

After you’ve developed a plan to manage your risks and determined what you’re going to do and how you’re going to do it, it’s time to implement those controls. This won’t necessarily happen overnight, but you should now have an effective way to identify and manage your risks. The final step in mastering a Risk Assessment is recognizing that, to monitor and manage your risks continuously, you must return to Step 1.
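To show how the five steps above fit together in a working risk register, here is an added Python example (not part of the original post or KirkpatrickPrice's matrix): it normalizes the High/Medium/Low and 1-5 scales the post mentions, scores each asset/threat/vulnerability entry as likelihood × importance, ranks the register for the action plan, and flags any risk marked "accept" that sits above a constructed appetite threshold. The asset names, scores and banding thresholds are constructed sample data.

```python
from dataclasses import dataclass
# Likelihood and importance may be stated as High/Medium/Low or 1..5; map both onto 1..5.
QUALITATIVE = {"low": 1, "medium": 3, "high": 5}

def to_score(value) -> int:
    """Accept 'High'/'Medium'/'Low' or an integer 1..5; return an int 1..5."""
    if isinstance(value, str) and value.strip().lower() in QUALITATIVE:
        return QUALITATIVE[value.strip().lower()]
    if isinstance(value, int) and 1 <= value <= 5:
        return value
    raise ValueError(f"expected High/Medium/Low or 1..5, got {value!r}")

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int    # 1..5
    importance: int    # 1..5, business impact if the threat exploits the flaw
    treatment: str     # mitigate / transfer / accept / avoid (step 4)

    def score(self) -> int:
        return self.likelihood * self.importance

def band(score: int) -> str:
    """Constructed banding of the 1..25 product; tune to your own risk appetite."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def prioritize(register):
    """Highest score first, so the action plan addresses the worst risks first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def accepted_above_appetite(register, appetite=15):
    """Risks marked 'accept' at or above the appetite threshold need explicit sign-off."""
    return [r for r in register if r.treatment == "accept" and r.score() >= appetite]

# Constructed sample register (not from the post).
REGISTER = [
    Risk("Claims database", "External attacker", "Unpatched application server",
         to_score("High"), to_score(5), "mitigate"),
    Risk("Help desk staff", "Phishing e-mail", "No security awareness training",
         to_score(4), to_score("Medium"), "mitigate"),
    Risk("Billing application", "Vendor drops support", "No software support",
         to_score(3), to_score(5), "accept"),
    Risk("Server room", "Flood", "Equipment sits at ground level",
         to_score("Low"), to_score(4), "transfer"),
]
if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():>2} {band(r.score()):<6} {r.asset}: {r.threat} via {r.vulnerability} -> {r.treatment}")
```

Re-running the script after controls are implemented, with updated likelihood and importance values, is the return to Step 1 that the post describes.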

For help with conducting your Risk Assessment, contact us for a free Risk Assessment Matrix (spreadsheet) and Guide.


Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit