Risk

In order to understand and manage the risk posed to your business and assets, you must first understand the threats. It can be quite difficult to carry out a single, complete risk assessment for your organisation, as each of your assets will face different threats and therefore have a different risk profile, so it is often easiest to define a small scope for each risk assessment. The headings below can be used as the basis of a risk management methodology:

Identify and Assess the Threats

There are several methodologies to identifying threats, but all threats broadly fall into one of three categories:

  • Natural (Earthquakes, flooding, severe winds, extreme temperatures)
  • Technical (Power failure, loss of connectivity, server failure)
  • Human (accidental data leakage, theft, illness)

Once you have identified the threats, you need to assess how real and how applicable those threats are. Is the threat greater than it’s perceived to be? Is it less than it’s perceived to be? Has the threat become more serious since your last assessment?

The threat landscape is constantly changing, and you should review risk assessments to take this into account.

Assess the Vulnerability of Critical Assets to Specific Threats

In order to do this, you need to identify your critical assets: Is your website critical to your business? How critical are particular members of staff to your business? What are the chances of 5 members of your sales team all having the flu for a week? Will internal email be affected if there is a loss of Internet connectivity?

Different assets are vulnerable in different ways to different threats: for example, influenza could render 5 members of your sales team unable to work, but it does not affect your CRM system.

Determine the Risk

What are the consequences of losing Internet connectivity? Being unable to connect to the Internet will leave you unable to browse websites and use external email, but will your internal email still work? Will you be able to access your CRM database? The answers to questions like these will determine the risk posed by the vulnerabilities.

Identify Ways to Reduce those Risks

Generally, risks can be avoided, reduced, shared or accepted. If a risk cannot be avoided, look for ways to reduce it to a point where it can be accepted. Risk can be shared through outsourcing or insurance, for example.

Prioritise Risk Reduction Measures

Not all risks can be reduced or shared, but where possible, risk reduction measures should be put in place. As most of these measures will have an associated cost, both in time and money, there is clearly a need to prioritise them. Begin with the greatest threats to your most critical assets. If your business has a strategy or strategies in place, make sure that your risk reduction measures align with them. You should also form a risk management policy / strategy that will outline the approaches a projects created with the

Further Information

The Institute of Risk Management - http://www.theirm.org/
A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000 - http://www.theirm.org/ISO31000guide.htm