Risk Assessment vs Risk AnalysisPublished November 13, 2018 by Karen Walsh • 5 min read
Although we think of the words “assess” and “analyze” as interchangeable, they aren’t the same in the risk management world.
A risk assessment involves many steps and forms the backbone of your overall risk management plan. A risk analysis is one of those steps—the one in which you determine the defining characteristics of each risk and assign each a score based on your findings.
What Is a Risk Assessment?
A risk assessment is an assessment of all the potential risks to your organization’s ability to do business. These include project risks, function risks, enterprise risks, inherent risks, and control risks.
Every risk assessment should consist of two main parts: risk identification and risk analysis. Each of these components, in turn, comprises several important actions.
In security, for example, risk assessments identify and analyze the risks that external and internal threats pose to enterprise data integrity, confidentiality, and availability.
The security risk assessment process involves identifying potential threats to information systems, devices, applications, and networks; conducting a risk analysis for each identified risk; and pinpointing security controls to mitigate or avoid these threats.
Security risk assessment models typically involve these elements:
- Identifying the organization’s critical technology assets as well as the sensitive data those devices create, store, or transmit
- Creating a risk profile for each asset
- Assessing cybersecurity risks for all critical assets
- Mapping all critical assets’ interconnections
- Prioritizing which assets to address after an IT security breach
- Developing a mitigation plan with security controls for each risk
- Preventing or minimizing attacks and vulnerabilities
- Monitoring risks, threats, and vulnerabilities on an ongoing basis
Security risk assessments are important not just for cybersecurity but also for regulatory compliance. The Sarbanes-Oxley Act (SOX) and the Health Information Portability and Accountability Act (HIPAA) require periodic security risk assessments. The National Institute of Standards and Technology’s (NIST) Special Publication 800-53, Guide for Conducting Risk Assessments, provides a framework for the information security risk assessment process.
Many organizations are using risk management and compliance software to help them manage all the many tasks associated with risk assessment, risk analysis, and risk management.
Security risks aren’t the only type of risk that organizations face. Here are some others:
- Financial risk
- Audit risk
- Credit risk
- Compliance risk
- Reputational risk
- Competitive risk
- Legal risk
- Economic risk
- Operational risk
- Third-party risk
- Quality risk
Identification: What’s involved?
For the risk identification phase, you’ll need to use your imagination and envision worst-case scenarios, from natural disasters to economic ones.
What if a fire broke out in your building? What if someone stole your proprietary secrets? What if the economy crashed? What if ransomware locked your systems? What if a competitor undercuts your prices? And so on.
During the risk identification process, it’s important to keep in mind that we cannot see into the future. New risks could emerge for which you have no plan — yet. It’s also important to keep your options open, and your risk management process and program flexible. Plan to review your risk list regularly, and establish contingency plans for new and unforeseen risks.
What Is a Risk Analysis?
In the risk analysis phase, you’ll examine each identified risk and assign it a score using one of two types of scoring system: quantitative or qualitative. These scores help you prioritize your risks and define your high risks so that you know which you should work to avoid or mitigate and which you can ignore or accept.
Quantitative scoring assigns specific dollar amounts to the risk factors under consideration.
- What would be the cost to the organization if the risk were to materialize? This is known as “single loss expectancy” (SLE)
- How often should you expect the risk to materialize? Once per year assigns an annual rate of occurrence (ARO) of 1; once every 10 years, an ARO of 0.1.
To calculate the financial risk in a given year, multiply the SLE by the ARO.
Qualitative scoring is less specific and more subjective and uses a risk assessment matrix. One matrix we like involves four factors:
- Likelihood: What’s the probability of occurrence—the likelihood that the risk will materialize?
- Impact: How hard would your project, function, or enterprise be hit if the event occurred?
- Velocity: How quickly would your project, function, or enterprise feel the impact?
- Materialization: What’s the potential severity of the impact? To arrive at this score, add the impact and velocity scores and divide by 2.
You can use mitigations or controls to reduce a risk’s scores for impact, velocity, and severity.
In the risk analysis phase, it’s also important to determine your organization’s risk appetite and risk tolerance.
The COSO Enterprise Risk Management framework defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.”
Risk tolerance, the framework states, “reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.”
Prioritizing your Risks
Once you’ve assigned scores to your risks, you can categorize them according to their priority. Many enterprises assign rankings of “high-priority,” “medium-priority,” or “low-priority.”
A ransomware attack, in which malicious actors use malware to lock you out of your systems and demand payment to restore your access, would fall under this category. So would a zero-day attack, in which hackers exploit a previously unknown vulnerability.
A medium-risk event might be a former employee stealing information after being terminated. Reviewing your organization’s employee-access policies would be a control against this risk’s materializing—but since the likelihood is low of its occurring, you most likely would not need to conduct this review every time someone leaves.
If your buildings are properly secured, the probability might be low of someone’s breaking into your offices and stealing devices. If those devices don’t contain any information, the likelihood of a data loss may also be low or nil. Since there is no urgency associated with this risk, you might decide to review your device-risk-mitigation controls annually.
Automate, for Best Results
Keeping track of everything all at once, and all the time can seem impossible, especially when it comes to cyber risk. Threat actors continually switch and evolve their tactics and technologies—and so must you, or risk losing control of your systems, data, and brand.
Continuously monitoring your systems and networks can apprise you in real-time of security threats, but beware: your solution may ping you every time there’s an anomaly of any kind, generating false alarms and causing “alert fatigue” among your teams.
Good governance, risk management, and compliance solution, however, can help you handle the many tasks associated with managing cybersecurity risk.
ZenGRC helps you pinpoint risks by probing your systems and finding cybersecurity and compliance gaps. It helps you prioritize those risks and assign tasks to members of your team. Its user-friendly dashboards let you see in a glance the status of each risk, and what needs to be done to address it—and in what order.
Zen also generates an audit trail of your risk management activities, and stores all documentation in a “single source of truth” repository for easy retrieval come audit time. And it allows unlimited self-audits so you always know where your organization’s risk management and compliance efforts stand.
With ZenGRC, cyber risk management all but takes care of itself—leaving you to other, more pressing concerns, like boosting your business and your bottom line. Worry-free GRC: that’s the Zen way. Contact us now for your free consultation.