Risk Assessment

What is a risk assessment?
A risk assessment takes each threat to the organisation's key processes and critical activities in turn and assesses the organisation's current exposure to it. It does so by identifying the controls in place to prevent the threat from occurring or to limit its impact, and then makes practical recommendations for control improvements.

What is meant by a “threat”?
A threat (or hazard) is anything that can go wrong or cause harm, e.g. power loss, theft, explosion, flood, accident, sabotage, etc. The impacts of threats materialising vary, but they normally result in direct and indirect financial loss, in some cases reputation/brand damage and even, following severe incidents for which the organisation is unprepared, failure of the organisation to survive.

What is meant by a “risk”?
A risk consists of two components:

  1. The likelihood or probability that a particular threat will materialise
  2. The impact or consequences that might result

Hence a risk is a measure of how likely a threat is to impact the organisation given the level of control in place to avoid or manage the threat.

What is meant by a “control”?
A control is a means by which the likelihood of a threat materialising, or the impact of the threat should it materialise, is reduced. Controls come in many forms and can include fire suppression systems, security access controls, an effective off-site data backup regime, manual workarounds for key processes, use of multiple offices to spread risk, etc. Controls should be cost-effective and appropriate to the risk faced.

Why do I need a risk assessment?
A risk assessment is required to understand the threats which could materialise and the impact they would have on the organisation. By then reviewing the controls in place to minimise the impacts of those threats, the current exposure to each threat is understood, and control improvements can be implemented or the residual risks accepted by senior management as deemed appropriate.

When should I conduct a risk assessment?
A risk assessment can be conducted at any time but is normally best performed following a Business Impact Analysis, which serves to identify the key processes in the organisation and hence allows the risk assessment to target those key processes and the resources upon which they depend.

A risk assessment should also be performed when major organisational changes occur, such as the opening or closure of offices, mergers and acquisitions, the introduction of new processes, product lines or services, etc.