Risk in general is the likelihood and the possible impact of something bad happening in the near future. A risk assessment is an introspective document that helps the company understand risk and then take risks to move the business forward, in a managed, controlled way.
The output is based on the appropriate risk assessment framework. It should contain a risk register that describes how the risk was assessed, how it was calculated, the value of the risk and the math of how that risk value was derived. And then it should have a corresponding treatment plan that aligns with each risk item on the risk register in an organization that doesn't have a culture of risk assessment.
Typically, in enterprise risk management we use a risk assessment matrix visually shown on a 5 x 5 heat map. Risk assessments are the language of how we talk about, identify, and quantify risk so that we can have an intelligent conversation about it. You have to have an established risk appetite.
Q: Has much changed on the methodology front?
With new technology including AI, we're starting to get some better tools to help with quantitative risk assessments. A true quantitative risk assessment should in theory tie the risk value to ROI in U.S. dollars, against the cost of the mitigating control that you're putting in place.
That's ultimately what the board would like and ultimately the best for business.
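The arithmetic behind the two styles of entry described above, as an added worked example that is not part of the interview and not Truvantis' own tooling: each risk gets a likelihood x impact score placed on a 5 x 5 heat-map band, and a quantitative entry gets an annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) compared against the cost of its mitigating control as a return on security investment (ROSI). The formulas, the band thresholds, the risk appetite, and all dollar figures are assumptions or constructed sample data, not numbers from the page.

```python
from dataclasses import dataclass

# Heat-map bands keyed by the upper bound of the likelihood x impact score.
# This banding is an assumption; organizations tune it to their appetite.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int    # 1..5, heat-map axis
    impact: int        # 1..5, heat-map axis
    sle_usd: float     # single loss expectancy (constructed estimate)
    aro: float         # annualized rate of occurrence (constructed estimate)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_usd: float
    ale_reduction: float  # fraction of ALE the control removes, 0..1 (assumed)


def heat_map_score(risk: Risk) -> int:
    """Qualitative score: likelihood x impact on the 5 x 5 matrix."""
    for axis in (risk.likelihood, risk.impact):
        if not 1 <= axis <= 5:
            raise ValueError("heat-map axes must be 1..5")
    return risk.likelihood * risk.impact


def heat_map_band(score: int) -> str:
    """Map a 1..25 score onto a named band."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score outside 1..25")


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO, the standard quantitative risk value in dollars."""
    return risk.sle_usd * risk.aro


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains after the control is in place."""
    return annualized_loss_expectancy(risk) * (1.0 - control.ale_reduction)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    avoided = annualized_loss_expectancy(risk) - residual_ale(risk, control)
    return (avoided - control.annual_cost_usd) / control.annual_cost_usd


def treatment(risk: Risk, control: Control, appetite_score: int) -> str:
    """Treatment decision: accept inside appetite, mitigate when the control pays
    for itself, otherwise escalate (transfer, redesign, or accept with sign-off)."""
    if heat_map_score(risk) <= appetite_score:
        return "accept"
    return "mitigate" if rosi(risk, control) > 0 else "escalate"


def build_register(entries, appetite_score: int):
    """Produce risk-register rows that show the math behind each value."""
    rows = []
    for risk, control in entries:
        score = heat_map_score(risk)
        rows.append({
            "risk": risk.name,
            "score": score,
            "band": heat_map_band(score),
            "ale_usd": round(annualized_loss_expectancy(risk), 2),
            "control": control.name,
            "residual_ale_usd": round(residual_ale(risk, control), 2),
            "rosi": round(rosi(risk, control), 3),
            "treatment": treatment(risk, control, appetite_score),
        })
    return rows


# Constructed sample register (illustrative figures only).
RANSOMWARE = Risk("Ransomware on file server", 4, 5, sle_usd=250_000, aro=0.2)
BACKUP_EDR = Control("Immutable backups + EDR", annual_cost_usd=20_000, ale_reduction=0.8)
LAPTOP = Risk("Lost unencrypted laptop", 3, 2, sle_usd=15_000, aro=0.5)
FDE = Control("Full-disk encryption", annual_cost_usd=3_000, ale_reduction=0.9)
VENDOR = Risk("Sole-source vendor outage", 2, 5, sle_usd=40_000, aro=0.25)
SECOND_VENDOR = Control("Second vendor on retainer", annual_cost_usd=15_000, ale_reduction=0.5)
ENTRIES = [(RANSOMWARE, BACKUP_EDR), (LAPTOP, FDE), (VENDOR, SECOND_VENDOR)]
APPETITE_SCORE = 9   # assumed appetite: anything in Low or Medium is accepted

if __name__ == "__main__":
    for row in build_register(ENTRIES, APPETITE_SCORE):
        print(row)
```

The register rows carry the inputs and the derived values side by side, which is the "math of how that risk value was derived" a reader of the register needs; the treatment column links each row to its plan. The same control estimates feed both the qualitative band and the dollar comparison, so the two views cannot drift apart.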
Nate S. Hartman CISSP, CCSP, CRISC, CEH, DCHA
Nate S. Hartman is CISO and VP of Professional Services at Truvantis. He has over 25 years of focused experience in Cybersecurity and was Director of Risk at Symantec Corporation leading a global team in GRC, Security Risk Management and Internal Security Audits.