How to do a risk assessment analysis using company assets
Risk Analysis and Assessment is a key backbone of risk management in an organisation. We will guide you through an asset-based approach that consists of seven basic steps.
Creating a risk catalogue in a company is certainly a challenge. It is therefore important to know where to start and how to proceed with the creation. In this article, we will look at one of the most common ways of creating a risk catalogue, based on a company asset register. This method is quite widely used and is especially common in the information security field.
We have put together 7 basic steps to guide you through the risk assessment so that you don't drown in them. There are certainly other approaches, this is just one possible approach.
Step 1: Identify and name your business assets
As a starting point, you need to have an inventory of corporate assets from which your risk analysis and assessment will be based. Create an inventory of assets that you know are of significant value to the company or that, if compromised, could put the company at risk. This will give you a clear idea of priorities and allow you to focus on the essential corporate assets - those that are valuable to the company. Use an asset register to set up basic asset types such as:
For each asset type, enter and name your specific business assets. Be specific.
Step 2: Identify and assign asset owners
Each named asset should have a business owner within the company who is responsible for it. It should be someone in the top management of the company who has responsibility but also authority over the asset. Assets as sources of potential threats and vulnerabilities.
Step 3: Identify threats and vulnerabilities to the assets
Every asset can succumb to some threats and has vulnerabilities. Carefully analyze each asset and identify and assign potential threats and vulnerabilities to it
Step 4: Name the risks and assign their owners
Based on the first three steps, identify the risks and their owners. Risk owners have the responsibility for risk mitigation and have sufficient authority to manage the risk.
Step 5: Evaluate each individual risk
Evaluate the risks and assign them probabilities of occurrence and impacts.
Step 6: Prioritise the risks
You need to create priorities in your risk list. You cannot address everything at once. A risk matrix helps you do this by visualizing the risks according to their likelihood and impact. Naturally, risks with high probability and impact have the highest priority. These are the ones that can put you most at risk and are worth addressing as a priority.
Step 7: Create measures, corrective or preventive actions for the priority risks
Based on the priorities, you'll move on to the final step, which is to create a set of actions that mitigate the risks (mitigate, eliminate or reduce their impact or likelihood of occurrence). Risks can never be completely eliminated, only their likelihood or impact reduced. The basic measures can be divided into
- risk transfer
- risk acceptance
- risk prevention and avoidance
You assign owners to each measure and use tasks to manage its implementation over time. We also recommend conducting regular status review meetings. Record and share the meetings and their results using minutes.