How to conduct asset-based risk assessment

Last updated: 2024-01-15
See our solution:
Risk Management SoftwareRisk Management
Was this article helpful?
28 of total 31 found this helpful.

How to do a risk assessment and analysis using company assets

Risk Analysis and Assessment is the key backbone of risk management in an organization. We will guide you through an asset-based approach that consists of seven basic steps. 

Creating a risk catalog in a company is certainly a challenge. It is therefore important to know where to start and how to proceed with the creation. In this article, we will look at one of the most common ways of creating a risk catalog, based on a company asset register. This method is quite widely used and is especially common in the information security field.

We have put together 7 basic steps to guide you through the risk assessment so that you don't drown in it. There are certainly other approaches, this is just one possible approach. 

7 basic steps of risk analysis

Step 1: Identify and name your business assets

Assets along with processes are a sources of risks. As a starting point, you need to have an inventory of corporate assets from which your risk analysis and assessment will be based. Create an inventory of assets that you know are of significant value to the company or that, if compromised, could put the company at risk. This will give you a clear idea of priorities and allow you to focus on the essential corporate assets - those that are valuable to the company.  Use an asset register to set up basic asset types such as:

  • infrastructure
  • people
  • information
  • hardware
  • software
  • processes

For each asset type, enter and name your business assets. Be specific. 

Step 2: Identify and assign asset owners

Each named asset should have a business owner within the company who is responsible for it. It should be someone in the top management of the company who has responsibility, but also authority over the asset. Assets are sources of potential threats and vulnerabilities.  

Step 3: Identify threats and vulnerabilities to the assets

Every asset can succumb to some threats and has vulnerabilities. Carefully analyze each asset and identify and assign potential threats and vulnerabilities to it.

Step 4: Name the risks and assign their owners 

Based on the first three steps, identify the risks and their owners. Risk owners have the responsibility for risk mitigation and have sufficient authority to manage the risk. 

Step 5: Evaluate each individual risk 

Evaluate the risks and assign them probabilities of occurrence and impacts. 

Step 6: Prioritise the risks

You need to create priorities in your risk list. You cannot address everything at once. A risk matrix helps you do this by visualizing the risks according to their likelihood and impact. Naturally, risks with high probability and impact have the highest priority. These are the ones that can put you most at risk and are worth addressing as a priority. 

Step 7: Create measures, corrective or preventive actions for the priority risks

Based on the priorities, you'll move on to the final step, which is to create a set of actions how to treat your risks. Risks can never be completely eliminated, only their likelihood or impact reduced. 

You assign owners to each measure and use tasks to manage its implementation over time.  We also recommend conducting regular status review meetings. Record and share the meetings and their results using minutes.