
Beginner’s Guide to Assessing Risk

Risk affects every organization, in every industry. Risk manifests in numerous forms – financial, operational, security, compliance, competitive, staffing – too many to list.

Assessing risk is complex. Every industry approaches risk differently. Numerous assessment models exist. Most agree in principle though – risk is a product of likelihood and impact.

Sounds simple, right? A threat that is more likely to occur, with greater impact, naturally is a higher risk. Unfortunately, the simplicity ends there. Measuring likelihood and impact can be daunting.

Ultimately, strive for three things when assessing risk:

  • Accuracy – to focus on the correct risks
  • Speed – to quickly identify critical risks to ensure timely action
  • Repeatability – to ensure the same result or conclusion, regardless of the person executing the assessment process

Assessing risk is just one component of an overall risk management process. Check out this companion article for a broader overview: Building Blocks of Risk Management.

The Risk Matrix

A risk matrix helps to frame risk. Usually, a risk matrix is represented as a grid, with likelihood on one axis and impact on the other. Grids can vary in complexity and depth, though 3×3, 4×4, or 5×5 grids are common. We will explore some examples below.

The risk matrix allows the person performing the risk assessment to assign an overall rating or score to the risk. The rating intends to appropriately categorize the risk, to determine urgency and the correct next action.

Organizations often use Critical, High, Medium, and Low to categorize risks. Some organizations may assign a numerical value with (or instead of) this label. Regardless, a higher risk rating should drive more immediate action. Lower-rated risks may be added to backlogs for future prioritization. Some risks may simply be accepted, with no action taken.

A risk matrix can be tailored for any type of risk, in any industry. Let’s explore some examples below, focusing on security risk.

Examples

Search Google for a risk matrix, and you may find something that looks like this:

Simple Risk Matrix

Simple is good, generally. However, the above example lacks anything quantifiable. How is ‘probable’ versus ‘occasional’ likelihood measured? What constitutes ‘moderate’ impact versus ‘significant’?

The risk matrix above is fully qualitative – up to the judgement of the person performing the assessment. Qualitative risk assessments can provide speed, at the potential expense of accuracy and repeatability. In a vacuum, this is neither good nor bad. Qualitative assessments are common in many industries. However, the example above is too generic to be meaningful and effective.

Let’s look at the other end of the spectrum:

Advanced Risk Matrix

This is certainly more detailed, more data-driven, and thus more quantitative in nature. Mature organizations may use a risk matrix like this. Accuracy and repeatability will (likely) be high, assuming the data feeding the assessment is thorough and precise.

Quantitative assessment requires rigorous process and a well-trained staff. Measuring probability will require a strong dataset and a robust analytics team or tool.

Associating impact with financial or business loss is commendable. Arguably, this is the best measure of impact. In practice, financial impact can be difficult or time-consuming to quantify. Beware getting stuck in a quagmire of analysis. Sacrificing too much speed will hinder your response to critical risks.

The matrix above is something to aspire to, as you mature a risk program. Take caution using it as a starting point. Walk before you run, until the right processes, team, and analytics are in place.

Is there a practical middle-ground, especially when starting out? Consider the following example:

Balanced Risk Matrix

This balances qualitative and quantitative approaches. It intends to provide ‘good enough’ accuracy to reach a quicker conclusion.

With this matrix, measuring impact requires a companion guide defining critical assets, which will differ for each organization. There is value in separating this – the risk matrix itself can remain largely static, while a critical asset list may change frequently.

Likelihood always proves more difficult to measure. In terms of security risk, the matrix above strives to simplify the thought process:

  • If something is happening right now at your organization, likelihood is 100%
  • If something is happening right now at other similar organizations (i.e., in the wild), the likelihood it could happen to yours is reasonably high
  • Failure of a single protective control is more likely than failure of multiple controls

Some things are still qualitative. The difference between ‘massive’ versus ‘moderate’ exposure of PII is a judgement call. Set boundaries or definitions as needed. Do not get stuck in the weeds. Remember the intention is good enough accuracy to reach a speedy and reasonable conclusion.

Matrix #3 above is merely an example of a balanced approach. It does not necessarily represent the ‘correct way’ to do it. Find what works for you.
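The balanced approach above, worked as an added Python example (not code from the article): likelihood is derived from the three observable questions the article lists, impact from a constructed critical-asset companion list, and the product of the two is bucketed into the four labels. The asset names, the 1–4 scales, the exposure vocabulary and the bucket thresholds are assumptions chosen for illustration.

```python
"""Balanced risk matrix: likelihood from observable facts, impact from a
critical-asset list, rating = likelihood x impact bucketed into four labels."""
from dataclasses import dataclass

# Hypothetical companion guide (constructed): assets whose loss is business-critical.
CRITICAL_ASSETS = {"customer-db", "payment-gateway"}


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    active_here: bool      # exploited at our organization right now
    seen_in_wild: bool     # exploited at similar organizations
    controls_to_fail: int  # protective controls that must all fail for success
    exposure: str          # "none", "moderate" or "massive" (bounded judgement call)


def likelihood(r: Risk) -> int:
    """4 = happening now, 3 = in the wild, 2 = one control away, 1 = several away."""
    if r.active_here:
        return 4
    if r.seen_in_wild:
        return 3
    return 2 if r.controls_to_fail <= 1 else 1


def impact(r: Risk) -> int:
    """Critical asset plus exposure size give an impact level from 1 to 4."""
    base = 2 if r.asset in CRITICAL_ASSETS else 1
    return min(4, base + {"none": 0, "moderate": 1, "massive": 2}[r.exposure])


def rating(r: Risk) -> str:
    """Bucket the 1..16 product into the four labels used in the article."""
    score = likelihood(r) * impact(r)
    return "Critical" if score >= 12 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def triage(risks):
    """Most urgent first; equal scores keep their input order (sorted is stable)."""
    return sorted(risks, key=lambda r: -likelihood(r) * impact(r))


# Constructed sample risks, deliberately listed least-urgent first.
SAMPLE_RISKS = [
    Risk("unpatched dev VM", "dev-vm", False, False, 3, "none"),
    Risk("phishing kit seen at peers", "hr-portal", False, True, 1, "moderate"),
    Risk("weak admin password", "customer-db", False, False, 1, "moderate"),
    Risk("ransomware running now", "payment-gateway", True, False, 0, "massive"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_RISKS):
        print(f"{rating(r):8} {likelihood(r)}x{impact(r)}  {r.name}")
```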

Adopting a Process

After careful preparation, you settle on a risk matrix and assessment process. What’s next?

Train your team. They serve on the front lines. Explain the thought process to them. Get their feedback. Refine as necessary. Document the process well.

Next, test the process. Perform tabletop exercises of real or fabricated risks. Make sure the results make sense, and are reached quickly enough. Refine again where needed.

Continuously monitor for flaws in the process. What happens if different people come to different conclusions for similar risks? Step back and question everything. Is your matrix or process unclear? Is more training needed? Are certain members of your team over-zealous? Take the appropriate corrective action.

Repeatability is vital. Without it, confusion and frustration will reign. Avoid sending mixed messages about the urgency of risks. This will damage the credibility of your team.

Occasionally, there will be legitimate debate on the severity of a particular risk. This will happen even with the best process. Keep that debate within the risk team. The team leader should shepherd alignment. Where that fails, the leader must ultimately make a call. Once decided, the team should then speak with one voice.

Closing Thoughts

Every organization faces unique threats. Not everyone is at the same maturity level. Be thoughtful and practical. Qualitative versus quantitative assessment is not right versus wrong. Choose a balanced process that best fits your organization.

Remember – the goal of risk assessment is to reach the correct next action. Get comfortable with ‘good enough’ accuracy, especially in early stages of maturity.

Spending countless hours or days assessing each risk is a red flag. Your process may be too complex and your reaction too slow. Hours or minutes matter if your organization is actively being exploited. Apply common sense. Move to remediation quickly for critical risks. Your detailed analysis means nothing if the building is burned down.

Risk assessment is just one piece of an overall risk management program. Future articles may explore other components in more depth. I hope this brief overview on assessment was of some value. Best wishes!

© 2024 Aaron Balchunas
Lucid Resource content is free to use and distribute under two conditions:
(1) my name and copyright remain attached, and
(2) this content is not sold or altered without my written permission