When thinking about Risk Assessment you might use the following techniques:
- Bayesian analysis,
- bow-tie analysis,
- brainstorming and structured discussions,
- cause and consequence analysis,
- cause and effect analysis.
It's useful to use Risk Rankings – the level of risk associated with a threat, derived from its severity (impact), its likelihood and other characteristics. Risk Rankings can be presented in the form of Risk Maps, e.g. Heat Maps, where each risk is plotted by likelihood against severity.
Whenever performing a Risk Assessment we need to make sure each risk has an individually identified Risk Owner: a person who is empowered to make decisions on behalf of the organization. Without one, taking any action will be crippled, because nobody can approve treatment or accept the risk.
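The ranking and heat-map idea above, as an added example (not code from the original page): a small risk register scored on an assumed 1–5 likelihood and 1–5 severity scale, ranked by the product, flagged when a risk has no owner, and rendered as a text heat map. The register entries, the scales and the level thresholds are all constructed for illustration.

```python
"""Risk register ranking and text heat map.

Added example, not code from the original page. Scoring uses a 5x5
likelihood x severity matrix with assumed level thresholds; adjust both
to your organisation's risk appetite.
"""

# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    {"id": "R1", "threat": "Unpatched internet-facing VPN appliance",
     "likelihood": 4, "severity": 5, "owner": "Head of Infrastructure"},
    {"id": "R2", "threat": "Phishing leading to credential theft",
     "likelihood": 5, "severity": 3, "owner": "CISO"},
    {"id": "R3", "threat": "Loss of unencrypted laptop",
     "likelihood": 2, "severity": 4, "owner": "IT Operations Manager"},
    {"id": "R4", "threat": "Stale test account left enabled",
     "likelihood": 3, "severity": 1, "owner": None},  # no owner: flagged below
]

SCALE = range(1, 6)  # assumed 1 (lowest) .. 5 (highest) for both axes

# Assumed thresholds on the product likelihood * severity (1..25), highest first.
LEVEL_THRESHOLDS = [(15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]


def risk_score(likelihood: int, severity: int) -> int:
    """Return likelihood * severity, rejecting ratings outside the scale."""
    if likelihood not in SCALE or severity not in SCALE:
        raise ValueError(f"ratings must be in 1..5, got {likelihood}, {severity}")
    return likelihood * severity


def risk_level(score: int) -> str:
    """Map a score to a ranking label using LEVEL_THRESHOLDS."""
    for floor, label in LEVEL_THRESHOLDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def missing_owners(register):
    """IDs of risks that nobody is empowered to decide on."""
    return [r["id"] for r in register if not r.get("owner")]


def rank(register):
    """Register sorted highest risk first, with score and level filled in."""
    ranked = []
    for r in register:
        score = risk_score(r["likelihood"], r["severity"])
        ranked.append({**r, "score": score, "level": risk_level(score)})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return ranked


def heat_map(register):
    """Cell (likelihood, severity) -> list of risk IDs plotted in that cell."""
    cells = {(l, s): [] for l in SCALE for s in SCALE}
    for r in register:
        cells[(r["likelihood"], r["severity"])].append(r["id"])
    return cells


def render_heat_map(register) -> str:
    """Text heat map: rows = likelihood (5 at the top), columns = severity."""
    cells = heat_map(register)
    lines = ["L\\S " + " ".join(f"{s:>6}" for s in SCALE)]
    for l in reversed(SCALE):
        row = [",".join(cells[(l, s)]) or "." for s in SCALE]
        lines.append(f"{l:>3} " + " ".join(f"{c:>6}" for c in row))
    return "\n".join(lines)


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r['id']} {r['level']:<8} score={r['score']:>2} owner={r['owner']}")
    print()
    print(render_heat_map(REGISTER))
    unowned = missing_owners(REGISTER)
    if unowned:
        print(f"\nNo risk owner assigned: {', '.join(unowned)} (assign before reporting)")
```

The owner check runs before anything is reported so that an unowned risk cannot silently reach senior management as if someone were accountable for it; the thresholds are deliberately a separate table so that changing the organisation's appetite does not touch the scoring code.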
The Risk Assessment Phase should be documented for Senior Management in a risk assessment report which:
- indicates the gaps found,
- advises whether risks are at acceptable levels,
- provides the basis for the severity assessment,
- also mentions issues that have already been addressed, to give a comprehensive picture of the risk landscape.
Remember that, in order to provide comprehensive documentation, the following sections should be included:
- objectives of the risk assessment,
- scope,
- external context,
- internal factors,
- risk assessment methodology,
- identification of risks, threats and vulnerabilities,
- results of risk assessment,
- recommendations and conclusions.
And as they say at ISACA:
The reason to conduct risk assessments in a consistent, structured manner is to provide predictable, repeatable results that support future assessments.