Risk assessment for IT systems identifies what information, data or infrastructure you have in your business, the impact of this being inaccessible, and the impact on the business function as a whole. In essence you identify, rank, prioritise, categorise and mitigate information technology risks. The same approach applies to any risk in any business: operational, marketing, sales or finance.

To determine what the risks are to your business:

Once you have a clear understanding of what requires protection, you can develop the process to mitigate the risk potential. Before you spend resources to mitigate this risk, you need to understand and reconcile the ‘why’ on –

This is the core process used to identify your risks and develop a risk assessment.

Risk is the likelihood of a financial loss to an organisation.

Risk implies uncertainty: if something is guaranteed to happen it is not a risk but a certainty, and you would be advised to put controls in place to address it.

Here are some common ways you can suffer financial damage:

# Identify your Assets

Perform an audit of the electronic / computer hardware, software, communications and data contained within the business.

Things to consider: confer with others to understand which information is critical to the business function, and work with management and others to review the list of valuable assets.

For each asset, gather the following information, as applicable:

IT risk management, like most of IT, is a cost to an organisation. You must accept that there will be a limited budget for risk controls; it is a necessary evil for a business to function in this era of cyber security and IT risk management.

Cyber security: this term is bandied about a lot. It means the security of all data, hardware and communications platforms that an organisation uses to operate, together with the processes in place to keep them secure.

You will need to define a standard for determining the importance of each asset class, e.g. monetary value, legal standing and importance to the business. Once the standard has been approved and incorporated into the risk assessment security policy, use it to classify each asset.

# Identify Threats

A threat is anything that could exploit a weakness to breach security and cause harm to your organisation. The most publicised threats are hackers and malware, but there are many others to contend with:

# Identification of System Weaknesses

Identify the weaknesses in the system that could be exploited to breach it and harm the organisation. Vulnerabilities can be identified through many sources: audit reports, NIST* vulnerability databases, vendor data, software patch reports and penetration tests.

* NIST, the National Institute of Standards and Technology (www.nist.gov), is a US standards body whose guidance on the overall management of IT risk, security and good IT practice is adopted worldwide.

Testing of the security of your IT system should be performed annually, because both the business environment and the IT systems are in a constant state of change. Depending on the resources available to management and the IT department, these weaknesses may be best detected by external specialised vendors, who have dedicated teams performing this work for many clients.

These weaknesses are mostly counteracted by proper patch management and by physical security of your IT environment.

# Controls

IT systems operate by means of controls on access to data, hardware, encryption, software and communication systems. These are typically password-enabled and assign an access level to data. They are in place to minimise the probability that people will have access to information beyond their appropriate job function.

Controls are both preventive and reactive. For example, antivirus software is preventive, stopping malicious software from running on your computer, while other security programs such as firewalls may be reactive: stopping an issue from spreading further, locking down systems when a red flag has been raised, locking down network traffic and preventing data being exported from the computer to the internet.

Preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices. Detective controls are used to discover attacks or events through such means as audit trails and intrusion detection systems.

# Likelihood of the Incident

The probability of the impact is a keystone of the risk assessment. The PI (probability/impact) risk matrix chart illustrates this as a high, medium or low factor, typically coloured Red (high), Amber (medium) and Green (low). White is used for risks that have been mitigated and have an inconsequential impact on the business.

# Impact

Impact analysis typically includes the following:

A Business Impact Statement is used to document the impact on the organisation, by quantitative or qualitative means. It records what would be compromised if an incident occurred and the financial impact to the business.

An incident can result in the compromise of sensitive business data or customer information; this is factored into the High, Medium or Low risk categorisation. The following additional items should be included in the impact analysis:

# 7 Prioritising Information Security Risks

For each impact/likelihood pair, determine the IT risk to the organisation.

This is where the Risk Matrix is most useful. This visually indicates the ranking of Information security risks.

# Controls

Once the risk matrix has been determined, an action plan should be developed.

We use this action plan to define a 12-month process to mitigate and control the risks. High risks are tackled within a short period (immediately to 1 month), medium risks within 2 to 3 months, and low risks over the term of the action plan depending on their severity. We recommend that you conduct a quarterly review of each risk and re-score it, working with the management team to prioritise the risks according to business operational requirements.
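The PI matrix, the ranking it produces and the 12-month action plan described above can be driven from a small risk register. The following is an added example written for this page, not code from the original article: it assumes a 1-3 scale for likelihood and impact, colour thresholds on their product (6 or above Red, 3 to 5 Amber, below 3 Green, mitigated White), and remediation windows of 30, 90 and 365 days with a 91-day review cadence. The register entries are constructed sample data, not real findings.

```python
"""Risk register, PI (probability/impact) matrix and action plan.

Added example, not code from the original article. The 1-3 scale, the
colour thresholds and the remediation windows are assumptions chosen to
match the Red/Amber/Green/White scheme and the 1-month / 2-3 month /
12-month plan the article describes.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Risk:
    """One line of the register: asset, threat, the weakness the threat
    would exploit, and the likelihood/impact scores (1 low, 2 medium, 3 high)."""
    asset: str
    threat: str
    weakness: str
    likelihood: int
    impact: int
    mitigated: bool = False      # True once a control makes the impact inconsequential
    owner: str = "unassigned"

    def __post_init__(self):
        # Reject scores outside the assumed 1-3 scale so bad data cannot skew the matrix.
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError("likelihood and impact must be 1, 2 or 3")

    def score(self) -> int:
        """Probability x impact; on a 1-3 scale this ranges from 1 to 9."""
        return self.likelihood * self.impact


def rate(risk: Risk) -> str:
    """Colour a risk the way the PI matrix does. Thresholds are assumed:
    a product of 6 or 9 is Red, 3 or 4 is Amber, 1 or 2 is Green."""
    if risk.mitigated:
        return "white"
    s = risk.score()
    if s >= 6:
        return "red"
    if s >= 3:
        return "amber"
    return "green"


# Windows taken from the article's plan: High within 1 month, Medium within
# 2-3 months, Low over the 12-month term; every risk is re-scored quarterly.
REMEDIATION_DAYS = {"red": 30, "amber": 90, "green": 365}
QUARTER_DAYS = 91


def pi_matrix(register):
    """Place unmitigated risks on the 3x3 grid keyed by (likelihood, impact).
    Empty cells are kept so the whole grid can be rendered."""
    grid = {(p, i): [] for p in (1, 2, 3) for i in (1, 2, 3)}
    for r in register:
        if not r.mitigated:
            grid[(r.likelihood, r.impact)].append(r.asset)
    return grid


def action_plan(register, start: date):
    """Rank risks highest score first and attach a due date and next review
    date to each unmitigated one; White (mitigated) risks are left off."""
    ordered = sorted(register, key=lambda r: (-r.score(), r.asset))
    plan = []
    for r in ordered:
        colour = rate(r)
        if colour == "white":
            continue
        plan.append({
            "asset": r.asset,
            "threat": r.threat,
            "rating": colour,
            "score": r.score(),
            "owner": r.owner,
            "due": start + timedelta(days=REMEDIATION_DAYS[colour]),
            "next_review": start + timedelta(days=QUARTER_DAYS),
        })
    return plan


def rescore(risk: Risk, likelihood: int, impact: int, mitigated: bool = False) -> Risk:
    """Quarterly re-score: return an updated copy so the previous register is kept."""
    return Risk(risk.asset, risk.threat, risk.weakness, likelihood, impact, mitigated, risk.owner)


# Constructed sample register (hypothetical assets and findings).
SAMPLE_REGISTER = [
    Risk("Customer database", "ransomware", "unpatched database server", 3, 3, owner="IT manager"),
    Risk("Office Wi-Fi", "unauthorised network access", "default router credentials", 2, 2),
    Risk("Marketing website", "defacement", "outdated CMS plugin", 2, 1),
    Risk("File server backups", "data loss", "no offsite copy", 1, 3, mitigated=True),
]
PLAN_START = date(2024, 1, 1)


def sample_plan():
    """Action plan for the constructed register, starting on PLAN_START."""
    return action_plan(SAMPLE_REGISTER, PLAN_START)


if __name__ == "__main__":
    for item in sample_plan():
        print(f"{item['rating']:>5} {item['score']} {item['asset']:<20} "
              f"due {item['due']} review {item['next_review']}")
```

Running the module prints the ranked plan; the Customer database line comes out Red with a 31 January due date, the Wi-Fi line Amber due 31 March, and the website Green due 31 December, while the mitigated backup risk is White and omitted. Keeping `rescore` non-mutating means each quarterly review produces a new register that can be compared with the last one.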

As you consider controls to mitigate each risk, be sure to consider:

# 9 Documentation

The next step of the risk assessment process is to develop a report for management. This will document risk owners, budgetary impact, resource requirements, timeline and any associated risks.

This report will identify remediation steps that will mitigate or reduce the risk. Each step has an associated cost and, as noted earlier, depending on the budget, can deliver real benefit in reducing risk. Again, there must be a business reason for mitigating a risk or prioritising it.

Some risks may be tolerated and not warrant any resources, or may be part of a risk family, where a higher-ranking risk, once mitigated, has a trickle-down reduction effect on the other risks. For example, an offsite backup replication of data can reduce many IT security, business continuity and restoration risks.


The risk assessment process for IT is at the heart of IT management and risk management. It is the process that establishes the groundwork for the organisation's information security management, providing a framework to determine what is a threat or weakness, the means to respond, and the financial impact to the business. Ultimately it documents how a risk is identified, ranked, controlled and mitigated.