Risk assessment and risk management – Do they mean the same THING?

Posted by Sonali

Apr 7, 2016

Risk assessment is not the same thing as risk management. We have seen clients use the two terms as synonyms in daily office interactions. So, what is the key difference? A risk assessment consists of three parts:

  • Risk identification;
  • Risk analysis;
  • Risk evaluation.

Some of you may now be wondering where risk treatment fits in. The answer is that it comes after risk evaluation. To keep things simple, let us look at each of these terms in a bit more detail.

Risk Identification – This is all about identifying what could go wrong and the potential risks that exist within a business environment. The best way to do this is via a Business Impact Analysis (BIA). (For more information on BIA, see our separate blog post on that topic.)

Our next question is, can these be IT risks? The answer is yes; IT supports the business processes where risks reside, so it is important that this stage captures risks related to IT infrastructure, such as servers, network devices, cabling, file servers, etc., and to employee digital assets including laptops, mobiles, tablets, etc.

So, in a scenario with many IT risks, say 1,000 of them, should they all be included? Yes and no; it depends on the assets and key data you are considering for the risk assessment, in other words the scope of the risk assessment exercise.

Always remember, risk management can never be completed 100% in one attempt. It is a continuous process in which you keep monitoring existing risks and adding new risks as they evolve or are identified. In my experience, a typical number of business and IT risks would be around 250, which is a good starting point from which to proceed to the next stage, risk analysis.

Risk Analysis – Once the risks have been identified, they need to be assessed according to a defined risk assessment methodology. It is important that senior management commit to the risk assessment methodology and that it is applied uniformly across risk assessment projects within the organisation. So, how exactly is a risk assessed? It is up to the individual to decide which scoring model, qualitative and/or quantitative, to use for scoring the two parts of a risk:

  • The likelihood (the probability) that the risk could materialise, and
  • The consequence (potential impact).

Keeping things simple definitely helps. A number range such as 1, 2 and 3 for low, medium and high is sufficient to assign scores to likelihood and consequence. The risk score can then be the sum of the likelihood score and the consequence score. The risk assessment methodology document can specify which risk scores fall within the risk appetite the organisation can tolerate (a total of 2 or 3) and which fall outside it, e.g. risk scores of 4, 5 and 6. The risk appetite level should be defined in the risk methodology document. You may be wondering whether a risk appetite should be defined at the level of an individual risk, a process, a business unit or the whole organisation; this will be covered in a later blog post. For now, we will proceed to the risk evaluation stage.

Risk Evaluation – This stage involves categorising your risks into high risks (risk scores of 5 or 6), medium risks (risk scores of 3 or 4) and low risks, i.e. risks that can be tolerated (risk scores of 2 or 3).
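The additive scoring and appetite-based evaluation described above, as an added worked example that is not part of the original post. It assumes a single configurable appetite threshold (scores of 2 and 3 tolerable, as in the post) and resolves the post's overlap at score 3 in favour of that threshold; the register entries are constructed sample data.

```python
from dataclasses import dataclass

# Qualitative scale from the post: 1 = low, 2 = medium, 3 = high.
SCALE = {1: "low", 2: "medium", 3: "high"}

# Risk appetite boundary from the post: totals of 2 and 3 are within appetite,
# totals of 4, 5 and 6 are outside it. Assumption: expressed as one threshold
# so the methodology document can move it without touching the code.
DEFAULT_APPETITE = 3


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int
    consequence: int

    def __post_init__(self):
        # Reject scores outside the 1..3 scale instead of silently summing them.
        for name in ("likelihood", "consequence"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.ref}: {name} must be in {sorted(SCALE)}, got {value!r}")

    @property
    def score(self) -> int:
        # Additive model from the post: risk score = likelihood + consequence.
        return self.likelihood + self.consequence


def evaluate(risk: Risk, appetite: int = DEFAULT_APPETITE) -> str:
    """Categorise a scored risk: at or below appetite is tolerable ("low");
    above it, 5 and 6 are "high" and anything else is "medium"."""
    if risk.score <= appetite:
        return "low"
    return "high" if risk.score >= 5 else "medium"


def risks_outside_appetite(register, appetite: int = DEFAULT_APPETITE):
    """Risks that must go forward to the risk treatment stage, worst first."""
    flagged = [r for r in register if r.score > appetite]
    return sorted(flagged, key=lambda r: (-r.score, r.ref))


# Constructed sample register (not real client data).
REGISTER = [
    Risk("R1", "Unpatched internet-facing file server", 3, 3),
    Risk("R2", "Lost unencrypted laptop", 2, 3),
    Risk("R3", "Short power outage in branch office", 2, 1),
    Risk("R4", "Printer paper jam delays invoicing", 1, 1),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.ref} score={r.score} ({evaluate(r)}): {r.description}")
    print("for treatment:", [r.ref for r in risks_outside_appetite(REGISTER)])
```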

Further, this stage acts as a foundation for the next stage, i.e. the risk treatment stage. Risk evaluation will also include an assessment of each risk in order to decide whether to:

  • Treat the risk by implementing controls, which could be technical, administrative, physical or environmental.
  • Transfer the risk, e.g. by buying insurance cover.
  • Accept the risk, as it may be difficult to mitigate or the cost of controls may be prohibitive.
  • Avoid the risk by ceasing the business activity that gives rise to it.

Next comes the risk treatment stage, which identifies the appropriate actions for each of the four risk treatment options. (A later blog post will cover the risk treatment stage.)

Unlike risk assessment, risk management is an umbrella term that includes risk assessment as one of its key stages. Risk assessment consists of three steps – risk identification, risk analysis and risk evaluation. All three stages go hand in hand and follow one after the other. This article has explained each stage and the key differences between them. Risk treatment follows the risk assessment stage; in other words, it begins once the risk evaluation stage is complete.

Author: The author is a senior consultant within CMA's dedicated information risk management team. He is CMA's CISSP/CISA/ISO 27001/SOX/ERP cyber security trainer. He holds an MBA (Finance), a degree in Computer Engineering, and CISSP, CISA, ITIL (Expert), COBIT (Foundation) and SAP security qualifications.

Current demand for these roles and what comes next

Currently, as the risk management domain matures, there is a growing demand for Information Risk Management professionals. The average salary for this role with 4 to 5 years' experience is £55-60,000 per annum. There is strong demand within accounting firms such as BDO, in banks including Morgan Stanley, Goldman Sachs and Barclays, in retailers like Tesco, and in other industries. There is also growth for professionals in the areas of SOX, SEC and ISO 27001 standards implementation and review.

If you are interested in learning more about this and in developing consulting skills in the area of risk management, we recommend you consider the CISSP certification, in particular Domain 1, Security & Risk Management.
