How do I assess risks?

At RTG Commercial Services, a key way we help our clients is to identify and assess their risks. For most organisations, risk management is a key control to prevent security incidents, but doing it properly is a real challenge.


Firstly, let's address a common question. What is the difference between a risk and an issue?

Put simply, this is a risk. The dog is barking and may attack. But it has not yet attacked you and may never do so. There are actions you can take to prevent the dog from following through on the threat, such as offering the dog a toy to distract it (treat the risk), walking past without looking at the dog (tolerate the risk) or asking someone else to go near the dog (transfer the risk).


An issue, however, is this image. The dog has followed through and is now actively biting. And your response needs to be different.


For individuals who don't do this for a living, mixing risks and issues is a very common problem. Our job is to help clients identify all of their risks and issues, and then sort and prioritise them.



So how do you assess risks? Our first suggestion would be to have some structure and a consistent method and approach. That way you will have a repeatable process that can be maintained and matured over time. RTG uses a simple, five-step model, which provides an easy method for identifying and managing risks.


Step one - Identify your information assets and data flows

You will often have heard us say that the place to start in information security is to do a risk assessment. This is because, unless you know what risks you are facing, how do you know what controls need to be applied? However, in reality, you need to take a step back. What is it that you are trying to protect? If you can identify your information assets and data flows, you can start to understand the threats posed to keeping them secure.

The key output of this step is a list of your information assets (often known as an information asset register), ideally ranked by importance to your organisation.


Step two - Identify your security risks

Once you understand what you are trying to protect, you should think about what you are trying to protect it from. There are lots of tools you can use to identify risks, such as a standard PESTLE (Political, Economic, Social, Technology, Legal, Environmental) or SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis. If you are assessing a new system, a risk discovery approach based on your data flows and information assets works well.


Whatever the approach, don't skimp or take shortcuts - risks emerge all of the time and need to be reviewed regularly. And at this stage, don't try to analyse them - the key output of this step is clarity on the full range of risks your assets face.


Step three - Assess your risks

Once you have identified your risks, it is time to analyse and assess them. Again, RTG can help with a structured methodology and approach that is repeatable and easy to maintain. The simplest approach can be an intuitive two-dimensional likelihood and impact assessment. A more complex approach can apply quantitative analysis to assess the importance, the resources required to exploit a vulnerability and the maturity of existing defences.

Whichever approach or method you take, the key is to focus on how to establish which are the most critical risks that you need to target. There will always be a long list of potential risks, and a limit on the resources that you can apply to resolving them. So your most important output of this step is a clear understanding of your most significant risks.


Step four - Manage your risks

Once you have identified and analysed your risks, you must manage them. For each risk, what are the actions you can take to stop it from happening? At RTG we talk a lot about the four T's as a simple method of managing your risks:

  • Treat the risk - take action to reduce the likelihood of the risk occurring or the impact it could have

  • Tolerate the risk - accept that this risk exists. You may decide it is unimportant or that the resources required to address the risk do not meet the benefit

  • Transfer the risk - can you transfer the risk elsewhere, for example by purchasing insurance?

  • Terminate the risk - this is often ignored, but can you terminate the risk by removing or modifying the underlying process so that the risk disappears altogether?

The output of this step is a clear action plan for each prioritised risk - and remember this needs to be SMART (Specific, Measurable, Achievable, Realistic and Time-bound).


Step five - Maintain your risks

Once you've identified and analysed your risks and the actions you are going to take to manage them, the job is not done. One of the most interesting things about risk management is that risks are always changing. That means they need to be reviewed and updated on a regular basis. Whether you are a small one-stop shop or a large multi-national, reviewing and managing your risks regularly is a key output of this step.
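
The five steps above, put together as a minimal risk register. This is an added illustration, not RTG's own tooling or methodology: the 1-5 likelihood and impact scales, the score threshold of 12, the 90-day review interval and the sample entries are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

class Treatment(Enum):          # step four: the four T's
    TREAT = "treat"
    TOLERATE = "tolerate"
    TRANSFER = "transfer"
    TERMINATE = "terminate"

@dataclass
class Risk:
    asset: str                  # step one: entry in the information asset register
    description: str            # step two: the identified risk
    likelihood: int             # step three: assumed scale, 1 (rare) to 5 (almost certain)
    impact: int                 # step three: assumed scale, 1 (minor) to 5 (severe)
    treatment: Optional[Treatment] = None
    last_reviewed: Optional[date] = None

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def score(self) -> int:     # two-dimensional likelihood x impact assessment
        return self.likelihood * self.impact

def prioritise(risks, asset_rank):
    """Highest score first; ties go to the more important asset (rank 1 = most important)."""
    return sorted(risks, key=lambda r: (-r.score, asset_rank[r.asset]))

def needs_action(risks, today, threshold=12, review_days=90):
    """Significant risks with no treatment decision, plus any risk overdue for review (step five)."""
    out = []
    for r in risks:
        undecided = r.score >= threshold and r.treatment is None
        stale = r.last_reviewed is None or today - r.last_reviewed > timedelta(days=review_days)
        if undecided or stale:
            out.append((r.description, "no treatment" if undecided else "review overdue"))
    return out

# Constructed sample data (not from the article)
ASSET_RANK = {"customer database": 1, "payroll system": 2, "public website": 3}
REGISTER = [
    Risk("public website", "defacement", 3, 2, Treatment.TOLERATE, date(2024, 5, 1)),
    Risk("customer database", "ransomware", 3, 5, None, date(2024, 5, 1)),
    Risk("payroll system", "supplier outage", 3, 5, Treatment.TRANSFER, date(2024, 1, 10)),
    Risk("customer database", "lost laptop", 2, 4, Treatment.TREAT, date(2024, 5, 20)),
]
```

Calling `prioritise(REGISTER, ASSET_RANK)` gives the ordered list that step three asks for, and `needs_action(REGISTER, date.today())` lists the entries that still lack a step-four decision or a recent step-five review.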


RTG has recently announced a partnership with ISMS Online, which provides a cost-effective tool for managing risks and controls. We provide a range of services, from an initial free consultation to a gap analysis or creation of a full information security management system, to help you set up an effective and efficient risk management approach. If you have questions or thoughts about this article, comment here or contact us and we would be happy to have an informal, no-obligation chat.