Understanding Risk Assessment Types and Strategies

Dec 31, 2024

Risk Assessment Overview

Types of Risk Assessment

  • Qualitative Risk Assessment

    • Evaluates individual risk factors and criteria.
    • Uses a Traffic Light Grid for broad categorization (Low, Medium, High risk).
    • Example:
      • Legacy Windows Clients: Medium impact, High annualized rate of occurrence (ARO), Medium cost of controls, Overall risk set to High.
      • Untrained Staff: Low impact, Medium ARO, Low cost, Medium overall risk.
      • Devices without Antivirus: Medium impact, High ARO, Medium cost, Very High overall risk.
  • Quantitative Risk Assessment

    • Calculates specific values such as Annualized Rate of Occurrence (ARO).
    • Terms:
      • Asset Value (AV): Value to the organization, not just replacement cost.
      • Exposure Factor (EF): Percentage of the asset's value lost in a single event.
      • Single Loss Expectancy (SLE): Monetary loss for a single event, calculated as AV × EF.
      • Annualized Loss Expectancy (ALE): Expected total loss in a year, calculated as ARO × SLE.

Risk Impacts and Measurements

  • Impact Considerations

    • Priority to life and safety.
    • Also consider property, safety impact, and financial impact.
  • Likelihood vs Probability

    • Likelihood: Qualitative (e.g., rare, possible, almost certain).
    • Probability: Quantitative, statistical measure.

Risk Appetite and Tolerance

  • Risk Appetite

    • Amount of risk an organization is willing to take.
    • Qualitative posture: conservative, neutral, expansionary.
  • Risk Tolerance

    • The acceptable variance from the risk appetite, which is larger than the appetite itself.
    • Practical Example: Speed limits vs actual enforcement.

Risk Register

  • Documentation of Project Risks
    • Lists risks associated with a project.
    • Contains Key Risk Indicators (KRIs).
    • Assigns an owner and determines risk threshold.
    • Balances cost of mitigating risk with potential cost to company.
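
The quantitative terms and the risk register combined, as an added example that is not part of the original notes: each register entry carries an owner and a threshold, SLE and ALE are derived from AV, EF and ARO, and the annual control cost is weighed against the ALE. All dollar figures, EF and ARO values, owner names and the accept/mitigate/review labels are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    owner: str
    asset_value: float      # AV: value to the organization
    exposure_factor: float  # EF: fraction of AV lost per event (0..1)
    aro: float              # ARO: expected events per year
    control_cost: float     # annual cost of the mitigating control
    threshold: float        # ALE the owner accepts without action

    def __post_init__(self):
        # Reject inputs that would make SLE/ALE meaningless.
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if min(self.asset_value, self.aro, self.control_cost) < 0:
            raise ValueError(f"{self.name}: negative input")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor  # SLE = AV x EF

    @property
    def ale(self) -> float:
        return self.aro * self.sle                      # ALE = ARO x SLE

def triage(register):
    """Rank risks by ALE and weigh control cost against expected loss."""
    rows = []
    for r in sorted(register, key=lambda r: r.ale, reverse=True):
        if r.ale <= r.threshold:
            decision = "accept"    # within the owner's threshold
        elif r.control_cost < r.ale:
            decision = "mitigate"  # control is cheaper than the expected loss
        else:
            decision = "review"    # control costs more than it would save
        rows.append((r.name, r.owner, r.sle, r.ale, decision))
    return rows

# Constructed sample register (values are illustrative only).
SAMPLE_REGISTER = [
    Risk("Untrained staff", "HR lead", 40_000, 0.125, 1, 2_000, 10_000),
    Risk("Legacy Windows clients", "IT ops", 200_000, 0.25, 2, 40_000, 20_000),
    Risk("Devices without antivirus", "IT ops", 80_000, 0.5, 0.5, 30_000, 5_000),
]

if __name__ == "__main__":
    for name, owner, sle, ale, decision in triage(SAMPLE_REGISTER):
        print(f"{name:28} {owner:8} SLE={sle:>9,.0f} ALE={ale:>9,.0f} {decision}")
```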

These concepts help organizations manage and prioritize risks, balancing safety, cost, and operational needs effectively.