Risk assessment is a critical component of enterprise risk management – perhaps even the most important component. If you assess your risks incorrectly, all the steps you subsequently take to control those risks can fall short.
Most risk management teams use two types of risk assessment methodologies: qualitative risk assessment and quantitative risk assessment. Within these two broad categories are various specific risk assessment techniques you can implement in your organization. This article explores these methods to guide your risk management efforts.
What Is Risk Assessment and Why Is It Required?
Understanding Risk Assessment
Risk assessment is an ongoing process of identifying, analyzing, and prioritizing risks that could harm your organization.
Your company might face any number of risks as it operates in its industry and market, and these risks are not all equal. Some can have a dire effect on your business continuity, cybersecurity posture, or financial stability; others might occur more frequently and cause ongoing headaches for your risk management team, but they won’t necessarily derail your organization.
To manage risk effectively, organizations must identify all their risks and then analyze the potential impact and probability of each one. This helps you to implement strategies that keep risk at acceptable levels. Many of these steps fall under the purview of risk assessment.
Benefits of Risk Assessment
With effective use of risk assessment methodologies, your organization can:
- Understand key risk factors, risk types, and risk sources;
- Decide how much risk your organization can tolerate;
- Assess the potential impact of identified risks and mitigate this impact to minimize potential harm.
With robust risk assessment methodologies, you can discern your organization’s risk exposure and compare that to the company’s risk appetite and tolerance. You can also assess your current risk management process and control measures. This improved visibility helps you to make better investments in risk mitigation tools and technologies.
Business risk assessments also help to increase risk awareness throughout the organization, and to build consensus to identify the most significant risks and take required steps for risk mitigation.
When to Conduct Risk Assessments
Risk assessments should be done at regular intervals, such as once a year. (Once you understand your most pressing risks, you might also want to assess those even more often, such as every few months.)
You should also conduct new risk assessments after any major “triggering event.” Those events could be an acquisition your business just made, a new regulation that went into effect, an expansion into a new market, and so forth.
Common Challenges to Effective Risk Assessment
Effective risk assessment is crucial to risk management and mitigation. That said, many organizations struggle to assess risks, for various reasons:
- Missing common definitions of important risk terms;
- Little or no support from the board of directors, executive management, or process owners;
- Lack of established best practices and ground rules;
- Inadequate understanding of the organization’s culture and business context.
To address these challenges, you first must develop a common risk language, complete with a risk taxonomy, framework, knowledge base, dictionary, and templates. It’s also essential to choose the right risk assessment methodology to assure that all critical risks are identified, analyzed, addressed, and managed.
Quantitative vs. Qualitative Risk Assessments
Quantitative Risk Assessment
A quantitative risk assessment is objective in nature. It is driven by measurable data and metrics, where risk assessment teams quantify asset value, threat frequency, and threat probability.
For example, to assess the cost of a potential data breach (cybersecurity risk), the team might:
- Assign a dollar value to understand the breach impact on the company’s bottom line;
- Predict how many records or sensitive files may be exposed;
- Draw up a numbered list of assets that could be affected.
A quantitative risk assessment starts by compiling one list of possible risks, and another list of assets that might suffer if those risks materialize. The assets could include sensitive data, intellectual property, mission-critical applications, or the IT infrastructure itself. For each asset, assessors usually assign a financial value to quantify the harm of a risk on that asset.
A quantitative analysis is valuable since it reveals the risk in black-and-white numbers; that clarifies decision-making. Quantitative approaches, however, cannot answer all risk-related questions, such as the possible harm to organizational culture or corporate reputation. For such analyses, a qualitative risk assessment is required.
Qualitative Risk Assessment
A qualitative risk assessment is subjective. It helps answer questions such as, “What might happen if an identified risk were to materialize?” After all, a risk is about more than its financial or other quantifiable ramifications. A qualitative assessment can help reveal possible future situations and show how risk and uncertainty can affect the organization.
Assessors use qualitative assessments to group risks by category rather than by specific dollar value. While the goal of a quantitative risk analysis is to define a risk by cost, delays, and other quantifiable parameters, the objective of a qualitative assessment is to:
- Identify risks;
- Measure the likelihood and impact of a risk event;
- Determine risk severity based on this likelihood and impact;
- Implement controls to mitigate identified risks and prevent undesirable situations, such as chaos or productivity loss.
Qualitative risk analysis results are often recorded in a graphical report such as a risk matrix to communicate risk information to relevant stakeholders.
Five Proven Risk Assessment Methodologies
Here are five popular risk assessment techniques that organizations and their risk management teams use.
Asset Audits
Your company has many assets that influence its operations, business continuity, and competitiveness. These assets are business-critical, so it’s essential to assess the risks attached to them. This assessment is the key to protecting them.
Here’s where an asset audit comes in. An asset-based risk assessment is often associated with information technology, information systems security, and data privacy. It has two goals:
- Identify the organization’s assets;
- Determine if each asset is being protected adequately and consistently.
The steps involved in a typical asset audit are:
- Identify all the assets:
  - Data
  - Customer information
  - Hardware
  - Mission-critical systems
  - Software and applications
  - Source code
  - People
  - Equipment
  - Intellectual property
  - Physical property
- Review each asset to determine potential threats and vulnerabilities.
- Determine the likelihood of each threat and the impact on each asset.
- Assess the effectiveness of existing security controls.
- Design and implement additional safeguards to protect assets.
An asset audit is an easy and direct way to look at the organization’s assets, assess their risk exposure, and implement controls to protect them from harm.
Fault Trees
A fault tree analysis (FTA) is a risk assessment tool that represents undesirable events, faults, or failures in a tree-like structure. It is a great risk assessment methodology for complex systems since it offers a logical depiction of risks and their causes.
The fault tree consists of two critical elements: events (the undesired top event, the intermediate events beneath it, and the basic events at the leaves) and logic gates, most commonly AND and OR, which state whether all or only one of the lower-level events must occur for the event above them to occur.
The steps in a fault tree analysis are:
- Define the undesirable events or risks;
- Construct the fault tree by connecting lower-level events with logic gates and moving up towards higher-level events;
- Evaluate the fault tree;
- Identify appropriate corrective measures;
- Implement these measures to protect against the identified risks.
The logic gates connect events so you can trace an undesired event back to its cause (or fault). This top-down approach aims to pinpoint the root causes: the lower-level basic events on the tree that combine to produce the high-level problem. Identifying root causes is what lets you take suitable action to avoid the fault or mitigate its harm.
Attack Trees
An attack tree is a type of fault tree. It provides a systematic way to understand the organization’s security based on an analysis of how, when, and why an attack may happen and with what probability.
For example, if an attack tree is built to assess cybersecurity risk, the top of the tree (or its “root node”) represents the cyberattacker’s ultimate goal. The other nodes and branches in the tree show the various ways the attacker might accomplish that goal.
So if the attacker’s goal is to steal your organization’s sensitive data, that would be the top node. The branches and leaf nodes could be:
- Brute force attacks;
- Phishing;
- Spidering;
- Keystroke loggers;
- Social engineering;
- Shoulder surfing.
Here’s how to build an attack tree:
- Identify the various threat actors that pose a risk to the organization.
- If there’s more than one threat actor, create one attack tree for each actor.
- Explore the possible goal of each threat actor and assign that objective to the root node.
- Identify the possible ways the attacker could attain the goal and assign them to the second-level goals under the root node.
- For each second-level goal, consider whether there are any sub-goals and assign them to the third-level, fourth-level, and so on.
- Continue the process until each leaf node specifies a single attack method.
- Evaluate each attack path to determine the likelihood of its use and to assess the business impact if the attacker attains the ultimate goal.
- Identify and implement countermeasures to stop the attack.
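As an added example (not code from the article or from Reciprocity), here is a small Python evaluator for the fault tree and attack tree structures described in the two sections above. Nodes are either basic events with an estimated probability or AND/OR gates; the evaluator computes the probability of the top event and lists the minimal cut sets (for an attack tree, the attack paths) ranked by likelihood, which is the order in which a defender would weigh countermeasures. The tree, its labels and its probabilities are constructed for illustration and assume the basic events are independent.

```python
from dataclasses import dataclass, field
from itertools import product
from math import prod
from typing import Dict, List, Optional

@dataclass
class Node:
    name: str
    gate: Optional[str] = None   # "AND"/"OR" for an intermediate event, None for a basic event
    prob: float = 0.0            # estimated probability of a basic event (unused for gates)
    children: List["Node"] = field(default_factory=list)

def probability(node: Node) -> float:
    """Probability of the event at this node, treating basic events as independent."""
    if node.gate is None:
        return node.prob
    ps = [probability(c) for c in node.children]
    if node.gate == "AND":       # all child events must occur
        return prod(ps)
    if node.gate == "OR":        # at least one child event occurs
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {node.gate!r}")

def attack_paths(node: Node) -> Dict[frozenset, float]:
    """Minimal cut sets (attack paths) with their probability, most likely first."""
    if node.gate is None:
        return {frozenset([node.name]): node.prob}
    child = [attack_paths(c) for c in node.children]
    if node.gate == "OR":        # any child's path is a path to this event
        paths = {s: p for d in child for s, p in d.items()}
    else:                        # AND: one path from every child, joined; probabilities multiply
        paths = {frozenset().union(*combo): prod(d[s] for d, s in zip(child, combo))
                 for combo in product(*child)}
    minimal = {s: p for s, p in paths.items() if not any(o < s for o in paths)}
    return dict(sorted(minimal.items(), key=lambda kv: kv[1], reverse=True))

# Constructed tree using the article's leaf labels; the probabilities are made-up estimates.
TREE = Node("Sensitive data stolen", "OR", children=[
    Node("Account credentials obtained", "OR", children=[
        Node("Phishing", prob=0.20),
        Node("Brute force attack", prob=0.05),
        Node("Shoulder surfing", prob=0.01),
    ]),
    Node("Keystrokes captured", "AND", children=[   # both must occur for this branch
        Node("Social engineering", prob=0.10),
        Node("Keystroke logger", prob=0.30),
    ]),
])
```

Lowering a leaf's probability (for example, after adding a control against the top-ranked path) and re-running `probability(TREE)` shows how much that control reduces the likelihood of the top event.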
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
OCTAVE defines a risk-based strategic assessment and planning methodology for security. It is a flexible, customizable, and self-directed risk assessment methodology, which means the organization assumes responsibility for setting its security strategy. Using OCTAVE, your company can:
- Direct and manage information security risk assessments;
- Identify the unique risks applicable to your organization;
- Protect key assets;
- Effectively communicate important security information to all relevant stakeholders;
- Improve risk decision-making.
The OCTAVE team generally consists of members from the company’s operational or business units and the IT department. These members collaborate and work together to address the organization’s security needs. To do this, they:
- Gather knowledge from the organization’s stakeholders;
- Define the current state of security;
- Identify risks to business-critical assets;
- Define and implement a security strategy.
The OCTAVE approach to risk assessment is driven by operational risk and security practices rather than by technology. The methodology is based on eight processes across three phases:
- Phase 1: Develop the initial security strategy.
- Phase 2: Identify infrastructure vulnerabilities.
- Phase 3: Analyze risks; develop the final security strategy and risk management plan.
NIST Risk Assessment Framework
The NIST (National Institute of Standards and Technology) risk assessment framework is a valuable way to understand your business’s risks, threats, and vulnerabilities. The framework provides tools to assess the impact and likelihood of occurrence of each risk and to determine ways to mitigate it.
This assessment methodology consists of a set of procedures explained in Special Publication (SP) 800-30. In that document, NIST breaks down the risk assessment process into four steps or components:
- Prepare for risk assessment;
- Conduct risk assessment;
- Communicate assessment findings to key stakeholders;
- Maintain risk assessments over time.
In the preparation stage, you should identify the assessment purpose and scope. You also define constraints, assumptions, sources of information, and your preferred analytic approach.
In Step 2, you conduct the risk evaluation by:
- Identifying threats and threat sources;
- Predicting what events could occur if one or more vulnerabilities are exploited;
- Determining all potential negative impacts of these events;
- Determining the relative likelihood of each possible scenario.
At the end of the assessment, you will have a set of findings and data that you can share with all stakeholders who might be affected by the identified risks and scenarios.
In the final step of the NIST risk assessment methodology, you will conduct ongoing risk assessments by monitoring previously identified risk factors and scanning for new ones. You will also update risk management procedures to reflect any changes to the risk landscape and the organization’s risk exposure.
What Is the Best Risk Assessment Methodology for My Organization?
Many risk assessment methodologies have emerged over the years. It’s essential to choose suitable methods for your organization and define rules and best practices. These definitions will help standardize assessments throughout the organization. Without them, different parts of the organization may use different approaches, which may cause confusion.
A standardized risk assessment methodology will also provide reasonable assurance to the board, customers, senior management, security management, and other stakeholders that all relevant risks are being taken into account for risk management. It will also help streamline risk communications and risk response.
The methodology you choose will depend on several factors, including your organization’s size, industry, business type, and risk landscape. Also consider the larger context, particularly:
- Legal, regulatory, and contractual obligations;
- Strategic objectives;
- Stakeholder needs and expectations.
Each of these imposes demands of its own and should inform your choice.
When choosing a methodology, ask yourself some key questions:
- What are you hoping to learn with the assessment?
- Do you need concrete data? Then do a quantitative assessment.
- Are you looking for information about risk probability and impact? Then a qualitative assessment could be more helpful.
- Do you need an overview of the risks affecting the entire organization or just one department or business unit?
Asking these questions can narrow down your options and determine which methodology (or combination of methodologies) will best suit your needs. Further, some assessment methodologies are time-consuming and require a fair investment of funds and resources.
Others may require technological investments (such as software or automation) or the support of external consultants. When deciding which risk assessment methodology to employ in your firm, make sure to think about all these aspects – and when necessary, conduct a cost-benefit analysis.
Assess and Manage Risks With ZenRisk
Ongoing risk assessments and effective risk management are critical to protecting your organization. Reciprocity ZenRisk can help you to assess and manage risks throughout the organization, ensuring its continuity and longevity.
With this single, centralized tool for integrated risk management, you can examine vulnerabilities and threats in real time. You can also see where risks are changing and use this information to implement robust controls.
If you’re looking for a world-class, visually-rich solution to mitigate business exposure and maintain a strong security profile, try ZenRisk. Schedule a demo today.