The Plain English Version

Risk assessment is the process of identifying what could go wrong with your information security, how likely it is, and how bad it would be. It helps you focus your security efforts and budget on what matters most.

You cannot protect everything equally - there is not enough time or money. Risk assessment helps you make smart decisions about where to invest.

The Basic Formula

Risk = Likelihood x Impact

A very likely event with low impact might be lower priority than an unlikely event with catastrophic impact. Risk assessment helps you weigh these trade-offs.

The Risk Assessment Process

  • Identify assets - What do you need to protect? Data, systems, people
  • Identify threats - What could harm those assets? Attackers, accidents, failures
  • Identify vulnerabilities - What weaknesses could be exploited?
  • Assess likelihood - How probable is each scenario?
  • Assess impact - What would be the consequences?
  • Prioritise risks - Focus on high likelihood and high impact first
  • Decide response - Treat (reduce it with controls), transfer (insure it or pass it to a supplier), tolerate (accept it within your risk appetite), or terminate (stop the activity) for each risk
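The formula and the seven steps above, worked through in code. This is an added example, not part of the original page: a small qualitative risk register that scores Risk = Likelihood x Impact on a 1-5 scale, bands and prioritises the results, and maps each risk to one of the four responses. The scales, band thresholds, decision rules and sample risks are all constructed assumptions for illustration; a real register uses the organisation's own.

```python
"""Added example, not part of the original page: a small qualitative risk register
that applies Risk = Likelihood x Impact on a 1-5 scale, bands and prioritises the
results, and maps each risk to a treat / transfer / tolerate / terminate decision.
The scales, band thresholds, decision rules and sample risks are all constructed
assumptions for illustration."""
from dataclasses import dataclass

BANDS = ["Low", "Medium", "High", "Critical"]   # ordered, lowest first


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                   # 1 rare .. 5 almost certain (assumed scale)
    impact: int                       # 1 negligible .. 5 catastrophic (assumed scale)
    can_stop_activity: bool = False   # could the business simply stop doing this?
    transferable: bool = False        # can insurance or a supplier carry the loss?

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Risk = Likelihood x Impact, giving 1..25."""
        return self.likelihood * self.impact


def band(risk: Risk) -> str:
    """Band the score (assumed thresholds), with one caveat a bare product misses:
    a catastrophic impact is never rated below High however unlikely it is,
    because 1 x 5 and 5 x 1 are not the same kind of risk."""
    if risk.score >= 15:
        b = "Critical"
    elif risk.score >= 8:
        b = "High"
    elif risk.score >= 4:
        b = "Medium"
    else:
        b = "Low"
    if risk.impact == 5 and BANDS.index(b) < BANDS.index("High"):
        b = "High"
    return b


def prioritise(register: list) -> list:
    """Highest score first; ties broken by impact, so the unlikely-but-catastrophic
    risk outranks the likely-but-trivial one with the same score."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def decide(risk: Risk, appetite: str = "Medium") -> str:
    """Example decision policy (an assumption, not a standard): tolerate anything
    within appetite, terminate a critical activity the business can drop,
    transfer a high or critical risk someone else can carry, otherwise treat."""
    b = band(risk)
    if BANDS.index(b) <= BANDS.index(appetite):
        return "tolerate"
    if b == "Critical" and risk.can_stop_activity:
        return "terminate"
    if risk.transferable and BANDS.index(b) >= BANDS.index("High"):
        return "transfer"
    return "treat"


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("Customer database", "Ransomware", "Internet-exposed RDP, patching lags", 4, 5),
    Risk("Legacy FTP server (discontinued product)", "Credential theft",
         "Cleartext authentication", 4, 4, can_stop_activity=True),
    Risk("Staff laptops", "Theft", "No full-disk encryption", 3, 3),
    Risk("Public website", "DDoS", "Single origin, no CDN", 4, 2, transferable=True),
    Risk("Primary server room", "Flood", "Single site, no failover", 1, 5, transferable=True),
    Risk("Marketing mailing list", "Typo in a mass mailing", "No proofreading step", 5, 1),
]


def assess(register: list, appetite: str = "Medium") -> list:
    """Return (asset, score, band, decision) tuples in priority order."""
    return [(r.asset, r.score, band(r), decide(r, appetite)) for r in prioritise(register)]


if __name__ == "__main__":
    for asset, score, b, decision in assess(REGISTER):
        print(f"{score:>2}  {b:<8} {decision:<9} {asset}")
```

Two things the output shows that the formula alone does not: the flood (1 x 5) and the mailing typo (5 x 1) have the same score of 5, but the impact floor and the tie-break put the flood above the typo, and the decision column is driven by business facts (can the activity be stopped, can the loss be insured) that IT alone cannot supply.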

Why It Matters

Risk assessment is required by virtually every security framework - ISO 27001 (clause 6.1.2), NIST (SP 800-30 is its guide to conducting one), GDPR (Article 32 asks for security measures appropriate to the risk, and Article 35 requires a Data Protection Impact Assessment for high-risk processing) - and it underpins Cyber Essentials Plus readiness. It is the foundation of good security management.

Without it, you are guessing. With it, you can justify security investments and demonstrate due diligence to customers, regulators, and insurers.

Common Mistakes

  • Treating it as a one-time exercise - risks change constantly, so review it regularly and whenever systems, suppliers or the business change
  • Focusing only on technical risks - people and processes matter too
  • Not involving the business - IT cannot assess business impact alone
  • Creating a document that sits on a shelf rather than driving decisions