Skip to main content
Getting started with Risk Assessment
Jane Baik avatar
Written by Jane Baik
Updated over a week ago

Learn more about Risk Assessment at Risk Assessment overview.

Step 1: Identify

The first step of risk assessment is to identify risks.

Drata’s risk assessment supports an event-based risk assessment process. In an event-based approach, risks are identified and assessed through an evaluation of threats and vulnerabilities and then organized into risk scenarios. These risk scenarios outline a potential event or situation that could adversely affect an organization's objectives. Risk scenarios typically include information about the context, the factors contributing to the risk, the potential consequences, and the conditions under which the risk might occur.

Example risk scenario:

An attacker installs malware that is specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to the attacker, and conceal these actions.

Risk scenarios can be determined by interviewing top management or personnel involved in business processes and asking: what could go wrong? Additionally, risk scenarios can be identified through analysis of legal and contractual requirements, the internal and external context of the organization and emerging technologies.

The resulting output of this initial identification phase is a register of risk scenarios, which we call Risk Register.

To assist you in identifying risk scenarios, Drata’s risk assessment module includes a comprehensive library of over 200 risk scenarios covering from standard processes like access management to emerging technologies such as artificial intelligence. The library was built by Drata’s GRC team using industry references such as NIST 800-30, HIPAA SRA tool, and ISO 31000.

Step 2: Analyze

Once there are identified risks in the register, the next step is to assess the impact a risk would have on the business, and the likelihood of the risk occurring.

Drata’s risk assessment offering supports a quantitative approach to risk analysis based on a 5 x 5 scale (impact x likelihood) where 1 is lowest. The multiplication of these two factors outputs an inherent risk score. In the simplest terms, the higher the score, the more critical the risk.

Step 3: Treat

When a risk’s impact and likelihood have been scored, a decision needs to be made as to what to do about the risk. This is known as risk treatment. There are 4 treatment options within Drata:

  • Accept

    • This status is generally reserved for risks that have a low inherent risk score.

    • They pose little risk to the business, so the company accepts the risk as a part of doing business and does not implement additional mitigating factors.

  • Avoid

    • If a risk is deemed too high, then you simply avoid the activity that creates the risk.

    • For instance, if implementing a new technology introduces critical risks to your organization, you may decide not to implement the technology and completely avoid the risk. Another example would be hiring an individual whose references would not recommend rehiring him — by not hiring him, you avoid the risk that he would not be an asset to your company.

  • Transfer

    • In many instances, you can transfer the risk to another party.

    • For instance, acquiring cyber insurance to transfer the risk of monetary loss arising from a cyber incident. You can also outsource the process in which the risk is present to another provider, thereby transferring the risk to the outsource provider.

  • Mitigate

    • Mitigating the risk is implementing controls to reduce its likelihood or the impact, until the residual risk score is deemed acceptable. An example of this would be implementing a security awareness training control to train your staff on how to identify a phishing email, or on best practices involving login credentials and password hygiene, to reduce the risk of compromise

Step 4: Plan

Now that risks are identified, scored, and designated a treatment type, the next step is to identify a risk treatment plan for every risk to be mitigated.

A risk treatment plan is a plan to modify risk such that it meets the organization’s risk acceptance criteria (such as a project plan). It may include:

  • The rationale for the selected plan activities

  • The proposed actions

  • The resources required

  • The performance indicators

  • The expected completion dates or timelines

  • Required reporting and monitoring and performance indicators

  • The individuals responsible for implementation

After all steps are conducted, you can download a risk assessment report from Drata to evidence the performance of the risk assessment activities. You can download this risk assessment report after selecting the Download button. This report breaks down each risk in the register, with all the associated data.

Note: There are additional sections of the report that must be completed manually to finalize the document, which will be highlighted, such as the participants involved in the risk assessment process and company information.

Did this answer your question?