Learn more about Risk Assessment at Risk Assessment overview.
Step 1: Identify
The first step of risk assessment is to identify risks.
Drata’s risk assessment supports an event-based risk assessment process. In an event-based approach, risks are identified and assessed through an evaluation of threats and vulnerabilities and then organized into risk scenarios. These risk scenarios outline a potential event or situation that could adversely affect an organization's objectives. Risk scenarios typically include information about the context, the factors contributing to the risk, the potential consequences, and the conditions under which the risk might occur.
Example risk scenario:
An attacker installs malware that is specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to the attacker, and conceal these actions.
Risk scenarios can be determined by interviewing top management or personnel involved in business processes and asking: what could go wrong? Additionally, risk scenarios can be identified through analysis of legal and contractual requirements, the internal and external context of the organization and emerging technologies.
The resulting output of this initial identification phase is a register of risk scenarios, which we call Risk Register.
To assist you in identifying risk scenarios, Drata’s risk assessment module includes a comprehensive library of over 200 risk scenarios covering from standard processes like access management to emerging technologies such as artificial intelligence. The library was built by Drata’s GRC team using industry references such as NIST 800-30, HIPAA SRA tool, and ISO 31000.
Step 2: Analyze
Once there are identified risks in the register, the next step is to assess the impact a risk would have on the business, and the likelihood of the risk occurring.
Drata’s risk assessment offering supports a quantitative approach to risk analysis based on a 5 x 5 scale (impact x likelihood) where 1 is lowest. The multiplication of these two factors outputs an inherent risk score. In the simplest terms, the higher the score, the more critical the risk.
Step 3: Treat
When a risk’s impact and likelihood have been scored, a decision needs to be made as to what to do about the risk. This is known as risk treatment. There are 4 treatment options within Drata:
Accept
This status is generally reserved for risks that have a low inherent risk score.
They pose little risk to the business, so the company accepts the risk as a part of doing business and does not implement additional mitigating factors.
Avoid
If a risk is deemed too high, then you simply avoid the activity that creates the risk.
For instance, if implementing a new technology introduces critical risks to your organization, you may decide not to implement the technology and completely avoid the risk. Another example would be hiring an individual whose references would not recommend rehiring him — by not hiring him, you avoid the risk that he would not be an asset to your company.
Transfer
In many instances, you can transfer the risk to another party.
For instance, acquiring cyber insurance to transfer the risk of monetary loss arising from a cyber incident. You can also outsource the process in which the risk is present to another provider, thereby transferring the risk to the outsource provider.
Mitigate
Mitigating the risk is implementing controls to reduce its likelihood or the impact, until the residual risk score is deemed acceptable. An example of this would be implementing a security awareness training control to train your staff on how to identify a phishing email, or on best practices involving login credentials and password hygiene, to reduce the risk of compromise
Step 4: Plan
Now that risks are identified, scored, and designated a treatment type, the next step is to identify a risk treatment plan for every risk to be mitigated.
A risk treatment plan is a plan to modify risk such that it meets the organization’s risk acceptance criteria (such as a project plan). It may include:
The rationale for the selected plan activities
The proposed actions
The resources required
The performance indicators
The expected completion dates or timelines
Required reporting and monitoring and performance indicators
The individuals responsible for implementation
After all steps are conducted, you can download a risk assessment report from Drata to evidence the performance of the risk assessment activities. You can download this risk assessment report after selecting the Download button. This report breaks down each risk in the register, with all the associated data.
Note: There are additional sections of the report that must be completed manually to finalize the document, which will be highlighted, such as the participants involved in the risk assessment process and company information.