Risk Assessment

Risk assessment is the second phase of the risk management lifecycle, where identified risks are analyzed, measured, and evaluated to support informed decision-making. It transforms raw risk data into actionable intelligence, enabling organizations to prioritize threats and allocate resources efficiently.

Unlike risk identification, which focuses on _what could go wrong_, risk assessment answers deeper questions about probability, impact, and business consequences.


Definition and Purpose

Risk assessment is a structured process that combines:

  • Risk Identification
  • Risk Analysis
  • Risk Evaluation
  • Establishing the organizational risk context

Core Objectives

  • Determine which risks matter most
  • Measure likelihood and impact
  • Identify acceptable vs unacceptable risks
  • Enable risk-based decision-making

Key Questions Answered

  • What are the most critical risks?
  • How likely are they to occur?
  • What damage could they cause?
  • Which risks require immediate action?

Risk Assessment in the Lifecycle

Risk assessment acts as the bridge between identification and response.

```txt
Risk Identification
        |
        v
+----------------------+
|   Risk Assessment    |
+----------------------+
        |
        v
Risk Response -> Monitoring -> (Repeat)
```

Key Insight

  • The output of risk assessment becomes the input for risk treatment
  • It ensures that mitigation efforts are prioritized and cost-effective

Foundation: Asset Identification and Valuation

Before analyzing risks, organizations must understand what they are protecting.

Step 1: Identify and Value Assets

  • Information systems
  • Data (customer, financial, intellectual property)
  • Infrastructure
  • People and processes

Determine for Each Asset

  • Business value
  • Criticality
  • Sensitivity

Why This Matters

  • High-value assets receive stronger protection
  • Prevents wasting resources on low-impact risks

Phases of Risk Assessment

Risk assessment is structured into three core phases:

```txt
+---------------------+
| Risk Identification |
+----------+----------+
           |
           v
+---------------------+
| Risk Analysis       |
+----------+----------+
           |
           v
+---------------------+
| Risk Evaluation     |
+---------------------+
```


Phase 1: Risk Identification (Within Assessment)

This step refines previously identified risks and prepares them for analysis.

Key Elements Identified

  • Assets
  • Threats
  • Vulnerabilities
  • Existing controls

Outcome

A structured dataset describing:

Asset + Threat + Vulnerability + Control


Phase 2: Risk Analysis

Risk analysis determines the severity of risk by combining:

  • Likelihood → Probability of occurrence
  • Impact → Business damage if it occurs

Risk Analysis Model

```txt
Threat + Vulnerability
        |
        v
   Likelihood
        |
        v
     Impact
        |
        v
       Risk
```

Types of Risk Analysis

```txt
+------------------------+
|   Risk Analysis Types  |
+-----------+------------+
            |
   +--------+--------+
   |                 |
   v                 v
Qualitative     Quantitative
```

Both approaches are complementary, not competing.


Qualitative Risk Analysis

Qualitative analysis uses expert judgment instead of numerical data.

Characteristics

  • Fast and simple
  • No precise calculations
  • Based on experience
  • Ideal when data is limited

Scales Used:

Likelihood

  • Very Likely
  • Likely
  • Possible
  • Unlikely
  • Very Unlikely

Impact

  • Negligible
  • Minor
  • Moderate
  • Significant
  • Severe

Qualitative Risk Matrix

| Likelihood \ Impact | Negligible | Minor    | Moderate | Significant | Severe  |
|---------------------|------------|----------|----------|-------------|---------|
| Very Likely         | Low        | Moderate | High     | Extreme     | Extreme |
| Likely              | Low        | Moderate | High     | High        | Extreme |
| Possible            | Low        | Moderate | Moderate | High        | High    |
| Unlikely            | Low        | Low      | Moderate | Moderate    | High    |
| Very Unlikely       | Low        | Low      | Low      | Low         | Low     |

Example

  • Likelihood: Very Likely
  • Impact: Significant
  • Result: High Risk

Why Qualitative Analysis Matters:

  • Quickly identifies critical threats
  • Simplifies communication with management
  • Forms the foundation for deeper analysis

Semi-Quantitative Risk Analysis

A hybrid approach that introduces numeric scoring.

Formula:

Risk Score = Likelihood × Impact

Example Scenarios:

Scenario 1: Customer Data Theft

  • Likelihood = 4
  • Impact = 5
  • Risk = 20

Scenario 2: Source Code Theft

  • Likelihood = 2
  • Impact = 2
  • Risk = 4

Insight:

  • Risk 20 > Risk 4 → prioritize data protection
  • Values are relative, not absolute
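The following is an added example, not part of the original notes: a small risk register that scores each scenario semi-quantitatively (Likelihood × Impact on a 1–5 scale), attaches the band from the qualitative matrix above, and ranks the scenarios. It assumes the numeric 1–5 scale maps in order onto the qualitative labels (1 = Very Unlikely / Negligible, 5 = Very Likely / Severe); the register entries are constructed from the two scenarios in the notes.

```python
# Added example: semi-quantitative scoring plus qualitative matrix lookup.
# Assumption: the 1-5 numeric scale maps in order onto the qualitative labels.

LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Likely", "Very Likely"]
IMPACT = ["Negligible", "Minor", "Moderate", "Significant", "Severe"]

# Rows: likelihood labels; columns: impact in the order of IMPACT above.
MATRIX = {
    "Very Likely":   ["Low", "Moderate", "High", "Extreme", "Extreme"],
    "Likely":        ["Low", "Moderate", "High", "High", "Extreme"],
    "Possible":      ["Low", "Moderate", "Moderate", "High", "High"],
    "Unlikely":      ["Low", "Low", "Moderate", "Moderate", "High"],
    "Very Unlikely": ["Low", "Low", "Low", "Low", "Low"],
}


def qualitative_band(likelihood: str, impact: str) -> str:
    """Return the matrix cell for a pair of qualitative labels."""
    return MATRIX[likelihood][IMPACT.index(impact)]


def risk_score(likelihood: int, impact: int) -> int:
    """Semi-quantitative score = Likelihood x Impact, each on a 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def rank_register(register: list) -> list:
    """Score every scenario, attach its qualitative band, rank highest first."""
    scored = []
    for entry in register:
        score = risk_score(entry["likelihood"], entry["impact"])
        band = qualitative_band(LIKELIHOOD[entry["likelihood"] - 1],
                                IMPACT[entry["impact"] - 1])
        scored.append({**entry, "score": score, "band": band})
    return sorted(scored, key=lambda e: e["score"], reverse=True)


# Constructed register built from the two scenarios in the notes.
SAMPLE_REGISTER = [
    {"name": "Source Code Theft", "likelihood": 2, "impact": 2},
    {"name": "Customer Data Theft", "likelihood": 4, "impact": 5},
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['name']:<22} score={row['score']:>2}  band={row['band']}")
```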

Quantitative Risk Analysis

Quantitative analysis uses financial metrics to measure risk.

Purpose

  • Translate risk into monetary value
  • Support investment decisions
  • Enable cost-benefit analysis

Key Metrics

Asset Value (AV)

  • Total value of an asset

Exposure Factor (EF)

  • Percentage of the asset's value lost in a single incident (expressed as a fraction from 0 to 1)

Single Loss Expectancy (SLE)

SLE = AV × EF

Annualized Rate of Occurrence (ARO)

  • Frequency per year

Annualized Loss Expectancy (ALE)

ALE = SLE × ARO


Quantitative Risk Flow

```txt
Asset Value
     |
     v
Exposure Factor
     |
     v
Single Loss Expectancy (SLE)
     |
     v
Annualized Rate of Occurrence (ARO)
     |
     v
Annualized Loss Expectancy (ALE)
```

Worked Example

Given:

  • AV = $10,000
  • EF = 0.75
  • ARO = 0.5

Step 1: SLE

SLE = 10,000 × 0.75 = 7,500

Step 2: ALE

ALE = 7,500 × 0.5 = 3,750

Interpretation

  • Single incident loss = $7,500
  • Annual expected loss = $3,750

Helps determine if a control costing less than $3,750/year is justified.
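As an added example (not part of the original notes), the quantitative chain AV → EF → SLE → ARO → ALE carried through in code, extended with the cost-benefit check the notes describe: rather than assuming a control removes the risk entirely, it compares the ALE before and after the control against the control's annual cost. The asset figures are the worked example above; the control (cost $2,000/year, residual ARO 0.1) is constructed for illustration.

```python
# Added example: SLE/ALE computation and a control cost-benefit check.
# Asset figures come from the notes' worked example; the control is constructed.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction (0..1) of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def control_net_benefit(asset_value: float, exposure_factor: float,
                        aro_before: float, aro_after: float,
                        annual_cost: float) -> float:
    """Annual value of a control = ALE before - ALE after - annual control cost.

    A positive result means the control saves more than it costs each year;
    a control that eliminated the risk (aro_after = 0) would be justified
    whenever its annual cost is below the original ALE.
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    return round(ale_before - ale_after - annual_cost, 2)


# Worked example from the notes: AV = $10,000, EF = 0.75, ARO = 0.5
SLE = single_loss_expectancy(10_000, 0.75)   # 7500.0
ALE = annualized_loss_expectancy(SLE, 0.5)   # 3750.0

# Constructed (hypothetical) control: $2,000/year, reduces ARO from 0.5 to 0.1
NET_BENEFIT = control_net_benefit(10_000, 0.75, 0.5, 0.1, 2_000)

if __name__ == "__main__":
    print(f"SLE = ${SLE:,.2f}, ALE = ${ALE:,.2f}")
    verdict = "justified" if NET_BENEFIT > 0 else "not justified"
    print(f"Control net benefit = ${NET_BENEFIT:,.2f} per year ({verdict})")
```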


Phase 3: Risk Evaluation

Risk evaluation determines whether a risk is acceptable.

```txt
Analyzed Risk
      |
      v
+----------------------+
| Acceptable Level?    |
+----------+-----------+
           |
     Yes   |    No
           |
           v
    Accept Risk     Move to Risk Response
```

Outcomes:

Acceptable Risk

  • Within risk appetite
  • No immediate action required
  • Documented and monitored

Unacceptable Risk

  • Exceeds tolerance
  • Requires treatment:
      • Mitigation
      • Transfer
      • Avoidance

Decision-Making Based on Risk

Risk assessment directly supports management strategy.

Enables

  • Risk prioritization
  • Control selection
  • Budget allocation
  • Strategic planning

Risk Assessment Output

The final output is a structured risk profile:

  • Ranked list of risks
  • Likelihood and impact values
  • Risk severity levels
  • Recommended actions

```txt
Risk Assessment Output
        |
        v
Risk Response (Mitigation / Acceptance / Transfer / Avoidance)
```


Qualitative vs Quantitative Comparison

| Aspect   | Qualitative         | Quantitative       |
|----------|---------------------|--------------------|
| Nature   | Subjective          | Objective          |
| Values   | High / Medium / Low | Numeric / Monetary |
| Speed    | Fast                | Slower             |
| Accuracy | Approximate         | More precise       |
| Basis    | Expert judgment     | Data-driven        |

Key Differences

Qualitative

  • Scenario-based
  • Fast and simple
  • Useful in early stages

Quantitative

  • Financially driven
  • Supports ROI decisions
  • Aligns with budgeting

Key Takeaways

  • Risk assessment is the core decision engine of risk management
  • Combines analysis + evaluation to prioritize risks
  • Qualitative → Semi-Quantitative → Quantitative is a common progression
  • SLE and ALE are fundamental for financial risk measurement
  • The ultimate goal is to reduce risk to an acceptable level efficiently

Final Insight

A mature organization does not rely on a single method. Instead, it integrates:

Qualitative → Semi-Quantitative → Quantitative

to achieve balanced, accurate, and actionable risk intelligence.