"Assess" and "analyze" mean nearly the same thing. Both terms refer to the process of gathering information and drawing conclusions from it, usually with the goal of improving a practice, product, or business. In the realm of risk management, however, the terms "risk assessment" and "risk analysis" are related but not the same: one is an element of the other.
Risk assessment is a multi-step practice of analysis and conclusions that delivers a solid risk management plan to a business. Risk analysis is one of those steps. Think of it like making a hamburger. If risk assessment is the whole process of assembling a burger, risk analysis is like grilling the patty. You might do the grilling once for a single-patty burger or twice for a double cheeseburger. The analysis is a vital part of the process that can deliver important information on its own, but the assessment is the whole thing.
The goal of risk assessment is to identify and understand everything that poses a risk to your organization. Risk assessment is divided into two main phases:
There are different types of risk assessments. For today's purposes, we'll focus on security risk assessments. These seek to keep your company's data safe while ensuring it is easily accessed by authorized users and impossible to access by unauthorized individuals. Risk management teams first identify the hardware, software, and data most important to a company's business and then create a profile for each of these assets. Different assets are treated differently. For example, a database of customers' credit card information might be a highly targeted asset for attackers, while the CSS for your company's website layout might not need the same level of protection.
Security risk assessments help your company map the connections between different technology assets, prioritize which assets need to be protected, and come up with plans to keep bad actors out without getting in the way of legitimate business use. They also include plans for what to do in the event of an attempted or successful security breach, and plans for keeping your security precautions up to date in a changing digital world.
Risk assessment isn't just a good idea; it's also required by law for some companies, and by standards organizations for others.
The first phase of a risk assessment involves experts in a field trying to come up with as many plausible “bad” scenarios as they can. Examples of these scenarios include things like:
Once plausible risks are named, it's time to score them. Risk analysis involves carefully considering each risk and assigning it a priority. Prioritization is determined using quantitative and qualitative methods.
Using quantitative scoring, the amount each risk could cost your company is multiplied by the likelihood of that risk occurring in a given year. This is a quick way of generating easy-to-understand numbers that you can use to compare risks and decide what resources your company should devote to preventing them, but it relies on having a good estimate of both the cost of the risk and the likelihood of it occurring.
Qualitative scoring uses a subjective rubric to assign multiple numbers to each risk.
These numbers are a bit harder to understand at a glance, but they can shed more light on which specific precautions your business should take for each risk. Proper analysis relies on your team being able to make knowledgeable, honest assessments of how each risk would affect your business and how likely it is to occur.
Risk assessment teams break down identified risks into three categories: high, medium, and low priority.
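The following is an added example, not code from the original article, showing how the quantitative and qualitative scoring described above and the high/medium/low bucketing can be carried out side by side for a small set of constructed risks. The 1-to-5 rubric, the two qualitative factors (likelihood and impact), the bucket thresholds, and the sample cost and probability figures are all assumptions chosen for illustration; the risk names are constructed, not taken from any real assessment.

```python
from dataclasses import dataclass

# Assumed rubric: each qualitative factor is scored 1 (lowest) to 5 (highest).
RUBRIC_MIN, RUBRIC_MAX = 1, 5
# Assumed thresholds on the likelihood x impact product (range 1..25).
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    name: str
    estimated_cost: float      # assumed cost of one occurrence, in currency units
    annual_probability: float  # assumed chance the scenario occurs in a given year, 0..1
    likelihood: int            # qualitative rubric score, 1..5
    impact: int                # qualitative rubric score, 1..5


def annual_loss_expectancy(cost: float, probability: float) -> float:
    """Quantitative score: cost of one occurrence times yearly likelihood."""
    if cost < 0:
        raise ValueError("cost must be non-negative")
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return round(cost * probability, 2)


def qualitative_score(likelihood: int, impact: int) -> int:
    """Qualitative score: product of two rubric values, rejecting off-scale input."""
    for value in (likelihood, impact):
        if not RUBRIC_MIN <= value <= RUBRIC_MAX:
            raise ValueError(f"rubric value {value} outside {RUBRIC_MIN}..{RUBRIC_MAX}")
    return likelihood * impact


def priority_bucket(score: int) -> str:
    """Map a qualitative score onto the high/medium/low categories."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def score_risks(risks):
    """Score every risk both ways and rank by expected annual loss, highest first."""
    rows = []
    for r in risks:
        ale = annual_loss_expectancy(r.estimated_cost, r.annual_probability)
        qual = qualitative_score(r.likelihood, r.impact)
        rows.append({"name": r.name, "ale": ale,
                     "qualitative": qual, "priority": priority_bucket(qual)})
    rows.sort(key=lambda row: (row["ale"], row["qualitative"]), reverse=True)
    return rows


# Constructed sample risks; every figure here is invented for illustration.
SAMPLE_RISKS = [
    Risk("Breach of customer credit card database", 2_000_000, 0.05, likelihood=2, impact=5),
    Risk("Ransomware on internal file server", 400_000, 0.10, likelihood=4, impact=4),
    Risk("Defacement of public website CSS", 5_000, 0.30, likelihood=4, impact=1),
]

if __name__ == "__main__":
    for row in score_risks(SAMPLE_RISKS):
        print(f"{row['name']:<45} ALE={row['ale']:>10,.2f} "
              f"qual={row['qualitative']:>2} -> {row['priority']}")
```

Running the sample shows why the article says the two methods complement each other: the card database tops the quantitative ranking because one breach would be so expensive, while the ransomware scenario lands in the "high" qualitative bucket because the team rated it both likely and damaging, and the cheap but frequent defacement ends up "low" despite its high likelihood score. The rubric check also refuses scores outside the agreed scale, which keeps one team member's 1-to-10 habit from silently inflating a risk.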