Ever wondered what a risk assessment is? Ever been confused by all the seemingly overwhelming terms and definitions? Well, welcome, my friend, to techtalksbynoah.com and to this post on risk assessments. In this post, I will detail what a risk assessment is, the different types of risk assessments, and how risk assessments are used in the real world.

What is risk management?

Risk management is a process of identifying and evaluating risk to bring the risk level associated with business assets and practices to a level that is within a company’s risk tolerance (or risk appetite). Risk management is done through a series of documents such as a risk assessment, vulnerability assessment, business continuity plan, disaster recovery plan, etc. While this article focuses specifically on risk assessments, know that there is far more to the risk management process as a whole than just a risk assessment.

What is a risk assessment?

A risk assessment is a document procured by the information technology team, addressing the risks, vulnerabilities, and threats to an asset or business function as well as a quantitative and/or qualitative determination of the impacts to critical business infrastructure and functions should those threats be realized. Risk assessments are a vital part of any risk management process and should only be completed with the full support of senior management. Without the support of senior management, any risk assessment, no matter how detailed, is doomed to fail.

There are two main types of risk assessments: qualitative and quantitative. The easiest way to tell the two apart is that qualitative risk assessments rest on expert opinion, while quantitative risk assessments typically have a dollar value attached to them. A good resource for more detail is NIST SP 800-30.

Qualitative Risk Assessments

Qualitative risk assessments are based on expert opinion and are scored on an arbitrary scale set in cooperation with the subject matter experts involved. A qualitative risk assessment is typically conducted in conjunction with a quantitative risk assessment, as qualitative risk assessments do not provide an objective dollar value, but rather a subjective evaluation. A team of subject matter experts will gather together and review the results of the most recent vulnerability assessment. Together, these professionals set a scale (typically consisting of the values low, medium, and high), usually with a format such as the Delphi method. Once a scale has been established, the group then decides the level of risk associated with different assets and business functions.

Quantitative Risk Assessments

Quantitative risk assessments have a quantifiable dollar value attached to them. This makes it easier to identify where money, time, and human capital need to be spent to mitigate risks. There are a couple of key terms to know and understand when it comes to a quantitative risk assessment.

The first is the asset value (AV). The asset value is simply the amount it would cost to replace that asset should it be adversely affected by a risk. For example, a new Cisco router could cost 1,000 USD. The asset value of that router would then be 1,000 USD.

The next term is the single loss expectancy (SLE). The SLE is determined by multiplying the asset value by the exposure factor (EF). The exposure factor is the subjective, potential percentage of loss to a specific asset if a specific threat is realized. For example, if a company has a server rack with 6 servers, 2 switches, and 1 router for a total asset value of 15,000 USD, and the exposure factor is 25%, then the SLE would be AV * EF = SLE, or 15,000 * 0.25 = 3,750 USD. Therefore, the single loss expectancy is 3,750 USD.

The final two terms you need to know are ARO and ALE. ARO is the annual rate of occurrence and is used in calculating the ALE, or annual loss expectancy. The SLE is multiplied by the ARO to get the ALE. The equation is in the form of SLE * ARO = ALE. Following our example above, if a power surge that damages 25% of our $15,000 server rack occurs twice a year, then the ALE is calculated as follows: SLE * ARO = ALE, or 3,750 * 2 = $7,500. If we install a $7,500 UPS that lasts 5 years, then we will reach 100% ROI within one year.
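The server rack and UPS numbers above, carried through in code as an added example (not part of the original post). It goes one step beyond the text by comparing ALE before and after a control and spreading the control's cost over its life; the names `Scenario` and `evaluate_safeguard` are hypothetical, and it assumes the UPS prevents every damaging surge.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, in the article's terms (hypothetical helper)."""
    asset_value: float      # AV: replacement cost in USD
    exposure_factor: float  # EF: fraction of AV lost per event, 0.25 for 25%
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        # Entering EF as 25 instead of 0.25 is a common spreadsheet error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor  # AV * EF = SLE

    @property
    def ale(self) -> float:
        return self.sle * self.aro                      # SLE * ARO = ALE


def evaluate_safeguard(before, after, cost, life_years):
    """Compare ALE without (before) and with (after) a control of given cost."""
    if cost < 0 or life_years <= 0:
        raise ValueError("cost must be >= 0 and life_years > 0")
    reduction = before.ale - after.ale   # loss avoided per year
    annual_cost = cost / life_years      # straight-line cost of the control
    net_annual = reduction - annual_cost
    return {
        "ale_before": before.ale,
        "ale_after": after.ale,
        "payback_years": cost / reduction if reduction > 0 else float("inf"),
        "net_annual_benefit": net_annual,
        "net_lifetime_benefit": net_annual * life_years,
    }


# Constructed inputs: the article's server rack and its $7,500, 5-year UPS.
rack = Scenario(asset_value=15_000, exposure_factor=0.25, aro=2)
# Assumption: the UPS stops every damaging surge (ARO 0). A partial control
# that still lets one surge through every two years would use aro=0.5.
with_ups = Scenario(asset_value=15_000, exposure_factor=0.25, aro=0)

if __name__ == "__main__":
    for key, value in evaluate_safeguard(rack, with_ups, 7_500, 5).items():
        print(f"{key:>22}: {value:,.2f}")
```

A control that does not lower the ALE at all reports an infinite payback period, which is the signal to spend the budget elsewhere.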


So in this article, we defined risk management, risk assessment, and the two types of risk assessments. Thank you for reading, and as always remember to be an inspiration to those around you. Stay tuned for more content!

