- IT departments are tasked with implementing new projects or initiatives, but are often unsure how to assess the risk associated with them.
- Often, stakeholders will have an informal discussion regarding any risks and make a final decision based on that.
Our Advice
Critical Insight
- Informal, ad hoc discussions do not allow for informed risk assessments, which can affect how the organization as a whole manages risk.
- Even for companies looking to adopt formal risk management, there are numerous frameworks and assessment techniques that offer best-practice advice but no clear methodology on how to complete a threat and risk assessment.
- When evaluating risk, standardize your risk assumptions. Establish clear definitions for the frequency and impact of potential threats; these definitions carry over to future risk assessments and apply across your risk environment.
Impact and Result
- Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project.
- Determine the scope of the assessment and build frequency and impact definitions in order to have a repeatable process.
- Make informed risk treatment decisions based on the results – whether to accept, transfer, mitigate, or terminate the risk.
- Connect your threat and risk assessment results to your wider risk management program. Doing this can inform the organization as to the macro level of risk that it faces.
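The following is an added illustration of the repeatable process described above, written for this page and not Info-Tech's own methodology or tooling. It standardizes frequency and impact definitions, scores each in-scope threat as frequency multiplied by impact, maps the score to one of the four treatment options (accept, transfer, mitigate, terminate), and rolls the results up for a wider risk program. The 1-5 scales, the decision thresholds, and the sample threats are all assumptions; a real program would set them from its own risk appetite.

```python
from collections import Counter
from dataclasses import dataclass

# Standardized frequency scale (assumed 1-5; wording is illustrative).
FREQUENCY = {
    1: "Rare: less than once in 10 years",
    2: "Unlikely: once in 3 to 10 years",
    3: "Possible: about once a year",
    4: "Likely: several times a year",
    5: "Almost certain: monthly or more often",
}

# Standardized impact scale (assumed 1-5; wording is illustrative).
IMPACT = {
    1: "Negligible: no service disruption or data loss",
    2: "Minor: short outage, no sensitive data involved",
    3: "Moderate: outage of about a day or limited data exposure",
    4: "Major: multi-day outage or exposure of regulated data",
    5: "Severe: business-threatening loss",
}

# Assumed decision thresholds; a real program derives these from its risk appetite.
ACCEPT_BELOW = 6            # severity below this is accepted as-is
TERMINATE_AT = 20           # severity at or above this is too high to carry
TRANSFER_MIN_IMPACT = 4     # low-frequency, high-impact threats are candidates
TRANSFER_MAX_FREQUENCY = 2  # for transfer (e.g. insurance or contract terms)


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int  # index into FREQUENCY
    impact: int     # index into IMPACT


def severity(threat: Threat) -> int:
    """Threat severity = frequency x impact, both on the standardized scales."""
    if threat.frequency not in FREQUENCY:
        raise ValueError(f"{threat.name}: frequency {threat.frequency} is not on the defined scale")
    if threat.impact not in IMPACT:
        raise ValueError(f"{threat.name}: impact {threat.impact} is not on the defined scale")
    return threat.frequency * threat.impact


def treatment(threat: Threat) -> str:
    """Map a scored threat to accept, transfer, mitigate, or terminate."""
    score = severity(threat)
    if score >= TERMINATE_AT:
        return "terminate"
    if threat.impact >= TRANSFER_MIN_IMPACT and threat.frequency <= TRANSFER_MAX_FREQUENCY:
        return "transfer"
    if score >= ACCEPT_BELOW:
        return "mitigate"
    return "accept"


def assess(threats):
    """Score every in-scope threat; rows are (name, severity, treatment), highest severity first."""
    rows = [(t.name, severity(t), treatment(t)) for t in threats]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def summarize(threats):
    """Roll-up for the wider risk program: highest severity and a count per treatment."""
    rows = assess(threats)
    return {
        "max_severity": rows[0][1] if rows else 0,
        "by_treatment": dict(Counter(r[2] for r in rows)),
    }


# Constructed sample threats for a hypothetical new project (not from any real assessment).
SAMPLE_THREATS = [
    Threat("Ransomware on file servers", frequency=4, impact=5),
    Threat("Data center flooding", frequency=1, impact=5),
    Threat("Phishing-led credential theft", frequency=3, impact=3),
    Threat("Vendor portal outage", frequency=2, impact=2),
]

if __name__ == "__main__":
    for name, score, action in assess(SAMPLE_THREATS):
        print(f"{score:>2}  {action:<9}  {name}")
    print(summarize(SAMPLE_THREATS))
```

Because `severity` rejects any value outside the defined scales, every assessment run against this code uses the same frequency and impact assumptions, which is what makes the results comparable across projects and across the organization's risk register.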