
5 Key Tasks in a Risk Assessment [Infographic]

by Tim Wynkoop on Apr 11, 2017 11:00:04 AM

Here’s something I’ve learned using the FAIR model (and the RiskLens application) to help companies understand and measure their cyber risks: A successful risk analysis depends not just on software but the soft skills of clear thinking and clear communication.

In the infographic below, I named five of those skills that successful risk-aware companies develop.  They may sound basic, but you’d be surprised at how difficult they can be to put into practice.

For instance, #1 “Find a Common Language” for discussing risk: The typical corporate Top 10 Risks list isn’t really a list of risks but a mixed bag of technologies (like cloud computing), threats (like hack attacks) and concerns (like organizational change). You can’t manage what you can't measure, and you can’t measure what isn't defined.  The process of FAIR analysis solves this common problem.  

[Infographic: Five Key Tasks in a Risk Assessment - RiskLens]


5 Key Tasks in a Risk Assessment

Based on the FAIR Model

  1. FIND A COMMON LANGUAGE

    You wouldn’t fly on a plane if aerospace engineers couldn’t agree on how to measure speed or velocity. The same should apply to risk analysis. Your organization needs to agree on a standard definition of risk.

  2. CALL IN THE EXPERTS

    When you measure the risk associated with anything within your organization, you can’t assume you will know all the answers. Find the SMEs with data specific to what you are measuring. Get the right people around the table to help.

  3. DOCUMENT ASSUMPTIONS

    Always make the assumptions behind your analysis clear. Not only will it ensure everyone is on the same page, it will help you defend your conclusions.

  4. KNOW POSSIBLE FROM PROBABLE

    Yes, anything could happen, but not everything will happen to your organization. Determine if your industry should even be worried about a particular threat event. You're likely more at risk from general hackers than rogue nations...

  5. COMMUNICATE CLEARLY

    When you are presenting the results of your risk assessment, know your audience. Don’t use too much technical jargon. Stick to the common language of business: dollars and cents.
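Tasks 3, 4 and 5 come together in the arithmetic of a FAIR analysis: documented input ranges, a probability of a loss event rather than a "could it happen" guess, and a result in dollars. The following is an added example, not RiskLens code or output; the two scenarios and every range in them are constructed and hypothetical, standing in for the figures your SMEs would supply.

```python
import math
import random

# FAIR (Factor Analysis of Information Risk) decomposition used below:
#   annualized loss = loss event frequency (LEF) x loss magnitude (LM)
#   LEF = threat event frequency (TEF) x vulnerability (P(an attempt becomes a loss))
# Every input is a documented min / most-likely / max range, not a point estimate.

# Constructed, illustrative ranges (hypothetical; real values come from your SMEs).
SCENARIOS = {
    "opportunistic attacker": {
        "tef": (2, 12, 40),                 # threat events per year
        "vuln": (0.05, 0.15, 0.40),         # chance an event turns into a loss
        "lm": (20_000, 80_000, 400_000),    # dollars lost per loss event
    },
    "rogue nation": {
        "tef": (0.0, 0.02, 0.2),            # possible, but rarely even attempted
        "vuln": (0.3, 0.6, 0.9),
        "lm": (500_000, 3_000_000, 20_000_000),
    },
}

def pert(rng, low, mode, high, lam=4.0):
    """Sample a modified-PERT value in [low, high] peaked at mode (mean = (low+4*mode+high)/6)."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def simulate(scenario, trials=20_000, seed=1):
    """Monte Carlo over the documented ranges; returns dollar and probability summaries."""
    rng = random.Random(seed)
    losses, p_any = [], []
    for _ in range(trials):
        lef = pert(rng, *scenario["tef"]) * pert(rng, *scenario["vuln"])
        losses.append(lef * pert(rng, *scenario["lm"]))
        p_any.append(1 - math.exp(-lef))     # P(at least one loss event this year)
    losses.sort()
    return {
        "expected_annual_loss": sum(losses) / trials,
        "p90_annual_loss": losses[int(0.9 * trials)],
        "p_any_loss_event": sum(p_any) / trials,
    }

def rank_scenarios(scenarios=SCENARIOS):
    """Order scenarios by expected annual loss in dollars, highest first."""
    results = {name: simulate(s) for name, s in scenarios.items()}
    return sorted(results.items(), key=lambda kv: -kv[1]["expected_annual_loss"])
```

Calling `rank_scenarios()` puts the opportunistic scenario first: the rogue-nation event is possible and far costlier per occurrence, but with these ranges it is improbable in any given year, and the expected dollar loss says so.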


Tim Wynkoop is a Risk Consultant at RiskLens.
