Assessment Details Completion Guidance Risk Assessment Title:
Short, descriptive title
Risk Assessment Scope:
Version:
Describe the scope of the risk assessment e.g. service, location, process, assets Describe the general environment in which the assessment is carried out and internal and external factors affecting it Set out the factors which will make a risk acceptable and therefore not require treatment Start at Version 1
Dated:
Date the assessment was carried out
Risk Assessor(s):
Approval:
Name and title of person(s) carrying out the risk assessment Names and titles of people contributing to the risk assessment Name and title of approver
Date Approved:
Date the assessment was approved
Context of Risk Assessment:
Risk Acceptance Criteria:
Risk Assessment Participants:
Risk Owner
Risk Level
(blank)
Post-treatment R...
Calculated
Calculated
Risk Assessment and Treatment Tool Start with the risks that are felt to have the highest likelihood and impact combination first. Risk Description Ref.
Risk Summary
Risk Description
Pre-Treatment Risk Owner
Existing Controls
Likelihood
Likelihood Rationale
Impact
Impact Rationale
Risk Score
Risk Level
1
Select…
Select…
Calculated
Calculated
2
Select…
Select…
Calculated
Calculated
3
Select…
Select…
Calculated
Calculated
4
Select…
Select…
Calculated
Calculated
5
Select…
Select…
Calculated
Calculated
6
Select…
Select…
Calculated
Calculated
7
Select…
Select…
Calculated
Calculated
8
Select…
Select…
Calculated
Calculated
9
Select…
Select…
Calculated
Calculated
10
Select…
Select…
Calculated
Calculated
11
Select…
Select…
Calculated
Calculated
12
Select…
Select…
Calculated
Calculated
13
Select…
Select…
Calculated
Calculated
14
Select…
Select…
Calculated
Calculated
15
Select…
Select…
Calculated
Calculated
16
Select…
Select…
Calculated
Calculated
17
Select…
Select…
Calculated
Calculated
18
Select…
Select…
Calculated
Calculated
19
Select…
Select…
Calculated
Calculated
20
Select…
Select…
Calculated
Calculated
Note – Not all columns shown.
Example Threats The following is a standard list of typical threats that may be use as guidance for your risk assessment. Threat Category Human
Threat Malicious outsider Malicious insider Loss of key personnel Human error Accidental loss
Example Someone launches a denial of service attack on your ecommerce website An employee or trusted third party accesses information in an unauthoried manner from inside your network One or more people with key skills or knowledge are unavailable perhaps due to extended sickness An employee accidentally deletes the customer database A manager loses a memory stick with customer bank details on it
Natural
Fire Flood Severe weather Earthquake Lightning
Your main office burns down due to an electrical fault The nearby river breaks its banks and your main office is severely flooded Non-one can get into the office due to the weather The area of your main office is affected by an earth tremor that damages all your servers All your servers are fried by a lightning strike on the data centre building
Technical
Hardware failure Software failure Virus/Malicious code
A key server has a processor failure Your financial system processes invoices incorrectly due to a bug A virus spreads throughout your network preventing access to your data
Physical
Sabotage Theft Arson
A disgruntled ex-employee takes an axe to your server room You come in on Monday morning to find all of your PCs have been stolen Someone with a grudge against your organisation starts a fire during the night
Environmental
Hazardous waste Power failure Gas supply failure
A lorry carrying hazardous waste has an accident outside your office The sub-station supplying your area has a meltdown There is a suspected leak and all supplies are turned off
Process error Crime scene
Your new data transfer procedure doesn't cater for unexpected circumstances and data is lost or sent to the wrong destination A crime happens in or near your office and the area is sealed off by police
Operational
Likelihood The following table should be used to decide upon the most appropriate likelihood for a particular threat. Likelihood 1 2 3 4 5
Description Improbable Unlikely Likely Very Likely Almost certain
Summary Has never happened before and there is no reason to think it is any more likely now There is a possibility that it could happen, but it probably won't On balance, the risk is more likely to happen than not It would be a surprise if the risk did not occur either based on past frequency or current circumstances Either already happens regularly or there is some reason to believe it is virtually imminent
Impact The following table should be used as guidance to help to decide upon the correct impact rating for a particular threat.
Impact Level Impact Rating 1
General Description Negligible
2
Slight
3
Moderate
4
High
5
Very High
Impact Areas Legal, contractual and organisational Compliance No implications
Effect on Customers No effect
Financial Cost Very little or none
Health and Safety Very small additional risk
Damage to Reputation Negligible
Some local disturbance to normal business operations Can still deliver product/service with some difficulty Business is crippled in key areas Out of business; no service to customers
Some
Within acceptable limits
Slight
Small risk of not meeting compliance
Unwelcome but could be borne
Elevated risk requiring immediate attention
Moderate
In definite danger of operating illegally
Severe effect on income and/or profit Crippling; the organisation will go out of business
Significant danger to life
High
Operating illegally in some areas Severe fines and possible imprisonment of staff
Real or strong potential loss Very High of life
Classification of Risk Level The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact. RISK SCORE 5 HIGH 4
Risk Likelihood
MEDIUM
3
2 LOW 1
1
2
3
Risk Impact
4
5