
How to Do a Risk Analysis – a Step-by-step Guide (Free Template)

Joanna Kwong

In this blog post, we discuss what risk analysis is, why it is relevant for your company organisation, and provide you with a quick start guide on how to get started with our very own template.

What is a risk analysis? 

Risk analyses are a useful tool for any organisation that wants to anticipate incidents and plan how to mitigate the risks. It involves identifying and analysing potential events that may negatively affect individuals, assets, or the organisation. We use risk analyses to make judgements about how much risk we can tolerate so that we can better anticipate incidents. Most importantly, it makes it possible for us to prioritise our security activities.

At CyberPilot, we use this template to help organisations do a risk analysis of information security. It is free and you can download it here:

A risk analysis can benefit your organisation with the following:

It also connects theoretical risks to the probability of them happening in real life.

That way, you can better understand how to allocate resources to prevent them. We will give you two examples below.

Risk 1:

A tornado hits company headquarters and damages all the IT equipment.

While this is certainly a risk that could happen and have a big negative impact, it is unlikely to happen if your area has no history of experiencing tornadoes. Therefore, you could spend your efforts thinking of solutions for other risks.

Consequence: HIGH

Likelihood: LOW

Risk 2:

A staff member travels with company IT equipment and it gets damaged on the baggage carousel.

While losing the IT equipment of one staff member is not catastrophic for the company, it is more likely to happen if staff travel regularly. And the consequence of losing that equipment may not only be the cost of the laptop, smartphone etc., but could also include potential data loss.

Consequence: MEDIUM

Likelihood: MEDIUM

We would suggest spending some time on mitigating this risk.

Ultimately, risk analyses can help you weather any storm, or at least be better prepared for it.

Risk analysis for information security

For information security, we can start by looking at potential events that can negatively affect your organisation. Some examples include:
You can ask yourself:

In the next section, we will discuss how you create your own risk analysis with our free template.

How to create a risk analysis

You can download our template here and follow along.

A snippet from our template (screenshot).

Step 1:

Create a scale for the risk assessment matrix

First, we determine the scales that we use for our risk assessment. On our template, you can access it on the first tab.

The scale tab of the template (screenshot).

In the template, we categorise the risk levels as low, medium, or high. One way of thinking of risk level is how severe the consequences can be for your organisation. Below, we define what each risk level could mean in terms of IT systems.

Low risk 

Medium risk

High risk

Additionally, you can take this opportunity to discuss with your organisation how many resources must be used to fix these issues if they ever occur. Our template gives you the opportunity to fill in the time and monetary consequences, but you can also think about how much time must be put into fixing the issue.

As the risks and consequences differ from organisation to organisation, we highly recommend adapting this section according to your needs. For example, if you are part of a company whose revenue comes solely from the e-shop on the website, then the website crashing is considered a much higher risk. In contrast, if your website serves just as a landing page without much functionality or effect to your day-to-day operations, then the website crashing is a lower risk because the consequences are lower.

Step 2 - start by listing your assets:

Fill in the risk assessment

To complete the risk assessment, we provide different columns to fill in:

Asset

When we talk about assets in this context, we mostly mean assets related to the IT in your organisation. This can include hardware, such as laptops and mobile devices. Additionally, it can include the IT services provided by your organisation, such as internal communication systems (e.g., Microsoft Teams or Slack) or customer-facing services like the company webpage. Other than IT assets, we included staff as an asset, as they have a lot of influence over the state of your information security. We discuss this in our e-book if you want to read more.

Finally, if you have performed asset management, then it is very easy to use that document as a reference. You don’t have to list all of the assets, but you can choose the most important or commonly used ones to start with.

Short description

Although self-explanatory, this column can be very useful for defining what you mean when you listed the asset. For example, when we list staff as an asset, we can define it as both full-time and part-time employees. You can also define who is not included, for example, consultants, who act as external advisors to the organisation but are not officially part of the organisation.

Department

Defining which department is responsible for an asset is advantageous because it prepares the company for when problems must be fixed. First, it can give you a better understanding or a refresher of each department or subdepartment’s responsibilities. Second, it helps the organisation react faster when a risk materialises.

However, we don’t recommend spending too much time on this column, as responsibilities can easily overlap between departments and change over time. We recommend getting a general understanding and staying flexible for when the time comes to fix the issue.

Step 3 - list threats and vulnerabilities

Threat 

The threat is a potential harm that can be done to an asset, which can have effects on the organisation. If there have been any security breaches or incidents in the past, you can list them in this column. For example, ransomware or unauthorised access to confidential data could be considered a threat. Next, we discuss the vulnerabilities that coincide with these threats.

For example, the threat of ransomware is present when staff browse websites for their work. They may unsuspectingly stumble upon a fake website and accidentally install ransomware, thereby locking access to the organisation’s files and computers until they pay the cybercriminals.

Vulnerability 

Vulnerabilities could be described as the reason a threat is able to occur. In the case of ransomware, the vulnerability could be that staff can unsuspectingly stumble upon a fake website and accidentally install it. In the case of unauthorised access to confidential data, it could be that somebody forgot to close some windows during a video call and accidentally showed a customer some internal communications.

This section is not about placing blame, but rather about thinking through theoretical scenarios and the reasons why a threat could occur. By understanding how threats occur, we can a) understand how big the threat is, b) estimate the probability of it happening, and c) think of ways to proactively avoid it.

Performed actions 

In this section, you write down whether you have already done anything to mitigate this risk. For example, if you have experienced losing important files before and have since enforced the use of cloud storage for backups, that is a performed action.

Step 5 - evaluate risks

Consequence

After writing about the threats, you can better assess how big the consequences are in case of threats being realised with this asset. This is obviously a subjective assessment, but it should be discussed with colleagues and often you will find that there can be different perspectives on consequences. Perhaps the marketing department will put a ‘HIGH’ consequence on something happening to the company website, since that can affect sales. But the IT department would not see it in the same way, as it would not affect the day-to-day operation of the company. That’s why it is important to get a lot of different perspectives.

Probability

Not all risks are created equal. Some could happen a few times a month, while others may only happen once every few years. By assessing the probability of each threat, you can understand how to prioritise them, and perhaps leave out those that are not realistic to tackle.

Suggestions for increased security

After filling in the other sections, you will have gained a better understanding of each asset and the risks associated with them. From that, you can use this section for writing suggestions for increased security.

Your risk assessment is complete!

When every section is filled in with the assets and the threats you can think of, you will have a better overview of the risks. From the risk analysis, you will be able to see which threats are more likely to happen and what their consequences would be if they occur. Keep this document handy and keep it updated.

We hope that this blog post has helped you understand what a risk analysis is and how to do one yourself. As a matter of fact, we use this template to help many organisations that want a better understanding of the risks to the information security of their IT assets.

If you would like to get some help with putting together your risk assessment, we are happy to have a talk about it. Download our template here and you can contact us at info@cyberpilot.io.
