Analyse the risks to an information system
Carry out impact and likelihood assessments, listing the existing controls, to find the risk ratings for an information system.
Using risk scales and matrices for your organisation
Use your organisation’s approved risk scales and matrices — if they’re in development or do not exist, use our examples to help in their development and approval.
Assess the impacts of risks happening
Examples of simple and detailed impact scales — the business owner decides which is appropriate to use.
Assess the likelihood of risks happening
Example of a likelihood scale and how the business owner and stakeholders can use quantitative information in assessing each risk’s likelihood.
Find the initial risk ratings
Use a risk matrix to combine the impact and likelihood assessments to find each risk’s initial rating — also called an overall or a gross rating.
List the existing controls for each risk
Run a workshop with the right stakeholders to identify the existing controls for an information system.
Find the final risk ratings
Using the list of existing controls, assess whether and how each control changes the initial risk ratings. The result is the final risk ratings — also called residual or net ratings.