List the causes of each risk and the impacts if they happen
Making these lists helps to give your risk assessment team a clear view of the risks facing your organisation.
Causes of risks
Putting all of the causes together in a list, separate from the risk scenarios, gives a second view of where the risks to your organisation's information system are coming from. A cause that appears behind several scenarios (for example, patches not being applied) is usually worth treating first, because one control addresses many risks.
Examples of risk causes
- The information system is deployed as an internet-facing service.
- The information system is an attractive target to criminals or hacktivists.
- Patches may not be applied in a timely manner.
- Default accounts and passwords are not changed or removed.
- When a staff member leaves the organisation, their user accounts are not disabled or removed in a timely manner.
Impacts of the risks happening
Putting all of the impacts together, separate from the risk scenarios, gives a clear overview of the negative consequences your organisation faces if the risks to its information system eventuate.
For clarity across stakeholders, state the impacts in business terms — not technical terms.
Examples of the impacts of the risks happening
- There is reputational damage to the organisation.
- IN-CONFIDENCE information is disclosed to an unauthorised party.
- There is a breach of the Privacy Act 2020.
- Service delivery is impacted due to a loss of productivity.
- There is a loss of confidence in the service by key stakeholders.