Risk Management – CompTIA Security+ SY0-701 – 5.2

Risk management helps to understand the potential risks to an organization. In this video, you’ll learn about risk assessments, ad hoc assessments, and recurring assessments.
Most organizations have some level of risk management that allows them to identify where risks might be and address them before they become a much larger problem. This is an important part of any organization, and as an organization grows larger, the risk grows larger as well, so it’s important to understand where those risky areas may be. The risk management function in most organizations is there to identify and manage any potential risk. The threats to an organization may come from the inside or the outside, and risk management allows the organization to qualify those risks.

There are different ways to perform a risk assessment, and every organization has different requirements and different concerns regarding threats. An organization could perform a one-time risk assessment. This is often related to some other project that may be going on, and the risk assessment is specifically designed to address any concerns with that project. For example, a company may be acquiring another organization and may want to perform a risk assessment to see what that acquisition might bring to the company.

Or perhaps the organization is installing new equipment or new software and wants to understand the risks of installing that brand new technology. In some organizations, this risk assessment is an ongoing process. We see this very often with the change control process: one of the steps of change control is understanding what the risk may be in implementing that change, and this is a process that occurs for every change that is put through the change control process.

Ad hoc is a Latin phrase that means “for this,” and we use it to mean “for this purpose only.” So when we’re performing an ad hoc risk assessment, we’re performing it for one specific purpose. For example, your CEO may have returned from a conference where he learned about a new attack type that has been used against other companies that attended the same conference, and he wants to determine if your organization is susceptible to this specific risk.

To perform that study, an ad hoc assessment will be created that looks at just this specific attack type and how it may apply to your organization. The way this would commonly proceed is that the company creates a committee and performs a risk assessment of that specific threat. Once the assessment has been completed, the reports have been generated, and the presentation has been made to the CEO, that particular committee can be disbanded. And since the scope of this particular assessment was relatively narrow, it’s unlikely that you would need another risk assessment about this specific threat.

Some organizations will perform risk assessments on a standard schedule. So you may be asked to perform an assessment every three months, every six months, or every year, for example. For some organizations, this assessment is done internally without the need to go out to an external third party. For example, your internal assessment team may request updates every three months and keep an ongoing set of documentation for this recurring assessment.

There may also be risk assessments required as part of a mandate. For example, if your organization keeps credit card numbers on file, it may be required to perform an annual risk assessment by the Payment Card Industry Data Security Standard, or PCI DSS.