Risk Assessment

A risk assessment is a systematic process that identifies, analyses and evaluates risks so you can prioritise your measures and protect what matters most. It is the basis for informed risk management and a requirement in most compliance regimes.

    What is a risk assessment?

    A risk assessment is your organisation's method for understanding which threats you face and how serious they are. You identify risks, assess the likelihood of them occurring and estimate the consequence if they do. The result is a prioritised overview that guides where you allocate your resources.

    Risk assessment is at the core of most compliance frameworks. GDPR is built on a risk-based approach, ISO 27001 requires risk assessment as the foundation for your ISMS, and NIS2 sets explicit requirements for risk analysis.

    Without risk assessment, you are working blind. You do not know whether your controls address the right risks, and you cannot justify your priorities to management or supervisory authorities.

    The process step by step

    A risk assessment typically follows these steps:

    • Context: Define what you are assessing. Is it the entire organisation, a specific system, a processing activity or a supplier? The context determines the scope and level of detail.
    • Identification: Map the assets you want to protect (data, systems, processes), the threats that could affect them (cyber attacks, errors, natural events) and the vulnerabilities that make you exposed.
    • Analysis: Assess the likelihood of each risk occurring and the consequence if it does. Use a consistent scale (e.g. 1-5 for both parameters).
    • Evaluation: Calculate the risk level (typically likelihood × consequence) and compare it with your organisation's risk appetite. Which risks are acceptable? Which require action?
    • Treatment: For each unacceptable risk, choose a strategy: reduce (implement controls), transfer (insurance, outsourcing), avoid (stop the activity) or accept (document the decision).

    Document the entire process. The risk assessment must be traceable so that you can show supervisory authorities how you arrived at your decisions.
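The steps above can be carried as a small, traceable risk register. The following is an added example written for this entry, not code from the page or from .legal: it rates likelihood and consequence on the 1-5 scale, scores each risk as likelihood × consequence, ranks the register against an assumed risk appetite of 8, records the chosen treatment and the controls linked to it, and reports the documentation gaps an auditor would ask about (an unacceptable risk with no decision, or a "reduce" decision with no control behind it). It goes slightly beyond the single consequence figure in the steps by rating consequence separately for a leak, corruption or deletion, and unavailability, and scoring on the worst of the three. The register entries are constructed for illustration.

```python
"""Minimal risk register: likelihood x consequence against a risk appetite (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

SCALE = range(1, 6)          # 1-5 for every rating, as recommended in the text
TREATMENTS = {"reduce", "transfer", "avoid", "accept"}


@dataclass(frozen=True)
class Impact:
    """Consequence rated separately for a leak, corruption/deletion and unavailability."""
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for name in ("confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def worst(self) -> int:
        # Score on the worst of the three outcomes for this asset.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: Impact
    treatment: str | None = None                        # reduce / transfer / avoid / accept
    controls: list[str] = field(default_factory=list)   # measures linked to this risk

    def __post_init__(self):
        if self.likelihood not in SCALE:
            raise ValueError(f"likelihood must be 1-5, got {self.likelihood}")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    @property
    def level(self) -> int:
        return self.likelihood * self.impact.worst


def evaluate(register: list[Risk], appetite: int) -> list[tuple[Risk, bool]]:
    """Rank risks highest first; True marks a risk above the organisation's appetite."""
    ranked = sorted(register, key=lambda r: r.level, reverse=True)
    return [(r, r.level > appetite) for r in ranked]


def treatment_gaps(register: list[Risk], appetite: int) -> list[str]:
    """Unacceptable risks with no decision, or 'reduce' decisions with no control linked."""
    gaps = []
    for risk, unacceptable in evaluate(register, appetite):
        if not unacceptable:
            continue
        if risk.treatment is None:
            gaps.append(f"{risk.asset}: level {risk.level} exceeds appetite, no treatment chosen")
        elif risk.treatment == "reduce" and not risk.controls:
            gaps.append(f"{risk.asset}: 'reduce' chosen but no control linked")
    return gaps


def sample_register() -> list[Risk]:
    """Constructed entries; the assets and ratings are illustrative, not a real assessment."""
    return [
        Risk("customer database", "ransomware", "unpatched database host", 4,
             Impact(5, 5, 5), "reduce", ["offline backups", "monthly patching", "EDR"]),
        Risk("staff laptops", "theft or loss", "disk not encrypted", 3,
             Impact(4, 1, 2), "reduce"),                        # gap: no control linked
        Risk("legacy file transfer", "credential interception", "unencrypted protocol", 3,
             Impact(3, 2, 1)),                                  # gap: no treatment decided
        Risk("payroll SaaS", "provider outage", "single provider", 2,
             Impact(1, 1, 4)),                                  # level 8: at appetite, acceptable
        Risk("HR archive", "accidental deletion", "no retention procedure", 2,
             Impact(1, 3, 2), "accept"),
    ]


if __name__ == "__main__":
    appetite = 8  # assumed threshold: levels above this require a treatment decision
    for risk, unacceptable in evaluate(sample_register(), appetite):
        flag = "ACT" if unacceptable else "ok "
        print(f"{flag} {risk.level:>2}  {risk.asset:<22} {risk.threat}")
    for gap in treatment_gaps(sample_register(), appetite):
        print("gap:", gap)
```

Keeping the register in a structured form like this is what makes the assessment traceable: the scale, the appetite threshold, every decision and every linked control are recorded together, so the "why" behind a priority can be shown later rather than reconstructed from memory.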

    Regulatory requirements

    GDPR is built on a risk-based approach. Article 32 requires security measures that are appropriate to the risk. This presupposes that you have assessed the risk. Article 35 requires a data protection impact assessment (DPIA) for processing that is likely to result in high risk.

    ISO 27001 (clauses 6.1 and 8.2) requires a formalised risk management process with identification, analysis, evaluation and treatment of information security risks. Risk assessment under ISO 27001 has specific requirements for methodology and documentation.

    NIS2 requires essential and important entities to carry out risk analyses and implement appropriate measures. Management must approve risk assessments and can be held liable for deficiencies.

    DORA sets detailed requirements for ICT risk assessment for financial undertakings, including assessment of third-party risks and resilience testing.

    Risk assessment in practice

    Start simply. A basic likelihood/consequence matrix is better than no risk assessment at all. You can always refine the methodology as the organisation matures.

    Involve the right people. IT knows the technical vulnerabilities, the business knows the consequences and management knows the risk appetite. A risk assessment carried out by one department alone will miss important perspectives.

    Use your record of processing activities as a starting point for assessing data protection risks. For each processing activity: what happens if the data is leaked, deleted or becomes unavailable?

    Link the risk assessment to your controls. Each risk you want to reduce should have one or more associated measures. These might include encryption, logging, access control or security training.

    Review the risk assessment regularly. Threats change, systems are replaced and new regulations are introduced. An annual review is the minimum, and significant changes should trigger a reassessment.

    Frequently Asked Questions about Risk Assessment

    What is the difference between a risk assessment and an impact assessment?

    A risk assessment is a broad analysis of an organisation's risks. A data protection impact assessment (DPIA) is a specific GDPR assessment of processing that is likely to result in high risk to data subjects' rights and freedoms. A DPIA is a type of risk assessment with a specific data protection focus.

    How often should you carry out a risk assessment?

    At least once a year and whenever there are significant changes in the organisation, the system landscape or the threat environment. ISO 27001 requires regular risk assessment, and GDPR presupposes ongoing assessment of risks associated with processing activities.

    Who is responsible for the risk assessment?

    Management has overall responsibility for risk management. In practice, the risk assessment is often facilitated by a security officer, DPO or compliance officer with input from the departments that know the risks best.

    Which method should you use for risk assessment?

    There is no legally mandated method. Likelihood/consequence matrices, ISO 27005 and the NIST Risk Framework are popular choices. Choose a method that suits the organisation's size and use it consistently.
