When assessing the IT risks in your business, you should avoid spending too much time and money reducing risks that may pose little or no threat to your business.
Instead, you should focus on the most serious risks, based on:
- the likelihood of the risk happening
- the cost or impact if it does happen
This is known as quantitative risk assessment.
Types of IT risk assessment methodologies
Generally speaking, there are two main types of risk assessment:
- qualitative risk assessment
- quantitative risk assessment
A quantitative assessment combines the probability of the risk occurring with the costs of impact and recovery. For example, if you assess a risk to have a high probability of happening and a potentially high cost/impact to your business, you will deem it high risk. Those that are unlikely to happen, or that will cost little or nothing to remedy, fall under the category of low risk.
Quantitative measures of risk like this are only meaningful when you have good data. You may not always have the necessary historical data to work out probability and cost estimates on IT-related risks, since they can change very quickly.
A more practical approach may be to use a qualitative assessment. This relies on using your judgement to decide if the probability of occurrence is high, medium or low. For example, you might classify as 'high probability' something that you expect to happen several times a year. You do the same for cost/impact in whatever terms seem useful, for example:
- low - would lose up to half an hour of production
- medium - would cause complete shutdown for at least three days
- high - would cause irrevocable loss to the business
You might then decide to rank risks according to their significance to your business. Once you establish what the risks are and how important they are to your business, you will be able to decide whether to accept the risks or manage them – see more on the IT risk management process.
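To show how the two approaches above produce a ranking, here is an added example (not part of the original guidance) that scores a constructed list of risks quantitatively (estimated frequency multiplied by cost per event) and qualitatively (high/medium/low bands combined in a simple risk matrix). The risk names, figures and band thresholds are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    events_per_year: float   # estimated frequency of occurrence
    cost_per_event: float    # estimated impact plus recovery cost

# Constructed sample data: illustrative figures, not real estimates.
SAMPLE_RISKS = [
    Risk("Laptop lost or stolen", events_per_year=2.0, cost_per_event=1_500),
    Risk("Ransomware on file server", events_per_year=0.1, cost_per_event=80_000),
    Risk("Printer outage", events_per_year=6.0, cost_per_event=50),
    Risk("Data centre fire", events_per_year=0.01, cost_per_event=500_000),
]

def expected_annual_cost(risk):
    """Quantitative score: likelihood combined with cost of impact and recovery."""
    return risk.events_per_year * risk.cost_per_event

def rank_quantitative(risks):
    """Highest expected annual cost first."""
    return sorted(risks, key=expected_annual_cost, reverse=True)

# Qualitative bands. Thresholds are assumptions for this example; 'several
# times a year' is treated as high probability, as in the text above.
def likelihood_band(risk):
    if risk.events_per_year >= 3:
        return "high"
    if risk.events_per_year >= 0.5:
        return "medium"
    return "low"

def impact_band(risk):
    if risk.cost_per_event >= 100_000:
        return "high"      # irrevocable loss to the business
    if risk.cost_per_event >= 10_000:
        return "medium"    # complete shutdown for days
    return "low"           # minor lost production

LEVEL = {"low": 1, "medium": 2, "high": 3}

def qualitative_score(risk):
    """Risk matrix: product of the likelihood and impact band levels (1 to 9)."""
    return LEVEL[likelihood_band(risk)] * LEVEL[impact_band(risk)]

def rank_qualitative(risks):
    """Highest matrix score first; ties keep their input order."""
    return sorted(risks, key=qualitative_score, reverse=True)
```

On this sample data the two rankings disagree (the coarse matrix puts the frequent but cheap printer outage above ransomware), which is why the quality of your probability and cost data decides which approach to trust.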