Monday, September 24, 2007

The Basics of Risk Assessment

While every business knows that it is important, for a variety of reasons, to protect its assets, many business owners and managers do not know how to perform the risk assessment that will identify the specific threats to be guarded against. Engaging a professional security consultant is frequently the best and most cost-effective way to conduct a thorough risk assessment, but here are the basic steps that should be used to determine a sound security strategy:

· identify/itemize all assets that need to be protected (physical, human and intellectual)

· identify every conceivable threat/risk that may be encountered – be sure that everything bad that could happen is given at least cursory consideration

· determine/prioritize the likelihood of occurrence of each of the identified threats/risks – the bad things most likely to occur should be given the highest priority

· determine/prioritize the business impact if/when each of the identified threats/risks should occur – some risks have a potentially greater impact than others

· identify/itemize all security measures currently in place – are current protective measures adequate to counter all the identified threats/risks?

· implement a sound security strategy that is adequate to protect the organization and its most vital assets

Even in industries in which security standards have been recommended or promulgated, the above outline forms the basis of the process that is recognized by both security professionals and the Courts as being adequate, sufficient, and legally defensible.