Enterprise risk assessments should be conducted on a regular basis—ideally at least once per year—to identify or update your organization’s exposure to both established and emerging risk scenarios. This procedure enables the determination of the potential impact associated with each assessed risk scenario. Risk assessment outcomes that are older than one year may no longer accurately reflect risks relevant to your organization. In the absence of current risk assessment findings, the ability to identify threats to operations, assets, and personnel is significantly reduced. Conducting annual risk assessments is not only considered best practice but also demonstrates to external stakeholders that your organization systematically monitors relevant risks and implements appropriate mitigation or treatment strategies.

Effective Risk Assessment Programs

An effective risk management program requires a systematic and well-documented approach to identifying risks. This process typically involves evaluating the full inventory of information systems and data essential for business operations, as well as defining potential threats to organizational systems and processes. The intent of risk identification is not to catalogue every possible operational risk, but rather to concentrate on those that are most significant to the organization’s business objectives. There are various methodologies available for identifying operational risks.

Sample Cybersecurity Risk Assessment Tools include:

  • Using questionnaires and surveys
  • Interviewing managers, system owners, and subject matter experts
  • Collecting input from asset and service stakeholders
  • Reviewing internal and external historical data
  • Acquiring external consultative expertise


During the collection and compilation of this information, it is essential to identify any security risks relevant to your organization. After these potential risks are recognized, they should inform the scope of items addressed during the risk assessment process, allowing for adjustments as needed.

Cybersecurity Risk Assessment Framework

Risk assessments should address threats, vulnerabilities, likelihood, and potential impact on organizational operations, information assets, individuals, other organizations, and, in certain cases, the Nation. These assessments should be revised as significant changes take place within the organization or operational environment. Conducting risk assessments annually and following major changes helps ensure alignment with shifts in environment, emerging threats, evolving trends, and advancing technologies. The outcomes of risk assessments are relevant to control selection processes, particularly when applying control tailoring guidance.

Third-Party Risk Assessment Protocol

Risk assessments must encompass potential risks arising from external entities. This includes contractors, third-party personnel carrying out tasks on behalf of the organization, individuals with access to information systems, and service providers. Comprehensive assessments should integrate findings from a robust third-party risk management program, which is discussed in later chapters.

Risk assessments may utilize either quantitative or qualitative methodologies; however, it is essential to maintain consistency and comparability across all evaluations. Such uniformity facilitates effective prioritization of resources for managing identified risks. All assessment results should be thoroughly documented and reviewed following each evaluation. Reports must be distributed to relevant stakeholders and securely retained, providing necessary evidence for subsequent assessments, audits, or reviews of the organization’s risk management procedures.

Pro Tip:

It is not necessary to initiate the annual risk assessment process from the beginning each year. There are solutions available that preserve your risk assessment results indefinitely, enabling real-time updates and ensuring that assessment outcomes remain current.

Risk assessment results at the organizational, business process, or system levels should be employed to inform risk management decisions where appropriate. Establishing benchmarks or target performance metrics is recommended to demonstrate progress or identify regression in the organization’s risk profile over time.

The risk assessment process should include an evaluation of both the likelihood and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information systems. This encompasses data that is processed, stored, or transmitted by these systems. Additionally, risks associated with employing end-of-life (EOL) software or hardware components, which lack support from original vendors or manufacturers, must be considered. A comprehensive risk assessment should measure likelihood and severity, and calculate overall risk (risk = likelihood x severity) across environmental, human-made, business, and IT domains.
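The scoring rule above (risk = likelihood x severity) is easy to state but only useful if every assessor rates on the same scale and the results can be ranked across the environmental, human-made, business, and IT domains and compared with last year's benchmark. The following Python script is an added example written for this page, not a tool from the original text or from any vendor it mentions. It assumes a five-step qualitative scale mapped to 1..5, assumed reporting bands for the resulting 1..25 score, and a constructed sample register with a constructed prior-year benchmark; it also flags entries that rely on end-of-life components, since the paragraph calls those out for explicit consideration.

```python
"""Added example: scoring a risk register as risk = likelihood x severity.

Ratings are recorded on a five-step qualitative scale and mapped to 1..5 so that
results from different assessors and domains stay comparable. All register
entries below are constructed sample data, not findings from any real organization.
"""
from dataclasses import dataclass

# Shared scale for both likelihood and severity (assumed 1..5 scale).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Reporting bands (assumed thresholds); 25 is the maximum product on a 1..5 scale.
BANDS = [(15, "critical"), (8, "high"), (4, "moderate"), (1, "low")]


@dataclass(frozen=True)
class RiskItem:
    domain: str                  # environmental, human-made, business or IT
    factor: str                  # risk factor name from the template
    likelihood: str              # qualitative rating from the LEVELS scale
    severity: str                # qualitative rating from the LEVELS scale
    eol_component: bool = False  # relies on end-of-life software or hardware


def level(value: str) -> int:
    """Map a qualitative rating to its numeric level; reject unknown wording so
    an assessor's free-text rating cannot silently skew the comparison."""
    key = value.strip().lower()
    if key not in LEVELS:
        raise ValueError(f"unknown rating {value!r}; expected one of {sorted(LEVELS)}")
    return LEVELS[key]


def score(item: RiskItem) -> int:
    """risk = likelihood x severity, range 1..25."""
    return level(item.likelihood) * level(item.severity)


def band(score_value: int) -> str:
    """Translate a numeric score into a reporting band."""
    for floor, name in BANDS:
        if score_value >= floor:
            return name
    raise ValueError(f"score {score_value} is below the scale minimum")


def rank_register(items):
    """Return (domain, factor, score, band) tuples, highest risk first; ties are
    broken alphabetically so the order is stable from one assessment to the next."""
    scored = [(score(i), i) for i in items]
    scored.sort(key=lambda pair: (-pair[0], pair[1].domain.lower(), pair[1].factor))
    return [(i.domain, i.factor, s, band(s)) for s, i in scored]


def domain_summary(items):
    """Highest score per domain, usable as a benchmark line in the annual report."""
    summary = {}
    for item in items:
        summary[item.domain] = max(summary.get(item.domain, 0), score(item))
    return summary


def eol_findings(items):
    """Factors that depend on end-of-life components and need explicit treatment."""
    return [i.factor for i in items if i.eol_component]


def regressions(previous, current):
    """Compare this assessment with last year's benchmark (factor -> score) and
    list the factors whose score has risen, as (factor, before, now)."""
    worse = []
    for item in current:
        now = score(item)
        before = previous.get(item.factor)
        if before is not None and now > before:
            worse.append((item.factor, before, now))
    return sorted(worse)


# Constructed sample register covering the four domains named in the template.
SAMPLE_REGISTER = [
    RiskItem("environmental", "Flooding", "low", "high"),
    RiskItem("environmental", "Avalanches", "very low", "very high"),
    RiskItem("human-made", "Power Outages", "medium", "high"),
    RiskItem("business", "Loss of Key Personnel or Skill Set", "medium", "medium"),
    RiskItem("IT", "Hard Drive Failures", "high", "medium", eol_component=True),
    RiskItem("IT", "Denial of Service Attacks", "medium", "very high"),
]

# Constructed benchmark from a hypothetical previous assessment (factor -> score).
PREVIOUS_SCORES = {"Flooding": 8, "Power Outages": 6, "Denial of Service Attacks": 15}

if __name__ == "__main__":
    for domain, factor, s, b in rank_register(SAMPLE_REGISTER):
        print(f"{b:9s} {s:2d}  {domain:13s} {factor}")
    print("domain benchmarks:", domain_summary(SAMPLE_REGISTER))
    print("EOL components:", eol_findings(SAMPLE_REGISTER))
    print("regressions since last assessment:", regressions(PREVIOUS_SCORES, SAMPLE_REGISTER))
```

The strict mapping in `level()` is the part that enforces the comparability requirement: a rating such as "med" or "likely" is rejected rather than guessed, so every score in the register is built from the same scale. The `regressions()` comparison gives the progress-or-regression view an annual cycle needs, and `domain_summary()` yields one benchmark number per domain that can be tracked year over year.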

Pro Tip:

The risk factor list below, together with the related risk assessment questions, may be utilized to perform an initial risk evaluation for your organization. This process can be streamlined through portal-based solutions that automatically calculate risk scores. Any third-party solution selected should provide calendar reminders to support timely updates of responses and remediation actions.

It is important to note that not all listed risk factors will pertain to every organization or each location in which your organization operates. Preparing these responses demonstrates that all recognized scenarios have been thoughtfully considered and the respective risks thoroughly assessed.

Enterprise-Wide Risk Assessment Template:

  • Brand Recognition: Are there strategies in place to address decreases in brand recognition or the overall perceived value of the organization? Has the organization recently experienced a drop in perceived value, and if so, how was this managed?
  • Breach of Confidentiality: Does your organization handle sensitive customer data? What measures are implemented to protect against confidentiality breaches?
  • Business Strategy: Is the organization’s three-to-five-year business strategy reviewed and updated regularly? What processes exist for updating this strategy?
  • Cash Liquidation Problems: How stable is the organization’s financial position? If stability is threatened, what marketing or communication strategies are employed to counteract negative rumors?
  • Cheaper Alternatives or Products: What level of competition does your organization face in the market? Are research and development initiatives sufficient to maintain competitiveness?
  • Credit Risk: Is the organization currently carrying debt or at risk of obtaining a poor credit rating? How might a negative credit rating affect relationships with suppliers?
  • Critical Component Failure: Which operational components are considered critical for your organization? How dependent is the organization on them, and what contingency or recovery plans exist if they fail?
  • Customer Satisfaction: What methods are used to assess customer satisfaction? How does the organization respond to negative customer experiences or incidents that could damage customer relationships?
  • Customer Service Downtime: To what extent does the organization depend on customer service operations? What would be the consequences if customer service became unavailable?
  • Demand for Products and Services: Does the organization actively monitor demand for key products and services? What steps are taken when demand for important offerings declines?
  • Employees Not Paid on Time: If the primary payroll system fails, what backup plans are in place to ensure employees are paid promptly? How many payroll systems are utilized, and what risks could delay payroll?
  • Employee Onboarding: Are there established procedures for interviewing and hiring based on skills, experience, and education? Are hiring managers properly trained, and are new hires screened according to relevant laws and regulations?
  • Espionage or Trespass: Is there a program in place to manage insider threats? Does the organization have a policy for foreign travel, and what controls are implemented to prevent unauthorized access to facilities?
  • Exchange Rate Risk: What portion of the organization’s business is conducted internationally? Does the organization work with overseas partners or suppliers, and how much revenue comes from international sales?
  • Failed Business Strategies: Are any strategic initiatives currently in progress or being planned? What is the projected financial or asset loss if a strategy fails?
  • Failure of a Major Project: What significant projects are ongoing? Are there project management frameworks in place, and have there been any notable project failures in the past?
  • Failure to Manage Change: Does the organization have formal change management processes? How well are these followed, and have there been any issues or unauthorized changes in the past?
  • Fraud or Embezzlement: Which systems are most susceptible to embezzlement, and who has access to them? What monitoring controls are in place to detect or prevent fraud?
  • Government Action or Policy: Is the organization in a highly regulated industry? Are applicable regulations identified, and compliance requirements clearly defined?
  • Human Error – Maintenance: Have there been instances of maintenance mistakes? Are there procedures for vendor check-in and escorting during maintenance work?
  • Human Error – Operations: Have there been cases where critical business operations were incorrectly performed? What was the impact, and what corrective actions were taken?
  • Ineffective or Outdated SLAs: How frequently are service level agreements reviewed and updated?
  • Ineffective Supplier Evaluation: How many suppliers support the organization’s operations? Are there dedicated personnel for managing supplier contracts, and are backup suppliers available for critical needs?
  • Interest Rate Risk: Do fluctuations in interest rates affect the organization’s debt obligations or future capital investments?
  • Lack of Documented Procedures: Are all essential processes documented and kept current, particularly following process changes? Does the organization have access to technical writing support?
  • Lack of Formal Budget Process: Does the organization maintain a yearly budgeting process and official budget? How is this budget developed, reviewed, and approved?
  • Lack of Innovation: In industries where design is crucial, such as software or manufacturing, does the organization invest sufficiently in innovation to remain competitive?
  • Legal and Regulatory Risk: Does the organization have a dedicated legal department that monitors and addresses current and emerging litigation and regulatory changes?
  • Liability of Products or Services Delivered: What are the key operational components relied on for product or service delivery, and what backup or recovery plans are in place if they fail?
  • Libel or Slander: What is the organizational culture regarding reputation management? Have there been past incidents involving libel or slander, and how were these managed?
  • Loss of Critical Customer: Does a significant portion of revenue depend on key customers? How many customers does the organization serve, and what plans exist to address the loss of a major customer?
  • Loss of Hard Copy Documents: Are essential processes dependent on physical documents? What recovery plans exist if these documents are destroyed or become inaccessible?
  • Loss of Key Personnel or Skill Set: Are some roles critical to the organization’s success? Is cross-training practiced regularly, and are succession plans and role documentation in place to ensure continuity?
  • Merger & Acquisition Targeting: Is the organization a potential acquisition target? If so, what steps are taken to prevent or manage rumors?
  • Misuse of Resources: Are there controls to prevent improper use of company resources, such as vehicles, computers, or credit cards, by employees?
  • Over-Reliance on a Single Sales Channel: What distribution channels are used for products and services? Are there regular reviews to assess channel performance and revenue diversity?
  • Personnel Security: Is the management of employment lifecycles compliant with all relevant laws and regulations?
  • Price War: Who are the primary competitors, and are the organization’s offerings priced competitively? Have industry changes introduced new competition?
  • Raw Materials or Process Materials: What materials are vital to business operations, and do any have volatile supply or pricing? Who are the primary suppliers, and are contingency plans in place for supply disruptions?
  • Recession: How would an economic downturn affect operations, and what safeguards are in place to minimize its impact?
  • Sales Forecasting: Are sales and revenue forecasts conducted regularly? What are the consequences of missing targets, such as layoffs or other operational impacts?
  • Share Price Slump: What is the organization’s history of stock performance, and what precautions are in place to prevent declines in share price?
  • Single Points of Failure: Are there critical hardware or personnel whose absence would disrupt operations? Is there redundancy or documented procedures to address single points of failure?
  • Workplace Safety: Are safety requirements and protocols thoroughly documented, regularly updated, and are employees trained on workplace safety practices?


ENVIRONMENTAL RISKS:

  • Avalanches: Are any company sites situated in regions with heavy snowfall? Do these buildings border hills or mountains, and has there ever been an avalanche in these areas?
  • Cyclones: Are cyclones a frequent risk at any facility locations? If so, what protocols are followed during such events? Are your buildings designed to handle strong winds, equipped with adequate window coverings, and stocked with flooding prevention materials like sandbags and shovels?
  • Droughts: Are droughts a recurring issue in any areas where your organization operates? If so, where does the city source its water? In case of supply disruption, is an alternate water source available with formal service agreements?
  • Earthquakes: Are any facilities located near fault lines? If so, do these buildings meet seismic safety codes? Is essential equipment securely fastened, and does your organization hold earthquake insurance?
  • Electrical Storms: Do lightning storms occur regularly in any areas where you have facilities? How have such events impacted operations historically? Are your sites equipped to remain functional during power outages caused by lightning?
  • Extreme Heat: What are the average summer temperatures at your facility locations? How have heat waves previously affected your operations? Have there been power failures or threats to HVAC systems due to high temperatures?
  • Flooding: Do any facilities experience heavy rainfall or sit near water sources like rivers, dams, or reservoirs? Are any facilities in designated flood plains? For sites at risk, is data center equipment elevated to avoid water damage?
  • Freezing Temperatures or Ice: What are the typical winter temperatures in your facility areas? How have extreme cold events impacted operations, such as frozen water pipes?
  • Hail: Do any facility locations experience frequent hailstorms? If so, what measures are taken to mitigate risks associated with hail?
  • High Winds: Are persistent strong winds common in any areas where your organization is present? What precautions are in place to protect both people and property from wind damage?
  • Hurricanes: Are hurricanes a potential threat to any facilities? If so, what procedures are followed during a hurricane? Are buildings constructed to withstand hurricane-force winds, with suitable window coverings and flood prevention materials available?
  • Land Subsidence: Are any facilities near wells, mines, or aquifers? Is there pumping of water, oil, or gas nearby? Have there been cases of ground subsidence in these regions?
  • Landslides: Do any company sites border hills, mountains, or cliffs? If so, what steps are taken to safeguard assets and staff in the event of a landslide? Are these areas prone to earthquakes, heavy rainfall, or runoff?
  • Pandemic or Epidemic: Are any facilities located in densely populated areas? Is it possible to enforce social distancing during outbreaks? Does your organization maintain a sufficient supply of personal protective equipment (PPE) for all staff?
  • Rodents: Have any facilities or nearby buildings experienced rodent issues? Are cables protected against rodent damage?
  • Sandstorms: Are facilities located in sandy regions, and are sandstorms common? If so, what protective measures are in place?
  • Tornados: Is tornado activity a risk at any locations? If so, what actions are implemented during tornado events? Are there shelters for employees, and are buildings constructed to resist high winds? Are windows properly protected, and is tornado insurance in place?
  • Tsunamis or Tidal Waves: Are any facilities close to the ocean, and are tsunami or tidal wave threats common? Do these sites also face risks from earthquakes or underwater disturbances? Are windows covered, and are flood prevention materials available?
  • Typhoons: Are typhoons a concern for any facilities? If so, what actions are taken during typhoon events? Are buildings built to withstand strong winds, and do windows have protective coverings? Is flooding prevention equipment maintained?
  • Volcanic Activity: Are any sites near a volcano? If so, has the volcano shown activity? Are there formal response procedures for volcanic eruptions?
  • Wildfires: Are any facility locations at risk for wildfires? Have wildfires previously affected these sites? Does the company have insurance for wildfire-related damages?
  • Winter Storms or Blizzards: Are winter storms or blizzards a regular threat to facilities? Have these events ever caused work stoppages or loss of essential services like power, water, or fuel?


HUMAN-MADE RISKS:

  • Active Shooter: Has your organization ever dealt with an active shooter incident? Are employees trained on proper response procedures during such events?
  • Air Pollution: What is the prevailing air quality in the regions where your facilities are located? Are any buildings situated adjacent to manufacturing plants?
  • Aircraft Crash: Which airports are located near your facilities, and what types of aircraft frequent those airports? Do flight paths pass directly above any of your buildings?
  • Ancillary Equipment Failure (HVAC or Temperature Issues): How many HVAC units are necessary to maintain minimum temperature standards in the data center? What is the current utilization rate of these HVAC systems?
  • Arson: What type of fire suppression system is installed in your data center (such as FM 200)? What monitoring measures are in place to detect fires, and are there established fire prevention protocols?
  • Bomb Threats: Has your organization ever received a bomb threat? Are employees trained on procedures for bomb threat situations? Have neighboring buildings ever encountered bomb threats?
  • Building Defects or Collapses: Is there any protection for the data center in case of building collapse? What are the existing backup and recovery plans if such an event occurs?
  • Civil Unrest or Riots: Are any of your buildings located near universities or government offices? Has your organization experienced workplace disputes or riots in the past?
  • Explosion (Accidental): What preventative measures exist to reduce the risk of explosions involving generators, electrical systems, or combustible materials?
  • Extortion: Has your organization ever been impacted by extortion attempts?
  • Labor Disputes or Strikes: Is your workforce unionized? How would you describe the organizational culture and environment?
  • Mass Casualty Events: Do groups of employees routinely travel together? Do most staff members use the same mode of transportation, such as public transit, to get to work?
  • Neighboring Business Risk: What kinds of businesses are located near your facilities? Are any of these businesses involved in manufacturing or handling chemicals and hazardous materials?
  • Power Outages: What measures are in place to address risks related to power surges, outages, internal failures, or faulty power supplies? How frequently do these issues occur?
  • Radioactive Contamination: Are any of your facilities positioned close to a nuclear power plant? What is the distance to the nearest one?
  • Sabotage (External or Internal): What is the organization’s work culture and environment? Has there been any history of sabotage or workplace violence? What security measures are in place to protect information systems and infrastructure?
  • Social Engineering: Have there been successful social engineering attacks such as phishing or pretexting? Is employee training provided to prevent such incidents?
  • Terrorism or Bioterrorism: Are any of your facilities situated in areas with a high risk of terrorism, like major cities or near prominent landmarks?
  • Toxic Contaminations: Does your organization handle toxic substances? What policies or procedures are implemented to prevent contamination?
  • Utility Outage or Shortage – Fuel: Do any operations rely on natural or refined gas, such as generators? Are service level agreements (SLAs) in place for fuel replenishment, and what do those agreements specify?
  • Utility Outage or Shortage – Power: Are any facilities located in regions with frequent power interruptions? Is there a backup power supply, such as a generator, and how much coverage does it provide?
  • Utility Outage or Shortage – Water: Where does the facility’s city source its water? If the supply is disrupted, are alternative water sources available with established SLAs? Does the data center use water-cooled racks, and do these have independent water systems? In case of evacuation due to water shortage, can critical operations continue remotely?
  • Vandalism: Has your organization experienced vandalism in the past?
  • Vehicle Accident – Airport: Are airports essential for your business operations or continuity planning? If an airport becomes inaccessible, what backup or recovery strategies are in place?
  • Vehicle Accident – Highway: Are any facilities close to major highways? How would a traffic accident or hazardous spill affect your building? Do most employees commute by car?
  • Vehicle Accident – Railway: Are any facilities situated near major railways? Are hazardous materials transported along these routes?
  • Vehicle Accident – Waterway: Are any of your facilities near significant waterways or harbors? Are toxic substances transported on these waterways?
  • War or Invasion: Is there an active war or imminent threat affecting any locations where your organization operates? Does conflict impact your suppliers or business continuity?
  • Water Leaks or Plumbing Failures: What is the age of your facilities’ plumbing systems? Are they routinely inspected and maintained? Do pipes run through critical areas of the data center? Is there a leak detection system in place?
  • Water Pollution: Are any facilities located in regions frequently affected by water pollution? If a building is rendered unusable by contamination, can essential activities be conducted elsewhere?
  • Workplace Violence: How would you characterize the organization’s culture and environment? Has there been a history of workplace violence, and does the organization offer training to prevent harassment, discrimination, and violence?


IT RISKS:

  • Backup Process or Media Failures: Are your backup routines and restoration methods clearly documented? Do you rotate backup media on a regular schedule and store them in controlled environments?
  • Consistent Capacity Shortfalls: Do you actively monitor communication lines for performance issues? What monitoring solutions do you use, and are they configured for real-time or passive observation?
  • COTS Software Failures: What steps are taken to install and manage commercial off-the-shelf software? Are there written procedures for addressing failures in third-party applications?
  • Cyber Crime: Which cybersecurity measures—such as antivirus, antispam, firewalls, intrusion detection/prevention, and filtering—protect your organization? Is cybersecurity insurance in place?
  • Database Failures: Is there a comprehensive security strategy for databases? Do privileged users need multi-factor authentication, and are database protections outlined in official procedures?
  • Data Integrity: Are there established controls and processes to maintain the accuracy and reliability of your data?
  • Data Theft: What security measures protect sensitive databases and critical financial information from theft?
  • Denial of Service Attacks: How do you monitor system uptime and connectivity to spot denial of service threats? Are the configurations of these monitoring tools documented?
  • Email Downtime: Is a backup email system available? If you use an outsourced provider, do they offer failover support, and is email downtime a common issue?
  • Frequent Equipment Failures (Platform and Network Devices): Are equipment settings and configurations documented to speed up restoration and rebuilding efforts?
  • Frequent Need for Emergency Fixes: How are urgent repairs tracked, and what process monitors changes made in the production environment?
  • Hard Drive Failures: What backup strategies are in place to protect against data loss from hard drive issues?
  • Help Desk Loss of Personnel: Is high staff turnover a problem in your help desk department?
  • High Number of Production Changes: How do you document and monitor changes to production environments? Are system configurations logged and tracked?
  • Human Errors – Programmers: What testing protocols are followed before deploying code to production, and are rollback procedures documented?
  • Human Errors – Users: How is separation of duties managed, and are user access rights reviewed regularly?
  • Inadequate Backup Procedures: What is your backup process, and do you routinely test restoration procedures? Are these processes formally documented?
  • Internally Developed Application Failure: Do you follow a change control process and a system development life cycle? Are changes validated through user testing before deployment?
  • Internet Access (Local ISP Connectivity) Failure: Is there an independent secondary communication line available to your facilities?
  • Lack of an Asset Inventory: Is there an asset management program in place, and is a comprehensive inventory maintained, reviewed, and updated regularly?
  • Lack of SLAs: Are service level agreements created and reviewed with providers, and is there a vendor management program?
  • Lack of System Recovery Strategy: Are backup and restoration procedures documented? Do you have business continuity plans, and are they tested annually? Are system configurations updated as part of change control?
  • Local Area Network Failure: What redundancy measures exist in your network, and are hardware configurations for communication devices documented?
  • Local Storage Failure: Are critical storage units regularly backed up and is backup data stored off-site and restored at alternate locations?
  • Local Security Vulnerabilities: What security and monitoring solutions are in place? Do you use intrusion detection or prevention systems, vulnerability scanning tools, and supporting processes?
  • System Configurations Not Documented: Do you update system configurations whenever changes are made?
  • Technology Selection: Are there procedures to guide the selection of information systems and technology to support business needs?
  • Telecommunications Failure – Data: Is there a backup communications circuit fully independent from the primary line, and are hardware configurations for network devices documented?
  • Telecommunications Failure – Voice: Do you have a secondary, independent voice communication line and backup circuits, with documented hardware configurations?
  • Theft of Physical Assets: What measures restrict access to your buildings or facilities, and are they monitored continuously by video or security personnel to prevent asset theft?


Your organization may wish to supplement this list of items to better align with specific requirements. For organizations operating across multiple offices or sites, it is advisable to perform individual assessments for each location to address differences in the expected likelihood and impact of identified risks within distinct geographical areas.

The advantages of conducting risk assessments extend beyond enhancing your overall risk management strategy. The results should also be utilized to inform business impact analyses as a component of your business continuity planning.

For further guidance on risk assessment practices applicable to enterprise organizations, please consult Cybantage Cybersecurity experts.