After completing the inventory of information and systems, assessing the likelihood and exposure of identified threats and vulnerabilities, and evaluating control effectiveness, the institution should assign risk ratings to the information and information systems. The key to assigning risk ratings is to organize the information and information systems within a logical framework.
The framework should recognize that not all threats and risks are equal and acknowledge that financial institutions have finite managerial and financial resources. As with credit or interest rate risk, reasonably foreseeable risks should be prioritized and rated according to the sensitivity and importance of the information.
Both the probability (likelihood) of an event occurring and the impact the event would have on the financial institution should be considered in determining the appropriate risk rating for information. The probability of an event and its impact on the institution are directly influenced by the institution's business profile and by the effectiveness of its controls. Typically, the result is expressed in differing levels of risk, for example "High," "Medium," or "Low" ratings. The specific risk rating is judgmentally determined and assigned in relation to the level of exposure and the threat likelihood, taking into consideration the adequacy of the related internal controls. Where controls are inadequate or found not to exist, the risk assessment should include an action plan to improve the controls.
Once the risks associated with threats and vulnerabilities have been assessed, probabilities assigned, and risks rated, risks should be segregated into those the financial institution is willing to accept and those that should be mitigated. Guidance from the board of directors should be used for that segregation. Once the institution identifies the risks to mitigate, it can begin to develop its risk mitigation strategy.
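The following is an added worked example of the rating and segregation steps described above; it is not part of the handbook and the FFIEC prescribes no particular scoring scheme. It assumes ordinal 1 to 3 scales for likelihood and impact, a hypothetical `CONTROL_REDUCTION` table that discounts inherent risk by judged control effectiveness, and a board appetite expressed as the highest residual rating acceptable per impact tier. The inventory, threat names and values are constructed for illustration.

```python
"""Added worked example: a simple risk-rating worksheet over an inventory.

Scales are ordinal 1..3. Inherent risk = likelihood x impact; residual risk
discounts inherent risk by judged control effectiveness. An absent or weak
control raises an action item regardless of the resulting rating.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Share of inherent risk a control is judged to remove. 0 means no control
# exists, so nothing is removed. These figures are illustrative assumptions.
CONTROL_REDUCTION = {0: 0.0, 1: 0.25, 2: 0.5, 3: 0.75}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int             # 1 (rare) .. 3 (expected)
    control: str                # "none" when no control exists
    control_effectiveness: int  # 0 none, 1 inadequate, 2 adequate, 3 strong


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int                 # 1..3: sensitivity and importance of the data
    threats: Tuple[Threat, ...]


@dataclass(frozen=True)
class RatedRisk:
    asset: str
    threat: str
    inherent: float
    residual: float
    rating: str
    needs_action_plan: bool
    disposition: str            # "accept" or "mitigate"


def score_to_rating(score: float) -> str:
    """Map a 1..9 score onto High/Medium/Low bands (thresholds are assumed)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rate_asset(asset: Asset, appetite: Dict[int, str]) -> List[RatedRisk]:
    """Rate each threat to an asset and segregate against board appetite.

    `appetite` maps an impact tier to the highest residual rating the board
    is willing to accept for assets in that tier.
    """
    rated = []
    for t in asset.threats:
        inherent = float(asset.impact * t.likelihood)
        residual = inherent * (1.0 - CONTROL_REDUCTION[t.control_effectiveness])
        rating = score_to_rating(residual)
        accept = LEVEL[rating] <= LEVEL[appetite[asset.impact]]
        rated.append(RatedRisk(
            asset=asset.name,
            threat=t.name,
            inherent=inherent,
            residual=residual,
            rating=rating,
            # Missing or inadequate controls need a plan even if accepted.
            needs_action_plan=t.control_effectiveness <= 1,
            disposition="accept" if accept else "mitigate",
        ))
    return rated


def mitigation_queue(rated: List[RatedRisk]) -> List[RatedRisk]:
    """Risks to mitigate, highest residual first (resources are finite)."""
    return sorted((r for r in rated if r.disposition == "mitigate"),
                  key=lambda r: r.residual, reverse=True)


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = (
    Asset("core banking ledger", 3, (
        Threat("credential theft", 3, "MFA on all admin access", 3),
        Threat("exploit of unpatched server", 2, "patch management", 1),
    )),
    Asset("customer contact list", 2, (
        Threat("staff phishing", 3, "awareness training", 2),
    )),
    Asset("public marketing site", 1, (
        Threat("defacement", 2, "none", 0),
    )),
)

# Assumed board guidance: only Low residual risk is acceptable on impact-3 assets.
BOARD_APPETITE = {3: "Low", 2: "Medium", 1: "Medium"}


def rate_inventory(inventory=INVENTORY, appetite=BOARD_APPETITE) -> List[RatedRisk]:
    rated = []
    for asset in inventory:
        rated.extend(rate_asset(asset, appetite))
    return rated


if __name__ == "__main__":
    for r in rate_inventory():
        flag = " ACTION PLAN" if r.needs_action_plan else ""
        print(f"{r.asset:24} {r.threat:28} inherent={r.inherent:.2f} "
              f"residual={r.residual:.2f} {r.rating:6} {r.disposition}{flag}")
```

Two points the example makes explicit: the segregation into accepted and mitigated risks is driven by the board's appetite, not by the rating alone (a Medium residual risk is accepted on the contact list but mitigated on the ledger), and an action plan is raised for absent or inadequate controls independently of whether the resulting risk was accepted, as the page requires.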