Step 4: Assess the Current Risk

Current Risk refers to the level of risk that remains after existing controls and mitigation measures are applied. It represents the residual risk in the current operating environment, taking into account the effectiveness and maturity of implemented controls, policies, and measures.


Current Risk Statement

A Current Risk Statement provides a concise summary of the risk scenario in its present state, considering the existing controls and mitigation measures in place. It outlines the remaining likelihood and impact of a risk materialising after current defences are considered. The purpose is to articulate the residual risk clearly and provide a foundation for evaluating further mitigation actions.

Example: "While multi-factor authentication (MFA) has been implemented on most critical systems, some legacy systems remain unprotected, posing an ongoing risk of unauthorised access."


Current Risk Weakness

Current Risk Weakness highlights deficiencies or gaps in the existing controls, processes, or practices that prevent the full mitigation of the risk. It focuses on identifying remaining vulnerabilities or shortcomings in the current risk management approach. The purpose is to pinpoint areas requiring improvement or enhanced controls to further reduce risk exposure.

Example: "Insufficient monitoring and alerting mechanisms reduce the ability to detect unauthorised access attempts in real-time."


Current Risk Opportunity

A Current Risk Opportunity identifies potential benefits or positive outcomes that could arise from further improving or optimising existing controls. It focuses on how enhancing current risk management measures could create value, improve resilience, or align better with strategic objectives.

Example: "Enhancing real-time monitoring and implementing advanced analytics could improve threat detection and reduce incident response times."


Current Risk Summary Table

| Term | Focus | Purpose | Example |
|---|---|---|---|
| Current Risk Statement | Description of the risk scenario with existing controls | Understand the risk's residual state | Legacy systems still lack MFA protection. |
| Current Risk Weakness | Gaps or deficiencies in existing controls | Identify limitations in current controls | Insufficient real-time monitoring. |
| Current Risk Opportunity | Positive outcomes from improving controls | Enhance resilience and value | Improved threat detection through analytics. |

Impact type

Understanding the impact type is essential for assessing how a risk could affect various areas of your organisation. Risks can manifest across multiple dimensions, including financial loss, operational disruption, legal implications, reputational damage, or data breaches.

By defining and selecting the impact type, you can:

  • Clarify the potential consequences of a risk materialising.
  • Prioritise risk responses based on the most critical impact areas.
  • Develop targeted mitigation strategies tailored to specific impact dimensions.
  • Facilitate stakeholder communication by providing a clear picture of potential outcomes.

As described during the inherent risk analysis, you can now select the relevant impact type from your predefined catalogues to ensure a structured and consistent approach to assessing and managing risks. This selection will also help in aligning risk responses with your organisation's strategic objectives and risk appetite.

By categorising risks based on their impact, you enable more focused decision-making and ensure that resources are allocated effectively to address the most significant threats.


Risk matrix

After defining the Impact Type, it’s time to determine your Inherent Risk Level using the Risk Matrix. This step involves evaluating the Likelihood and Impact to quantify the risk accurately.


1. Likelihood Level

Begin by defining the Likelihood of the risk materialising.

  • As a reminder:

    Likelihood = Threat Level × Vulnerability

    This calculation combines the threat's severity with the system's susceptibility, providing a measurable likelihood score.

    [Figure: Likelihood Level Matrix]


Once the Likelihood Level is defined, proceed to the Risk Exposure Matrix.


2. Risk exposure

  • As a reminder:

    Risk = Likelihood × Impact

    Select the Impact; the Risk Level is then determined automatically on the matrix.

    [Figure: Risk Level Matrix]

    📌 Note: The Likelihood Level and Risk Exposure matrix model and process are taken from NIST 800-161r1, “section D.4.1.7. Risk Response Analysis”, page 227 (extended from 4 levels to 5 levels).
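The two-stage calculation described above (Likelihood = Threat Level × Vulnerability, then Risk = Likelihood × Impact on five-level scales), worked through for the page's MFA example. This is an added illustration, not the tool's own code: the level names, the banding thresholds that turn a 1..25 product into one of five levels, and the modelling of control effectiveness as a reduction of the Vulnerability level are assumptions.

```python
"""Two-stage risk matrix on five ordinal levels (1..5).

Assumptions (not from the page): level names, product-to-level thresholds,
and treating implemented controls as lowering the Vulnerability level.
"""
from dataclasses import dataclass

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")  # assumed names


def _check(level: int) -> int:
    """Accept only the five ordinal levels 1..5."""
    if not isinstance(level, int) or not 1 <= level <= 5:
        raise ValueError(f"level must be an integer in 1..5, got {level!r}")
    return level


def _band(product: int) -> str:
    """Map a 1..25 product onto five levels (thresholds are an assumption)."""
    for upper, name in ((2, 0), (5, 1), (10, 2), (16, 3), (25, 4)):
        if product <= upper:
            return LEVELS[name]
    raise ValueError(product)


def likelihood_level(threat: int, vulnerability: int) -> str:
    """Stage 1: Likelihood = Threat Level x Vulnerability."""
    return _band(_check(threat) * _check(vulnerability))


def risk_level(likelihood: str, impact: int) -> str:
    """Stage 2: Risk = Likelihood x Impact, with Likelihood given as a level name."""
    return _band((LEVELS.index(likelihood) + 1) * _check(impact))


@dataclass
class Scenario:
    threat: int                 # threat level, 1..5
    inherent_vulnerability: int  # vulnerability with no controls, 1..5
    impact: int                 # impact level, 1..5
    control_reduction: int      # assumed: levels of vulnerability removed by controls


def assess(s: Scenario) -> dict:
    """Inherent risk (no controls) beside current risk (after controls)."""
    inherent_l = likelihood_level(s.threat, s.inherent_vulnerability)
    current_vuln = max(1, s.inherent_vulnerability - s.control_reduction)
    current_l = likelihood_level(s.threat, current_vuln)
    return {"inherent_likelihood": inherent_l,
            "inherent_risk": risk_level(inherent_l, s.impact),
            "current_likelihood": current_l,
            "current_risk": risk_level(current_l, s.impact)}


# Constructed values for the MFA example: MFA on most systems lowers
# vulnerability by two levels, but unprotected legacy systems keep risk at High.
MFA_EXAMPLE = assess(Scenario(threat=4, inherent_vulnerability=5, impact=4, control_reduction=2))
```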