
Step 6: Assess the Target risk

Target Risk refers to the desired level of risk an organisation aims to achieve after implementing all planned risk mitigation measures and controls. It reflects the organisation's risk appetite, tolerance levels, and alignment with strategic goals, compliance requirements, and risk management policies.


Target Risk Statement

A Target Risk Statement provides a concise summary of the desired state of the risk after all planned controls and mitigation measures have been fully implemented. It outlines the acceptable likelihood and impact of the risk, serving as a clear benchmark for evaluating risk management effectiveness.


Example:

"All systems, including legacy platforms, are protected by multi-factor authentication (MFA), reducing the risk of unauthorised access to an acceptable level."


Target Risk Weakness

Target Risk Weakness highlights potential challenges or barriers that might hinder the achievement of the desired risk level. It focuses on identifying resource limitations, technical constraints, or operational obstacles that could prevent full implementation of planned controls.

Example:

"Resource and budget constraints may delay the full rollout of multi-factor authentication (MFA) across all systems."


Target Risk Opportunity

A Target Risk Opportunity identifies potential benefits or positive outcomes that could arise from achieving the desired risk state. It focuses on how reaching the target risk level might improve operational efficiency, enhance resilience, or deliver strategic advantages.

Example:

"Achieving full MFA implementation across all systems will strengthen compliance with regulatory requirements and enhance customer confidence."


Target Risk Summary Table

Term                    | Focus                                                  | Purpose                                     | Example
Target Risk Statement   | Description of the desired risk state after mitigation | Define acceptable risk levels               | Systems fully protected with MFA and monitoring
Target Risk Weakness    | Challenges in achieving target controls                | Highlight barriers to achieving target risk | Resource constraints delaying MFA implementation
Target Risk Opportunity | Positive outcomes from achieving target risk           | Strategic and operational advantages        | Enhanced compliance and client trust

Impact type

Understanding the impact type is essential for assessing how a risk could affect various areas of your organisation. Risks can manifest across multiple dimensions, including financial loss, operational disruption, legal implications, reputational damage, or data breaches.

By defining and selecting the impact type, you can:

  • Clarify the potential consequences of a risk materialising.
  • Prioritise risk responses based on the most critical impact areas.
  • Develop targeted mitigation strategies tailored to specific impact dimensions.
  • Facilitate stakeholder communication by providing a clear picture of potential outcomes.

As described during the inherent risk and current risk analysis, you can now select the relevant impact type from your predefined catalogues to ensure a structured and consistent approach to assessing and managing risks. This selection will also help in aligning risk responses with your organisation's strategic objectives and risk appetite.

By categorising risks based on their impact, you enable more focused decision-making and ensure that resources are allocated effectively to address the most significant threats.


Risk matrix

After defining the Impact Type, determine your Target Risk Level using the Risk Matrix. This step evaluates Likelihood and Impact on the same two matrices used for the inherent and current risk, so the target risk can be compared directly with them.


1. Likelihood Level

Begin by defining the Likelihood of the risk materialising once the planned controls are in place. As a reminder:

    Likelihood = Threat Level × Vulnerability

This combines the severity of the threat with the susceptibility of the system to it and yields a Likelihood Level on the matrix. For the target risk, the Vulnerability value should reflect the state after the planned controls are fully implemented, not the current state.

    [Image: Likelihood_Level_Matrix-2.png]


Once the Likelihood Level is defined, proceed to the Risk Exposure Matrix.


2. Risk exposure

As a reminder:

    Risk = Likelihood × Impact

Select the Impact level; the Risk Level is then read automatically from the matrix, using the Likelihood Level defined in the previous step. The result is the Target Risk Level, which should be compared against the organisation's risk appetite: if it still exceeds the appetite, the planned controls are not sufficient and the Target Risk Statement or the control plan needs revisiting.

    [Image: Risk_Level_Matrix-2.png]

    📌 Note: Likelihood Level and Risk Exposure matrix model and process taken from NIST 800-161r1, "section D.4.1.7. Risk Response Analysis" page 227 (extended from 4 levels to 5 levels).
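The two-step matrix model above, worked through in code as an added example (this is not the tool's own code). Because the page shows the two matrices only as images, the cell values below are an assumed, illustrative banding of the product of the two inputs on a five-point scale; the MFA scenario (threat level, impact, appetite and the vulnerability values before and after the rollout) is constructed for the example. The example also shows the target-risk check against the risk appetite and the effect of the "delayed rollout" weakness described earlier on the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Five-point scale used for threat, vulnerability, likelihood, impact and risk."""
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


# ASSUMPTION: the real matrices are only shown as images on the page, so each cell is
# derived here by banding the product of the row and column levels (1..25).
_BANDS = ((2, Level.VERY_LOW), (5, Level.LOW), (10, Level.MODERATE),
          (16, Level.HIGH), (25, Level.VERY_HIGH))


def _band(product: int) -> Level:
    for upper, level in _BANDS:
        if product <= upper:
            return level
    raise ValueError(f"product {product} lies outside the 5x5 matrix")


def _check(name: str, value: Level) -> Level:
    # Reject raw ints and out-of-range values so a typo in a catalogue entry cannot
    # silently produce a risk level.
    if not isinstance(value, Level):
        raise TypeError(f"{name} must be a Level, got {value!r}")
    return value


def build_matrix() -> list[list[Level]]:
    """Materialise the 5x5 matrix (rows = first input, columns = second input)."""
    return [[_band(r * c) for c in range(1, 6)] for r in range(1, 6)]


def likelihood_level(threat: Level, vulnerability: Level) -> Level:
    """Step 1: Likelihood = Threat Level x Vulnerability, read from the likelihood matrix."""
    return _band(_check("threat", threat) * _check("vulnerability", vulnerability))


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Step 2: Risk = Likelihood x Impact, read from the risk exposure matrix."""
    return _band(_check("likelihood", likelihood) * _check("impact", impact))


@dataclass(frozen=True)
class Assessment:
    likelihood: Level
    risk: Level


def assess(threat: Level, vulnerability: Level, impact: Level) -> Assessment:
    """Run both steps and return the resulting likelihood and risk levels."""
    lik = likelihood_level(threat, vulnerability)
    return Assessment(lik, risk_level(lik, impact))


def within_appetite(risk: Level, appetite: Level) -> bool:
    """A target risk is acceptable only if it does not exceed the stated risk appetite."""
    return risk <= appetite


# Constructed scenario for the MFA example on this page (all values are assumptions):
# unauthorised access to the legacy platforms has HIGH impact, the threat level is HIGH
# and the organisation's appetite for this risk is MODERATE.
THREAT, IMPACT, APPETITE = Level.HIGH, Level.HIGH, Level.MODERATE

# Current risk: no MFA on the legacy platforms -> vulnerability HIGH.
CURRENT = assess(THREAT, Level.HIGH, IMPACT)
# Target risk: MFA enforced on all systems -> vulnerability VERY_LOW.
TARGET = assess(THREAT, Level.VERY_LOW, IMPACT)
# Target Risk Weakness: rollout delayed, legacy platforms still exposed -> vulnerability LOW.
PARTIAL = assess(THREAT, Level.LOW, IMPACT)

if __name__ == "__main__":
    for name, a in (("current", CURRENT), ("target", TARGET), ("partial rollout", PARTIAL)):
        print(f"{name:16} likelihood={a.likelihood.name:9} risk={a.risk.name:9} "
              f"within appetite={within_appetite(a.risk, APPETITE)}")
```

With the assumed banding, the current risk comes out HIGH, the target risk (full MFA) drops to MODERATE and sits within the appetite, while the partial rollout stays HIGH and fails the check, which is exactly the gap the Target Risk Weakness statement is meant to flag. Swap in your own catalogue's matrix cells for `_BANDS` (or replace `_band` with an explicit lookup table) to reproduce the tool's values.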