Introduction
A risk assessment can assist you with making effective and timely decisions about the management of risk in your organisation. This can help to increase the likelihood of you achieving your organisational objectives and ensuring public safety, even if you are caught up in a terrorist attack.
This guidance will help you to plan and implement an effective risk assessment in your organisation across three core sections:
1. Context and leadership
   This section will help you to set the scene for your assessment and establish the organisational roles and responsibilities required to implement the risk management process.
2. Planning a risk assessment
   This section introduces the core components of a risk assessment alongside key considerations in the planning process, such as the selection of a risk assessment approach and the setting of risk criteria. The ProtectUK approach to assessing risk is also presented here for consideration, alongside additional information that will help you to understand and adapt the risk management process (RMP) to suit your organisational needs and context.
3. Risk assessment process (ProtectUK approach)
   This section provides a step-by-step breakdown of the ProtectUK approach to assessing risk, covering risk identification, risk analysis, risk evaluation and risk treatment. These activities are broken down into 5 distinct stages, with supporting resources provided where relevant.
It is highly recommended that you review all sections of this guidance before undertaking your risk assessment.
Key Terms
risk
effect of uncertainty on objectives
risk scenario
sequence or combination of events leading from the initial cause to the unwanted consequence
risk owner
person or entity with the accountability and authority to manage a risk
risk source
element which alone or in combination has the potential to give rise to risk
risk criteria
terms of reference against which the significance of a risk is evaluated
risk appetite
amount and type of risk that an organisation is willing to pursue or retain
threat
potential cause of an information security incident that can result in damage to a system or harm to an organization
vulnerability
weakness of an asset or control that can be exploited so that an event with a negative consequence occurs
event
occurrence or change of a particular set of circumstances
likelihood
chance of something happening
consequence
outcome of an event affecting objectives
level of risk
significance of a risk, expressed in terms of the combination of consequences and their likelihood
control
measure that maintains and/or modifies risk
residual risk
risk remaining after risk treatment
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk
risk assessment
overall process of risk identification, risk analysis and risk evaluation
risk identification
process of finding, recognizing and describing risks
risk analysis
process to comprehend the nature of risk and to determine the level of risk
risk evaluation
process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its significance is acceptable or tolerable
risk treatment
process to modify risk
risk acceptance
informed decision to take a particular risk
risk sharing
form of risk treatment involving the agreed distribution of risk with other parties
risk retention
temporary acceptance of the potential benefit of gain, or burden of loss, from a particular risk
Source: ISO Guide 73:2009; ISO 31000:2018; ISO 27005:2022
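The definitions above form a chain: a risk scenario is analysed into a likelihood and a consequence, those combine into a level of risk, the level is evaluated against the risk criteria, controls are applied as risk treatment, and what remains is the residual risk that the risk owner decides to accept, monitor or treat further. The following Python script is an added example, not code from the ProtectUK guidance or from ISO; it runs that chain over a small risk register. The five-point ordinal scales, the product-based scoring, the thresholds in `RiskCriteria`, the way a control shifts a rating, and the three sample scenarios are all assumptions constructed for the example; the guidance does not prescribe any of them.

```python
from dataclasses import dataclass, field

# Ordinal scales. Assumption: these five-point scales are constructed for the
# example; the guidance does not prescribe scale values or risk criteria.
LIKELIHOOD_SCALE = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE_SCALE = ["negligible", "minor", "moderate", "major", "severe"]


def score(scale: list, label: str) -> int:
    """Ordinal position of a rating on its scale, 1..5."""
    return scale.index(label) + 1


def shift_down(scale: list, label: str, steps: int) -> str:
    """Move a rating down the scale by `steps`, never below the lowest value."""
    return scale[max(0, scale.index(label) - steps)]


@dataclass
class Control:
    """A measure that modifies risk. Assumption: a control is modelled as
    removing whole steps from the likelihood and/or consequence rating."""
    name: str
    likelihood_steps: int = 0
    consequence_steps: int = 0


@dataclass
class RiskScenario:
    """Sequence of events from a risk source to an unwanted consequence,
    with the accountable risk owner and the controls applied as treatment."""
    description: str
    risk_source: str
    risk_owner: str
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)


@dataclass
class RiskCriteria:
    """Terms of reference for evaluation: inclusive upper bounds on level of risk."""
    acceptable_max: int = 4
    tolerable_max: int = 12


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Combination of consequence and likelihood (assumed here: the product
    of the two ordinal scores, giving a 1..25 range)."""
    return score(LIKELIHOOD_SCALE, likelihood) * score(CONSEQUENCE_SCALE, consequence)


def evaluate(level: int, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare a level of risk with the risk criteria."""
    if level <= criteria.acceptable_max:
        return "acceptable"
    if level <= criteria.tolerable_max:
        return "tolerable"
    return "unacceptable"


def residual_rating(scenario: RiskScenario) -> tuple:
    """Risk treatment: apply the scenario's controls and return the residual
    likelihood, consequence and level of risk."""
    likelihood, consequence = scenario.likelihood, scenario.consequence
    for control in scenario.controls:
        likelihood = shift_down(LIKELIHOOD_SCALE, likelihood, control.likelihood_steps)
        consequence = shift_down(CONSEQUENCE_SCALE, consequence, control.consequence_steps)
    return likelihood, consequence, level_of_risk(likelihood, consequence)


def assess(scenarios: list, criteria: RiskCriteria) -> list:
    """Risk identification is the caller's job (the scenarios list). This runs
    analysis, evaluation and treatment for each scenario and returns a register
    ordered so the highest residual risk comes first."""
    register = []
    for s in scenarios:
        inherent = level_of_risk(s.likelihood, s.consequence)
        _, _, residual = residual_rating(s)
        rating = evaluate(residual, criteria)
        register.append({
            "scenario": s.description,
            "risk_owner": s.risk_owner,
            "inherent_level": inherent,
            "inherent_rating": evaluate(inherent, criteria),
            "residual_level": residual,
            "residual_rating": rating,
            "decision": "further treatment required" if rating == "unacceptable"
                        else "accept, monitor and review",
        })
    return sorted(register, key=lambda row: row["residual_level"], reverse=True)


# Constructed sample register entries (not taken from the guidance).
SAMPLE_SCENARIOS = [
    RiskScenario("Unauthorised person reaches a staff-only area during an event",
                 "tailgating at staff entrance", "Head of Security", "possible", "major",
                 [Control("access-controlled doors with badge logging", likelihood_steps=1)]),
    RiskScenario("Loss of CCTV coverage leaves an incident undetected",
                 "equipment failure", "Facilities Manager", "likely", "severe"),
    RiskScenario("Evacuation route blocked by stored deliveries",
                 "poor housekeeping", "Venue Manager", "almost certain", "moderate",
                 [Control("daily route inspection and clear-zone marking", consequence_steps=1)]),
]

SAMPLE_CRITERIA = RiskCriteria(acceptable_max=4, tolerable_max=12)

if __name__ == "__main__":
    for row in assess(SAMPLE_SCENARIOS, SAMPLE_CRITERIA):
        print(f"{row['residual_level']:>2} {row['residual_rating']:<12} "
              f"{row['decision']:<28} {row['scenario']} ({row['risk_owner']})")
```

Running the script prints the register with the untreated CCTV scenario at the top, still rated unacceptable after treatment because no control has been assigned to it; the other two scenarios drop from their inherent level into the tolerable band once their controls are applied. The point of separating `evaluate` from `residual_rating` is that the risk criteria are set once, in the planning stage, and every scenario is then judged against the same terms of reference rather than case by case.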