Performing Enterprise Risk Assessments

Written by James Morgenstein | Apr 15, 2023

Enterprise risk assessments need to be performed regularly (e.g., at least annually) to identify or update your organization’s susceptibility to an array of defined and new risk scenarios. This process should result in the determination of the potential impact of each risk scenario being assessed. Risk assessment results that are more than a year old may not be an accurate representation of risks that could impact your organization today. Without valid risk assessment results, your organization will likely have no way to determine risks to operations, assets, and individuals. Annual risk assessments are not only a best practice, but they also provide validation to external entities that your organization routinely monitors applicable risks and applies appropriate risk treatment or mitigation.

Effective Risk Assessment Programs

To be effective, your risk management program should include a documented process to identify risks. Risk identification generally assesses an inventory of information systems and data that are required for business operations and defines the potential threats to the organization’s systems and operations. The risk identification process is not intended to identify every conceivable operational risk. It should be an exercise that focuses on risks that are most important to your organization’s operational business needs. There are many different ways operational risks can be identified.

Sample cybersecurity risk assessment tools include:

  • Using questionnaires and surveys
  • Interviewing managers, system owners, and subject matter experts
  • Collecting input from asset and service stakeholders
  • Reviewing internal and external historical data
  • Acquiring external consultative expertise

Throughout the process of collecting and compiling this information, be sure to include potential security risks that apply to your organization. Once potential risks have been identified, they can be leveraged to expand or reduce the items that are addressed as part of the risk assessment process.

Cybersecurity Risk Assessment Framework

Risk assessments should consider threats, vulnerabilities, likelihood, and impact on your organization’s operations, information assets, individuals, other organizations, and in some cases the Nation. They should also be appropriately updated when major changes occur within your organization or operational environment. Performing risk assessments at least annually and when significant changes occur allows you to keep up to date with your environmental changes as well as evolving threats, trends, and technologies. Risk assessment results may play an important role in your control selection processes, particularly when control tailoring guidance is applied.

Third-Party Risk Assessment Protocol

Risk assessments should address risks from external organizations. Contractors or other third-party personnel that perform functions on behalf of your organization, individuals that access your information systems, and service providers should all be included in the items addressed during risk assessments. You will likely find useful risk-related information within the output from an effective third-party risk management program, addressed later in this book.

Risk assessments may be either quantitative or qualitative. Regardless of the type you select, be sure that they are consistent and comparable. This helps to ensure the prioritization of resources required to manage identified risks can be determined. Risk assessment results need to be documented and reviewed after each assessment. Risk assessment reports should be delivered to appropriate stakeholders. Reports should also be retained to serve as evidence for future assessments, audits, or examinations of your organization’s risk management controls.

Pro Tip:

You do not need to start the annual risk assessment process from scratch every year. There are solutions available that will maintain your risk assessment results in perpetuity. This provides the ability to make updates or changes in real-time as they occur and have risk assessment results that are always current.

Assessment results at the organization level, business process level, or system level should be integrated with risk management decisions whenever possible. Benchmarks or target performance metrics should be established to demonstrate improvement or regression of your organization’s risk posture over time.

Generally, the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of information systems should be included in the risk assessment process. This includes the data processed, stored, or transmitted by information systems. This process should also include the risks associated with using end-of-life (EOL) software or hardware components that are no longer supported by the original vendor or manufacturer. When completing a comprehensive risk assessment, the likelihood and severity of each scenario, along with the resulting risk (likelihood x severity = risk), should be assessed for environmental, human-made, business, and IT risks.

Pro Tip:

You can use the list of risk factors below, along with the associated risk-related questions, to complete an initial risk assessment for your organization. This can be automated by leveraging portal-based solutions to calculate risk scores. Any third-party solution you decide to use should include calendar reminders to ensure responses and remediation items are appropriately updated and calculated.

Not all of the risk factors below are going to apply to every organization, or to all geographical locations where your organization maintains offices or facilities. Developing these responses will provide evidence that you have considered all well-known scenarios and assessed the associated risks for your organization.

Enterprise-Wide Risk Assessment Template:

BUSINESS RISKS:

  • Brand Recognition: Are processes in place to respond to a decline in brand recognition or overall perceived value of the organization? Has there been a recent reduction in perceived value? If so, how has the organization responded?
  • Breach of Confidentiality: Does the organization deal with sensitive customer information? What safeguards are in place to prevent breaches of confidentiality?
  • Business Strategy: Does the organization update the three to five-year business strategy? If so, what procedures are in place to refresh the strategy?
  • Cash Liquidation Problems: What is the financial viability of the organization? If unstable, what marketing or other tools have been administered to combat rumors?
  • Cheaper Alternatives or Products: What is the market competition for your organization? Does the organization have adequate research and development (R&D) efforts to compete in the marketplace?
  • Credit Risk: Is the organization in debt? Does the organization already have or risk having a poor credit rating? How would supplier relationships be affected by a bad credit rating?
  • Critical Component Failure: What are your organization’s critical operational components? What reliance does the organization have on them? If they were to fail, what is the backup or recovery procedure?
  • Customer Satisfaction: How is customer satisfaction measured? What happens when a customer has a negative experience, or an event hurts the relationship with a customer?
  • Customer Service Downtime: How much reliance is placed on customer service? What would be the effect on the organization if customer service became unavailable?
  • Demand for Products and Services: Is the demand for critical or flagship products and services monitored? What happens when there is a reduced need for critical products or services?
  • Employees Not Paid on Time: If the main payroll system were to go down, what is the backup procedure to pay employees? How many payroll systems does the organization use? What risks affect payroll expediency?
  • Employee Onboarding: Are processes defined for the interviewing and hiring of employees based on skills, experience, and education? Are hiring managers trained on organizational requirements? Is screening of new hires performed in accordance with applicable laws and regulations?
  • Espionage or Trespass: Does the organization have an insider threat management program in place? Do you have a foreign travel policy in place? What controls are in place to protect against trespassing within organization-controlled facilities?
  • Exchange Rate Risk: What business operations, or percentage of business, is performed overseas? Does the organization have international partners or suppliers? What percentage of sales revenue is generated overseas?
  • Failed Business Strategies: Are there strategic projects underway or about to begin? What is the expected level of revenue or asset loss in case of a failed strategy?
  • Failure of a Major Project: What projects are currently underway? Does the organization have project management procedures in place? Have there been any significant project failures in the past?
  • Failure to Manage Change: Does the organization have change management processes and procedures in place? How well are they followed? Have there been any issues with change management in the past? Have there been occurrences of unauthorized changes?
  • Fraud or Embezzlement: What systems within the organization are susceptible to embezzlement? Who has access to these systems? What monitoring controls have been implemented to pinpoint or prevent financial fraud?
  • Government Action or Policy: Is the industry of the organization highly regulated (e.g., pharmaceutical, food, consumer packaged goods, manufacturing)? Have regulations that impact the organization’s compliance requirements been defined?
  • Human Error – Maintenance: Have there been any instances of human maintenance errors in the past? Are there procedures in place to check in and escort vendors while they perform maintenance work in your organization’s facilities?
  • Human Error – Operations: Have there been any instances where someone wrongly executed a core business operation? Did the results have a large impact? If so, what corrective measures have been implemented?
  • Ineffective or Outdated SLAs: How often are SLAs reviewed and updated?
  • Ineffective Supplier Evaluation: How many suppliers does the organization rely on to support operations? Does the organization have defined personnel in charge of supplier or vendor contract management? Does the organization maintain secondary suppliers for critical parts and services?
  • Interest Rate Risk: Do fluctuating interest rates impact debt payments or future infrastructure investment?
  • Lack of Documented Procedures: Are key processes documented? Are procedures updated regularly and when needed as a result of a process change? Does the organization have access to a technical writer?
  • Lack of Formal Budget Process: Does the organization have an annual budgeting process and a formal budget? How is the budget formed? Who reviews and approves the budget?
  • Lack of Innovation: Is the organization in a design-intensive industry (e.g., software, manufacturing, pharmaceutical)? Does the organization have adequate design efforts to compete in the marketplace?
  • Legal and Regulatory Risk: Does the organization have a legal department? Is the legal department able to focus on common, new, and changing litigation areas? Does the legal department monitor applicable regulations for changes that may impact the organization?
  • Liability of Products or Services Delivered: What are your organization’s critical operational components? What reliance does the organization have on them? If they were to fail, what is the backup or recovery procedure?
  • Libel or Slander: What is the culture and environment of the organization? Have libelous or slanderous statements been made in the past? If so, how was the reputation of the organization impacted?
  • Loss of Critical Customer: Does the organization rely on certain customers for a large percentage of revenue? How many customers does the organization have? What customer grosses the highest revenue percentage? What is the revenue growth plan if this customer is no longer available?
  • Loss of Hard Copy Documents: Does the organization rely on hard copy documents for key processes and procedures? What is the backup or recovery plan if the hard copies were to be destroyed or otherwise no longer available?
  • Loss of Key Personnel or Skill Set: Are any positions critical to the successful business operations of the organization? Does functional cross-training take place regularly? Are key positions documented sufficiently so that, in the case of an absence, someone could fill in for key positions? Does the organization maintain a succession plan for personnel?
  • Merger & Acquisition Targeting: Is the organization going to be acquired shortly? If so, what procedures are in place to prevent rumors?
  • Misuse of Resources: Are there any resources owned by your organization that are made available to personnel (e.g., company cars, computers, credit cards, etc.)? What controls are in place to prevent the misuse of these resources?
  • Over-Reliance on a Single Sales Channel: What sales channels are used to market the organization’s products and services? Are there sales reviews that look at channels, avenues, and associated net new revenue?
  • Personnel Security: Is the employment lifecycle managed in accordance with relevant laws and regulations?
  • Price War: Who are the major competitors of the organization? Are products and services competitively priced? Have any industry breakthroughs introduced new competition for the organization?
  • Raw Materials or Process Materials: What products or materials is the organization reliant upon to do business? Do any of these product industries have volatile service or availability? Who are the key suppliers for the organization? Are there backup plans in case key suppliers are unable to meet supply demands?
  • Recession: What is the current economic makeup of the organization’s environment? What impact would a recession have on operations? What controls are in place to limit the impact a recession may have on the organization?
  • Sales Forecasting: Are sales and revenue forecasts made regularly? What are the results of lower-than-expected sales? Have there been any occurrences of layoffs or other impacts because of missing forecasted goals?
  • Share Price Slump: What is the stock performance history of the organization? What safeguards are in place to prevent share prices from dropping?
  • Single Points of Failure: Is there any hardware that must always be available? Are there any personnel that would jeopardize operations if they became incapacitated or left the organization? If so, is there redundancy or documentation in place to respond to a single point of failure?
  • Workplace Safety: Are safety requirements and associated processes documented? Are procedures updated regularly and when needed because of a process change? Are personnel trained in workplace safety?

ENVIRONMENTAL RISKS:

  • Avalanches: Are any of your facilities located in a heavy snow area? Do these buildings back up to a hill or mountain? Has an avalanche ever occurred in any of these areas?
  • Cyclones: Are cyclone events that may impact any of your facilities common? If so, what actions are taken when a cyclone occurs? Are your facilities built to withstand high winds? Do building windows have proper covering? Are flooding materials kept on hand (e.g., sandbags, shovels, etc.)?
  • Droughts: Are drought events common for any area where your organization maintains a facility? If so, where does the city get its water supply? If the water supply is affected, is water available from an alternate source with established service level agreements (SLAs)?
  • Earthquakes: Are any of your facilities located on or near a fault line? If so, do these buildings comply with local seismic building codes? Is critical hardware bolted down to prevent movement? Does your organization have earthquake insurance?
  • Electrical Storms: Are lightning events common for any geographic area where your organization maintains a facility? How has lightning normally affected operations in the past? Are your facilities able to sustain operations in the event of a power outage?
  • Extreme Heat: What is the average temperature in summer months for the locations in which your organization maintains facilities? How have extreme temperatures affected these locations in the past? Have buildings lost power? Was there a threat to heating, ventilation, and air conditioning (HVAC) units?
  • Flooding: Do any areas where your organization maintains facilities experience heavy rainfall? Are any facilities located near reservoirs, riverbeds, dams, etc.? Are any facilities located in a flood plain? For flood-prone areas, is data center equipment kept above ground?
  • Freezing Temperatures or Ice: What is the average temperature in winter months for the locations in which your organization maintains facilities? How have extreme temperatures affected these locations in the past? Have water pipes been routinely affected by freezing temperatures?
  • Hail: Do any areas where your organization maintains facilities experience common hail events? If so, what precautions are in place to prevent associated risks?
  • High Winds: Are sustained high winds common for any area where your organization maintains facilities? If so, what precautions are in place to prevent the risks associated with high-wind damage to personnel and property?
  • Hurricanes: Are hurricanes that may impact any of your facilities common? If so, what actions are taken when a hurricane occurs? Are your facilities built to withstand hurricane-force winds? Do building windows have proper coverings? Are flooding materials kept on hand (e.g., sandbags, shovels, etc.)?
  • Land Subsidence: Are any of your facilities located near any wells, mines, or aquifers (natural wells)? Is there water, oil, or gas pumping performed near any of your facilities? Have there been any cases of land subsidence in the area?
  • Landslides: Do any of your organization’s facilities back up to hills, mountains, or cliffs? If so, what actions are taken to protect assets and personnel in the event of a landslide? Do any areas experience frequent earthquakes, heavy rainfall, or heavy runoff?
  • Pandemic or Epidemic: Are any facilities maintained by your organization located in highly populated areas? Is social distancing able to be enforced during a pandemic or epidemic event? Does your organization maintain a suitable amount of personal protective equipment (PPE) for all personnel?
  • Rodents: Have any of your facilities, or neighboring buildings, had a problem with rodents in the past? Is cabling protected from potential damage by rodents?
  • Sandstorms: Are there plentiful amounts of sand near any of your facilities? Are sandstorm events common in these areas? If so, what protective measures have been implemented?
  • Tornados: Is tornadic activity that may impact any of your facilities common? If so, what actions are taken when a tornado occurs? Are tornado shelters available for all personnel? Are your facilities built to withstand high winds? Do your building windows have proper coverings or protection? Does your organization have insurance coverage for tornados?
  • Tsunamis or Tidal Waves: Are any of your facilities located near an ocean? Are tsunami or tidal wave events that may impact any of your facilities common? Are any of these facility locations also prone to earthquakes or other underwater movements (e.g., volcanic eruptions, landslides)? Do building windows have proper covering? Are flooding materials kept on hand (e.g., sandbags, shovels, etc.)?
  • Typhoons: Are typhoon events that may impact any of your facilities common? If so, what actions are taken when a typhoon occurs? Are buildings built to withstand high winds? Do building windows have proper coverings? Are flooding materials kept on hand (e.g., sandbags, shovels, etc.)?
  • Volcanic Activity: Are any of your facilities located near a volcano? If so, has the volcano ever been active? Are documented procedures in place to respond to a volcanic eruption?
  • Wildfires: Are any areas where your organization maintains or occupies a facility susceptible to wildfires? Has a wildfire ever impacted any of these locations? Does the organization maintain insurance coverage for wildfires?
  • Winter Storms or Blizzards: Are winter storms or blizzards that may impact any of your facilities common? Have there been occurrences of a work stoppage due to these types of storms? Has loss of power, water, or fuel ever occurred due to a winter storm or blizzard?

HUMAN-MADE RISKS:

  • Active Shooter: Has an active shooter scenario ever impacted your organization? Have personnel been trained on how to respond during an active shooter scenario?
  • Air Pollution: What is the general air quality in the areas where your organization maintains facilities? Are any buildings next to a manufacturing plant?
  • Aircraft Crash: What airports are near your facilities? What types of aircraft fly in and out of the nearby airports? Do aircraft traffic patterns cross over any of your facilities?
  • Ancillary Equipment Failure (HVAC or Temperature Inadequacy): How many HVAC units are needed to maintain minimal temperature requirements in the data center? At what utilization are HVAC units currently running?
  • Arson: What fire protection system do you use in the data center (e.g., FM 200)? What monitoring controls are in place to detect fires? Are there any fire prevention measures in place?
  • Bomb Threats: Has your organization ever experienced a bomb threat? Are personnel trained on how to respond to a bomb threat? Have any neighboring buildings ever received a bomb threat?
  • Building Defects or Collapses: Is there any protection in the data center for building collapses? If a building collapse occurs, what are the current backup or recovery procedures?
  • Civil Unrest or Riots: Are any buildings located near a college or university? Are any buildings located near government buildings? Have there been any workplace riots or disputes in the past?
  • Explosion (Accidental): What safeguards are in place to prevent explosions of generators, electrical circuits, combustible materials, etc.?
  • Extortion: Have there been any instances of extortion in the past that have impacted the organization?
  • Labor Disputes or Strikes: Is the workforce unionized? What is the environment and culture of the organization?
  • Mass Casualty Events: Do multiple employees travel together regularly? Do a majority of employees take one form of transportation to work (e.g., transit system)?
  • Neighboring Business Risk: What types of businesses neighbor your organization’s facilities? Are neighboring businesses manufacturing companies or companies that produce or handle chemicals or other hazardous materials?
  • Power Outages: What safeguards are in place to mitigate the risks associated with power surges, electrical power failures, internal power failures, or bad power supplies? Do these events occur often?
  • Radioactive Contamination: Are any of your facilities located near a nuclear power plant? How far away is the nearest power plant?
  • Sabotage (External or Internal): What is the culture and environment of the organization? Have there been any instances of workplace violence or sabotage in the past? Are information systems and infrastructure protected to prevent tampering?
  • Social Engineering: Have there been any instances of successful social engineering attacks (e.g., phishing, pretexting, baiting, quid pro quo, tailgating)? Is training provided to personnel to protect against social engineering attacks?
  • Terrorism or Bioterrorism: Are any of your organization’s facilities located in areas that are highly susceptible to terrorism (e.g., a major city, near national landmarks, etc.)?
  • Toxic Contaminations: Does your organization handle any toxic materials? If so, what controls or procedures are in place to prevent contamination?
  • Utility Outage or Shortage – Fuel: Do you have any equipment that relies on natural or refined gas (e.g., generators)? Are SLAs in place for refilling fuel? If so, what are the terms?
  • Utility Outage or Shortage – Power: Are any of your facilities in an area that experiences frequent power outages? Is there a backup power source (e.g., generator)? How much backup power is available and what does it support?
  • Utility Outage or Shortage – Water: Where does the city in which you have a facility get its water supply? If the water supply is affected, is water available from alternate sources with defined SLAs? Does the data center utilize water-cooling racks? Do these racks have a standalone water system? If the building were evacuated due to a lack of water, could key processes be conducted from a secondary or remote location?
  • Vandalism: Have there been any instances of vandalism in the past?
  • Vehicle Accident – Airport: Are airports needed for business transactions or continuity of operations? If an airport becomes unavailable, what are the backup or recovery procedures?
  • Vehicle Accident – Highway: Are any of your facilities located near a major highway or roadway? If there was a crash or a hazardous spill, would the building be affected? Do most employees travel by car to work?
  • Vehicle Accident – Railway: Are any of your facilities located near a major railway? Are toxic materials transported on these railways?
  • Vehicle Accident – Waterway: Are any of your facilities located near a major waterway or docking harbor? Are toxic materials transported on these waterways?
  • War or Invasion: Is there currently a war or an imminent threat of war in any location where your organization maintains or supports operations? Does the war or threat of war affect suppliers or business continuity processes for your organization?
  • Water Leaks or Plumbing Failures: How old is the plumbing system in your facilities? Is it checked regularly and properly maintained? Do pipes run through key areas of the data center? Is there a leak detection system in place?
  • Water Pollution: Are any facilities located in an area where water pollution is a common problem? If a building were unusable due to contaminated water, could key processes be performed from a secondary or remote location?
  • Workplace Violence: What is the culture and environment of the organization? Has there been a history of workplace violence? Does the organization provide training to prevent workplace violence, harassment, and discrimination?

IT RISKS:

  • Backup Process or Media Failures: Are backup procedures formally documented? Are restoration procedures formally documented? Are backup media rotated on a set schedule? Are media stored in a dry, cool climate?
  • Consistent Capacity Shortfalls: Are communication lines being monitored for performance? Is the monitoring active or passive? What tools are being used to monitor capacity?
  • COTS Software Failures: What procedures are in place for installing and managing third-party or commercial-off-the-shelf (COTS) software? Are processes documented for responding to software failures?
  • Cyber Crime: What type of cybersecurity protection is being used to protect the organization (e.g., antivirus, antispam, firewall, IDS, IPS, email filtering, web filtering, etc.)? Does the organization maintain cybersecurity insurance?
  • Database Failures: Does the organization have a defined, multi-layered database security defense strategy? Are privileged users required to use multi-factor authentication for database access? Are database security controls documented in a policy or procedure?
  • Data Integrity: Are processes and controls in place to ensure the continued integrity and quality of data?
  • Data Theft: What security controls are used to protect databases and key financial data from theft?
  • Denial of Service Attacks: What tools are in place to monitor system availability and connectivity to detect potential denial of service attacks? Are the configurations of these tools documented?
  • Email Downtime: Does the organization have a backup email system? Is the email system outsourced? If so, does the outsourced provider have failover capabilities? Does the organization experience frequent email system downtime?
  • Frequent Equipment Failures (Platform and Network Devices): Are equipment configurations documented to help in the restoration and rebuilding of systems?
  • Frequent Need for Emergency Fixes: How are emergency fixes documented? How are changes to the production environment being monitored?
  • Hard Drive Failures: What backup procedures are performed to ensure data is not lost due to hard drive failures?
  • Help Desk Loss of Personnel: Is there a high turnover rate for help desk personnel?
  • High Number of Production Changes: How are changes to the production environment documented? Are system configurations documented? How are production systems being monitored for changes?
  • Human Errors – Programmers: What testing procedures are performed on code changes before promoting them to the production environment? Are rollbacks of changes documented?
  • Human Errors – Users: How is segregation of duties being addressed? Are user access reviews performed regularly?
  • Inadequate Backup Procedures: How are backups being performed? Are restoration tests performed regularly? Are restoration procedures formally documented?
  • Internally Developed Application Failure: Does the organization maintain change control processes and procedures? Do you follow a system development life cycle (SDLC)? Do you validate changes through user testing before placing code into production?
  • Internet Access (Local ISP Connectivity) Failure: Is there a secondary communication line into the organization’s facilities? If so, is it completely independent from the primary line?
  • Lack of an Asset Inventory: Does the organization have an asset management program in place? Is a complete asset inventory documented by an asset management policy? How often is the asset inventory reviewed and updated?
  • Lack of SLAs: Are formal SLAs created with service and hardware providers? Are SLAs reviewed regularly? Does the organization have a vendor management program in place?
  • Lack of System Recovery Strategy: Are backup procedures formally documented? Are restoration procedures formally documented? Are Business Continuity Plans (BCPs) in place? Are BCPs tested at least annually? Are system configurations documented and updated as part of the change control process?
  • Local Area Network Failure: What redundancy is in place within the network? Are hardware configurations documented for network communication devices?
  • Local Storage Failure: Are key storage units backed up? Is backup data transferred off-site? Is that data restored at another location?
  • Local Security Vulnerabilities: What security tools are in place? Is an intrusion detection or intrusion prevention solution in place? What monitoring is in place? Is monitoring active or passive? Does the organization have vulnerability scanning tools and supporting processes in place?
  • System Configurations Not Documented: Are system configurations updated when changes to systems are made?
  • Technology Selection: Are processes in place to support the selection of appropriate information systems and other technology used to support business operations?
  • Telecommunications Failure – Data: Is there a secondary communications line into buildings? Is it completely independent from the primary line? Do you have backup telecommunications circuits in place? Are hardware configurations documented for network communication devices?
  • Telecommunications Failure – Voice: Is there a secondary communications line into buildings? Is it completely independent from the primary line? Do you have backup telecommunications circuits in place? Are hardware configurations documented for network communication devices?
  • Theft of Physical Assets: What controls are in place to limit access to organization buildings or facilities? Are buildings continuously monitored via closed-circuit video cameras or physical guards to prevent the theft of assets?

Your organization may choose to add to this list of items to best suit your needs. If your organization has more than one office or site, it may be appropriate to complete an assessment for each location to accommodate differences in the anticipated likelihood or impact of defined risks between different geographical areas.
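As an added illustration (not code from the book or from Vistrada) of the scoring the text describes, the following Python register applies likelihood x severity = risk to the four template categories, ranks scenarios per location, sums scores per category as a trackable benchmark, and flags results older than the annual refresh window. The 1-5 ordinal scale, the High/Medium/Low bands, the site names and the sample scores are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# The four risk categories the template is organized into.
CATEGORIES = ("business", "environmental", "human-made", "it")
# Assumed 1-5 ordinal scale for both factors; the page only requires that the
# scale be consistent and comparable across assessments.
SCALE_MIN, SCALE_MAX = 1, 5
# Results older than this are treated as stale ("more than a year old").
REFRESH_WINDOW = timedelta(days=365)


@dataclass(frozen=True)
class RiskScenario:
    """One line of the risk register, scored for one location."""
    name: str
    category: str
    location: str
    likelihood: int
    severity: int
    assessed_on: date

    def __post_init__(self) -> None:
        # Reject unknown categories and out-of-range factors so that scores
        # from different assessors and sites remain comparable.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")
        for label, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label} {value} outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def score(self) -> int:
        # The page's formula: likelihood x severity = risk.
        return self.likelihood * self.severity


def rating(score: int) -> str:
    """Map a product score (1-25 on the assumed scale) to an assumed band."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def is_stale(scenario: RiskScenario, today: date) -> bool:
    """True when the result is past the annual refresh window."""
    return today - scenario.assessed_on > REFRESH_WINDOW


def prioritize(scenarios, location=None):
    """Highest risk first (ties broken by name) so resources can be ranked."""
    selected = [s for s in scenarios if location is None or s.location == location]
    return sorted(selected, key=lambda s: (-s.score, s.name))


def category_totals(scenarios, location=None):
    """Sum of scores per category, usable as a benchmark to track over time."""
    totals = defaultdict(int)
    for s in scenarios:
        if location is None or s.location == location:
            totals[s.category] += s.score
    return dict(totals)


def stale_scenarios(scenarios, today):
    """Names of results that must be re-assessed before the register is valid."""
    return sorted(s.name for s in scenarios if is_stale(s, today))


# Constructed sample register: two sites scored against template items.
TODAY = date(2023, 4, 15)
SAMPLE = [
    RiskScenario("Flooding", "environmental", "Site A", 4, 4, date(2023, 1, 10)),
    RiskScenario("Flooding", "environmental", "Site B", 1, 4, date(2023, 1, 10)),
    RiskScenario("Backup Process or Media Failures", "it", "Site A", 3, 5, date(2021, 11, 2)),
    RiskScenario("Loss of Key Personnel or Skill Set", "business", "Site A", 2, 3, date(2022, 6, 30)),
    RiskScenario("Power Outages", "human-made", "Site B", 3, 2, date(2023, 3, 1)),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        flag = " (STALE)" if is_stale(s, TODAY) else ""
        print(f"{s.location:7} {s.name:36} {s.score:2} {rating(s.score)}{flag}")
    print("Site A totals:", category_totals(SAMPLE, "Site A"))
```

The same Flooding scenario scores differently at the two sites, which is the per-location difference in likelihood the paragraph above refers to.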

The benefits of completing risk assessments do not end with supporting your overall risk management program. Risk assessment results should also be leveraged to support business impact analysis activities as part of your business continuity program.

Look to Vistrada Cybersecurity experts for more information on assessing risks for any enterprise organization.