Risk Assessment and Analysis

Key Takeaways

  • Risk assessment = identification + analysis + evaluation; risk analysis can be qualitative (likelihood x impact ratings) or quantitative (SLE, ARO, ALE in currency).
  • Single Loss Expectancy (SLE) = Asset Value x Exposure Factor; Annualized Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO).
  • Inherent risk is before controls; residual risk is what remains after controls — the manager compares residual risk against risk appetite and tolerance.
  • Risk evaluation ranks risks against criteria so management can decide treatment; the assessment informs the decision but does not make it.
Last updated: June 2026

What Risk Assessment Actually Comprises

In ISACA terminology, risk assessment is the overall process containing three steps: risk identification (what could go wrong), risk analysis (how likely and how damaging), and risk evaluation (how it ranks against criteria so management can decide). The assessment informs the decision; it does not make the decision — that distinction is heavily tested.

Risk analysis comes in two flavors:

| Method | How it expresses risk | Strength | Weakness |
|---|---|---|---|
| Qualitative | Ratings: High/Medium/Low likelihood x impact | Fast, intuitive, needs no precise data | Subjective; hard to compare or aggregate |
| Quantitative | Monetary values (e.g., ALE in dollars) | Supports cost-benefit and budgeting | Data-hungry; false precision risk |
| Semi-quantitative | Numeric scales (1-5) mapped to ranges | Balances both | Still partly subjective |

Many enterprises use a risk heat map (likelihood on one axis, impact on the other) to present qualitative results to executives — a useful communication tool, but the underlying ratings still need defensible justification.

The Quantitative Formulas You Must Know

CISM expects fluency with these formulas:

  • Exposure Factor (EF) = percentage of asset value lost in a single event.
  • Single Loss Expectancy (SLE) = Asset Value (AV) x EF.
  • Annualized Rate of Occurrence (ARO) = expected number of events per year.
  • Annualized Loss Expectancy (ALE) = SLE x ARO.

Worked Example

A customer database is valued at $2,000,000. A ransomware event is estimated to destroy 30% of that value (EF = 0.30), and such an event is expected once every four years (ARO = 0.25).

  • SLE = $2,000,000 x 0.30 = $600,000
  • ALE = $600,000 x 0.25 = $150,000 per year

A proposed control costs $80,000 per year and is expected to cut the ARO in half (to 0.125), reducing ALE to $75,000. The annual risk reduction is $150,000 - $75,000 = $75,000, which is less than the $80,000 control cost. On pure cost-benefit, the control is not justified — though the manager may still recommend it if regulatory or reputational factors apply.
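The four formulas and the worked example above in Python, as an added example that is not code from the page or from ISACA. `worked_example()` uses the page's figures; `ale_range()` goes beyond the page by carrying low/high input estimates through to an ALE range, and the sample bands it is called with are constructed.

```python
# Added example, not from the page: quantitative risk analysis helpers built on
# the CISM formulas SLE = AV x EF and ALE = SLE x ARO. worked_example() uses the
# page's figures; ale_range() goes beyond the page to show input uncertainty.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of asset value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is expected events per year (once per 4 years = 0.25)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def control_cost_benefit(ale_before: float, ale_after: float, annual_cost: float) -> dict:
    """Compare the annual risk reduction a control buys with its annual cost."""
    reduction = ale_before - ale_after
    return {
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "justified_on_cost_benefit": reduction > annual_cost,
    }

def ale_range(av_range, ef_range, aro_range):
    """Low/high ALE from (low, high) input ranges, so the figure is reported as a
    range with stated assumptions rather than a single point estimate."""
    low = annualized_loss_expectancy(single_loss_expectancy(av_range[0], ef_range[0]), aro_range[0])
    high = annualized_loss_expectancy(single_loss_expectancy(av_range[1], ef_range[1]), aro_range[1])
    return low, high

def worked_example() -> dict:
    """The page's scenario: AV $2,000,000, EF 0.30, ARO 0.25, and an $80,000/yr
    control that halves the ARO to 0.125."""
    sle = single_loss_expectancy(2_000_000, 0.30)
    ale = annualized_loss_expectancy(sle, 0.25)
    ale_with_control = annualized_loss_expectancy(sle, 0.125)
    decision = control_cost_benefit(ale, ale_with_control, 80_000)
    return {"sle": sle, "ale": ale, "ale_with_control": ale_with_control, **decision}

if __name__ == "__main__":
    print(worked_example())
    # Constructed uncertainty bands around the same inputs (an assumption, not page data)
    print(ale_range((1_500_000, 2_500_000), (0.20, 0.40), (0.20, 0.50)))
```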

Inherent Versus Residual Risk

  • Inherent risk is the risk level before any controls are applied.
  • Residual risk is what remains after controls.

The manager compares residual risk against the enterprise's risk appetite (how much risk it is willing to pursue) and risk tolerance (acceptable variation around appetite). When residual risk exceeds appetite, treatment is required. Common trap: comparing inherent risk — not residual risk — to risk appetite, or assuming a control that reduces likelihood also reduces a fixed compliance obligation.

Appetite, Tolerance, and the Evaluation Step

CISM treats risk appetite and risk tolerance as distinct and heavily tested:

  • Risk appetite is the broad amount and type of risk the enterprise is willing to pursue to meet its objectives. It is set by the board and senior management.
  • Risk tolerance is the acceptable variation around that appetite for a specific risk or objective — a tactical boundary, often expressed numerically (for example, "no more than 4 hours of downtime per quarter").

Appetite is strategic and stable; tolerance is operational and measurable. The manager does not set appetite — that is a governance decision — but applies it when evaluating whether a residual risk is acceptable.

Why Evaluation Is Separate From Analysis

Risk analysis produces a level (a dollar figure or a High/Medium/Low rating). Risk evaluation compares that level against criteria and ranks risks so management can decide what, if anything, to do. CISM separates these because a risk can be analyzed correctly yet evaluated differently by two enterprises with different appetites — the same $150,000 ALE may be tolerable to a large bank and unacceptable to a startup.

| Concept | Set by | Nature | Example |
|---|---|---|---|
| Risk appetite | Board / executives | Strategic, broad | "We avoid risks that threaten customer trust" |
| Risk tolerance | Risk/business owners | Tactical, measurable | "Max 0.1% transaction error rate" |
| Residual risk | Result of controls | Measured level | $75,000 ALE after MFA deployment |

Worked Scenario

An analysis shows a system's residual risk at a Medium rating, and the enterprise's stated appetite accepts Medium for non-customer-facing systems but not for customer-facing ones. The system is customer-facing. The correct conclusion is that residual risk exceeds appetite and treatment is required — even though the rating itself did not change. Common trap: stopping at the Medium rating and accepting it without checking the appetite criteria that apply to this asset class. The evaluation step is what converts a number into a decision.
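The evaluation step from this scenario as an added Python example, not code from the original page; the rating scale, the appetite-by-asset-class table and the sample register are assumptions constructed from the scenario.

```python
# Added example, not from the page: the evaluation step. It compares an analysed
# residual-risk rating with the appetite criteria for the asset's class and ranks
# the register for the decision-maker. Scale and appetite table are constructed.

RATING_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Highest residual rating accepted per asset class. Assumed from the page's
# scenario: Medium is acceptable only for non-customer-facing systems.
APPETITE_BY_CLASS = {
    "customer-facing": "Low",
    "non-customer-facing": "Medium",
}

def requires_treatment(residual_rating: str, asset_class: str) -> bool:
    """True when residual risk exceeds appetite for this asset class. An asset
    class with no stated criteria is an error, not an implicit acceptance."""
    if asset_class not in APPETITE_BY_CLASS:
        raise KeyError(f"no appetite criteria defined for asset class {asset_class!r}")
    return RATING_ORDER[residual_rating] > RATING_ORDER[APPETITE_BY_CLASS[asset_class]]

def evaluate(risks):
    """Rank risks: those exceeding appetite first, then by residual rating,
    highest first. Each risk is a dict with name, residual and asset_class."""
    evaluated = [{**r, "exceeds_appetite": requires_treatment(r["residual"], r["asset_class"])}
                 for r in risks]
    return sorted(evaluated,
                  key=lambda r: (r["exceeds_appetite"], RATING_ORDER[r["residual"]]),
                  reverse=True)

# Constructed sample register (assumption, not page data). Note the two Medium
# ratings: the same level is within appetite for one class and not the other.
SAMPLE_REGISTER = [
    {"name": "customer portal", "residual": "Medium", "asset_class": "customer-facing"},
    {"name": "internal wiki", "residual": "Medium", "asset_class": "non-customer-facing"},
    {"name": "payroll export", "residual": "High", "asset_class": "non-customer-facing"},
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_REGISTER):
        status = "treatment required" if r["exceeds_appetite"] else "within appetite"
        print(f"{r['name']:16} {r['residual']:7} {status}")
```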

One more tested subtlety: quantitative results carry false precision risk. An ALE expressed to the dollar can imply more certainty than the underlying estimates of asset value, exposure factor, and occurrence rate actually support. The manager should present quantitative figures as ranges or with stated assumptions, and avoid letting a single point estimate override judgment. Conversely, qualitative ratings are fast but subjective, so their criteria must be documented so two assessors reach comparable results.

The strongest assessments pair a defensible method with transparent assumptions and route the ranked, evaluated risks to the owner who will decide treatment.

Test Your Knowledge

An asset is valued at $500,000. A single fire is expected to destroy 40% of its value, and fires of this type occur about once every 10 years. What is the Annualized Loss Expectancy (ALE)?

Test Your Knowledge

When deciding whether the current risk level requires treatment, against which value should the information security manager compare the risk?
