The Road to Perform IT Risk Assessment

Best Practices to IT Risk Management

IT risk assessment is defined as an examination of the IT-related tasks, jobs, or processes performed in an organization. It helps the organization delve deeper into specific risks and the control measures that address them. There are five common steps an organization can follow when conducting an IT risk assessment: first, identify and value the assets the organization owns; next, identify the known threats that might arise or be encountered; then, identify the vulnerabilities that might exist; after that, identify the risks the organization faces; and finally, determine the risk treatment.

How to Determine Asset’s Value

In the previous discussion, one of the five steps in performing an IT risk assessment was identifying assets. Once the organization has identified its assets, the next step is to value them so that they can be prioritized effectively. An organization can use three general ways to value assets: Qualitative Valuation, Quantitative Valuation, and Semi-quantitative Valuation. Firstly, Qualitative Valuation is inherently subjective and tends to use rankings such as high, medium, or low. Secondly, Quantitative Valuation uses an objective monetary calculation such as net present value, replacement cost, or book value. Lastly, Semi-quantitative Valuation combines the qualitative and quantitative approaches, resulting in a compromise between the two.

Two Scenario Approaches in Identifying Risk

An organization needs to perform risk identification to determine the risks that might prevent it from achieving its objectives. The impact arising from a risk depends on what is affected. A risk has two preconditions: a threat factor and a second factor that reflects vulnerability. To consider threats and vulnerabilities in more detail, the organization should note that risks can be identified using two scenario approaches. The first is the bottom-up approach: it begins with an asset and considers the kinds of negative outcomes that might befall it. The second is the top-down approach: it starts with a potential threat event and then considers each asset in turn to determine how that asset might be affected by the threat.

Explore the Four Categories of Risk Treatment

A risk that is not handled properly can leave the organization unable to achieve its goals. After identifying and evaluating risks, the next step is to identify the actions for managing them, hereinafter referred to as risk treatment. There are four commonly accepted categories of risk treatment, namely Accept, Transfer, Avoid, and Mitigate.
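The steps described above can be wired together into a small risk register. The following is an added example, not code from the original article: it values constructed sample assets semi-quantitatively, identifies risks with both the bottom-up and top-down scenario approaches (which must agree), and maps each risk to one of the four treatments. The cost bands, likelihood scale and treatment thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

QUAL = {"low": 1, "medium": 2, "high": 3}   # qualitative ranking scale

@dataclass(frozen=True)
class Asset:
    name: str
    qualitative: str          # subjective ranking: low / medium / high
    replacement_cost: float   # objective monetary figure (quantitative)
    vulnerabilities: frozenset

# Constructed sample data: each threat maps to the vulnerabilities it exploits.
THREATS = {
    "ransomware": {"unpatched-os", "no-offline-backup"},
    "insider-misuse": {"shared-admin-account"},
    "flood": {"single-site"},
}
ASSETS = [
    Asset("file-server", "high", 80_000, frozenset({"unpatched-os", "no-offline-backup"})),
    Asset("hr-database", "high", 250_000, frozenset({"shared-admin-account"})),
    Asset("kiosk-pc", "low", 900, frozenset({"unpatched-os"})),
]

def semi_quantitative_value(asset, bands=(10_000, 100_000)):
    """Average the qualitative rank with a rank derived from (assumed) cost bands."""
    cost_rank = 1 + sum(asset.replacement_cost >= b for b in bands)  # 1..3
    return (QUAL[asset.qualitative] + cost_rank) / 2

def bottom_up(assets, threats):
    """Start from each asset and ask which threat events could harm it."""
    return {(a.name, t) for a in assets for t, exploited in threats.items()
            if a.vulnerabilities & exploited}

def top_down(assets, threats):
    """Start from each threat event and ask which assets it could affect."""
    return {(a.name, t) for t, exploited in threats.items() for a in assets
            if a.vulnerabilities & exploited}

def treatment(asset_value, likelihood, transferable=False):
    """Map a risk score (value x likelihood on a 1-3 scale) to a treatment; thresholds assumed."""
    score = asset_value * likelihood
    if score < 2:
        return "accept"        # low value and unlikely: tolerate the risk
    if score >= 7.5:
        return "avoid"         # high value and likely: stop the risky activity
    return "transfer" if transferable else "mitigate"   # e.g. insurance vs. controls

def risk_register(assets, threats, likelihood, transferable=()):
    """Combine valuation, identification and treatment into one register."""
    values = {a.name: semi_quantitative_value(a) for a in assets}
    return sorted((a, t, treatment(values[a], likelihood[t], t in transferable))
                  for a, t in bottom_up(assets, threats))
```

Running `risk_register(ASSETS, THREATS, {"ransomware": 3, "insider-misuse": 2, "flood": 1}, transferable={"flood"})` yields one treatment per identified (asset, threat) pair, and the unexploitable "flood" threat produces no entry because no asset carries the "single-site" vulnerability.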


In summary, there are five common steps to performing an IT risk assessment: identify and value assets, identify known threats, identify vulnerabilities, identify risks, and determine the risk treatment. There are three general ways to value assets: Qualitative Valuation, Quantitative Valuation, and Semi-quantitative Valuation. Once an asset's value has been determined, risks can be identified using the bottom-up approach and the top-down approach. Lastly, there are four categories of risk treatment: accept, transfer, avoid, and mitigate.
