Risks

Overview

The Risks component is a fundamental part of the Risk Management module, designed to help organizations identify, document, assess, and monitor security risks. This component provides a structured approach to understanding your organization's risk landscape and making informed decisions about risk treatment.

Risk identification and assessment are the foundation of an effective security program, enabling you to focus resources on the most significant threats to your organization. The Risks component integrates with other elements of the Risk & Compliance Suite to provide a comprehensive approach to risk management.

Key Features

Risk Identification and Documentation

  • Risk Register - Maintain a centralized inventory of identified risks

  • Risk Categories - Organize risks by type, source, or affected assets

  • Risk Library - Access pre-defined common security risks as templates

  • Custom Risk Attributes - Define organization-specific risk properties

  • Risk Ownership - Assign responsibility for risk assessment and treatment

Risk Assessment

  • Inherent Risk Evaluation - Assess risks before considering controls

  • Risk Scoring - Calculate risk levels based on likelihood and impact

  • Risk Factors - Consider multiple dimensions in risk assessment

  • Qualitative and Quantitative Assessment - Support different assessment methodologies

  • Risk Visualization - View risks in matrices and heat maps

Risk Treatment

  • Treatment Strategies - Select from accept, mitigate, transfer, or avoid

  • Control Mapping - Link risks to security controls that mitigate them

  • Residual Risk Assessment - Evaluate remaining risk after controls are applied

  • Treatment Tracking - Monitor the implementation of risk treatments

  • Risk Status Management - Track the current state of each risk

Getting Started

Accessing the Risks Component

  1. Log in to your AskInfosec account

  2. Navigate to the main dashboard

  3. Select "Risk Management" from the main navigation menu

  4. Click on "Risks" in the submenu

  5. You will be directed to the Risks dashboard

Risks Dashboard

The Risks dashboard provides an overview of your organization's risk landscape, including:

  • Risk Summary - Visual representation of risk levels and statuses

  • Risk by Treatment - Distribution of risks across treatment strategies

  • Risk by Status - Breakdown of risks by current status

  • Risk by Assignee - Risks grouped by responsible individuals

  • Risk Heat Map - Visual representation of risks by likelihood and impact

  • Recent Activity - Latest changes to risk assessments and treatments

Managing Risks

Creating a New Risk

To add a risk to your risk register:

  1. From the Risks dashboard, click the "Add Risk" button

  2. Enter basic risk information:

    • Risk Name

    • Description

    • Category

    • Owner/Assignee

  3. Click "Create" to add the risk to your register

  4. You will be directed to the risk details page to complete the assessment

Risk Details

The risk details page contains comprehensive information about a specific risk:

  1. Basic Information - Name, description, category, and ownership

  2. Risk Assessment - Inherent and residual risk scores

  3. Risk Treatment - Selected strategy and mitigation actions

  4. Related Items - Associated controls, policies, and other elements

  5. Activity History - Record of changes and assessments

Assessing Risks

To assess a risk's inherent level:

  1. Navigate to the risk details page

  2. In the Inherent Risk section, click "Assess Risk"

  3. For each risk factor (e.g., likelihood, impact):

    • Select the appropriate rating

    • Provide justification for your selection

    • Add supporting notes or evidence

  4. The system calculates an overall risk score based on your inputs

  5. Save the assessment

Risk Treatment

To define how a risk will be addressed:

  1. Navigate to the risk details page

  2. In the Risk Treatment section, select a treatment strategy:

    • Accept - Acknowledge the risk and apply no further treatment; record who accepted it and revisit the decision at the next review cycle

    • Mitigate - Implement controls that reduce the likelihood or the impact of the risk

    • Transfer - Shift the financial impact to a third party (e.g., insurance or a contractual indemnity); accountability for the risk stays with your organization

    • Avoid - Eliminate the risk by changing or discontinuing the activity that creates it

  3. Provide justification for the selected strategy

  4. If mitigating, create mitigation tasks (see Mitigations guide)

  5. Save the treatment plan

Assessing Residual Risk

After defining risk treatments:

  1. Navigate to the risk details page

  2. In the Residual Risk section, click "Assess Residual Risk"

  3. Consider the effect of the linked controls; credit only controls that are actually implemented and working, and note in the justification which controls are still planned (a score that depends on planned controls is a target, not the current residual level)

  4. Rate each risk factor based on the post-treatment state

  5. Provide justification for your ratings

  6. The system calculates the residual risk score

  7. Save the assessment
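The three procedures above (inherent assessment, treatment selection, residual assessment) worked through in code, as an added example that is not part of the original page and not AskInfosec's own scoring logic. The 1-5 scales, the multiplicative score, the band cut-offs, the reviewer checks and the sample register are all assumptions made for the illustration; the page does not state how the system computes its score.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Example scoring model (an assumption, not AskInfosec's own): 1-5 ordinal scales,
# score = likelihood x impact (1-25), banded with inclusive upper bounds.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
BANDS = [(5, "Low"), (10, "Medium"), (16, "High"), (25, "Critical")]
STRATEGIES = {"accept", "mitigate", "transfer", "avoid"}


@dataclass
class Assessment:
    """One rating of a risk: inherent (no controls) or residual (after controls)."""
    likelihood: int
    impact: int
    justification: str  # the page requires a justification for every rating

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be integers 1-5")
        if not self.justification.strip():
            raise ValueError("a rating without a justification is not auditable")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return next(name for upper, name in BANDS if self.score <= upper)


@dataclass
class Risk:
    name: str
    category: str
    owner: str
    strategy: str
    inherent: Assessment
    residual: Optional[Assessment] = None  # None until a residual assessment is saved
    controls: List[str] = field(default_factory=list)  # linked mitigating controls

    def __post_init__(self) -> None:
        if self.strategy not in STRATEGIES:
            raise ValueError(f"unknown treatment strategy {self.strategy!r}")


def review_residual(risk: Risk) -> List[str]:
    """Consistency checks a reviewer applies before accepting a residual assessment."""
    problems: List[str] = []
    if risk.residual is None:
        return ["no residual assessment recorded"]
    if risk.residual.score > risk.inherent.score:
        problems.append("residual score exceeds inherent score")
    if risk.strategy == "mitigate":
        if not risk.controls:
            problems.append("strategy is mitigate but no controls are linked")
        elif risk.residual.score == risk.inherent.score:
            problems.append("mitigate selected but the residual rating shows no reduction")
    if risk.strategy == "accept" and risk.residual.band in ("High", "Critical"):
        problems.append("accepting a High/Critical residual risk needs documented sign-off")
    return problems


def heat_map(risks: List[Risk], which: str = "inherent") -> Dict[Tuple[int, int], int]:
    """Count risks per (likelihood, impact) cell: the data behind a 5x5 heat map."""
    cells: Dict[Tuple[int, int], int] = {}
    for r in risks:
        a = r.inherent if which == "inherent" else r.residual
        if a is not None:
            cells[(a.likelihood, a.impact)] = cells.get((a.likelihood, a.impact), 0) + 1
    return cells


def render_heat_map(cells: Dict[Tuple[int, int], int]) -> str:
    """Text rendering: likelihood down the side (5 at the top), impact across."""
    lines = ["L\\I  " + "  ".join(str(i) for i in range(1, 6))]
    for lik in range(5, 0, -1):
        lines.append(f"{lik}    " + "  ".join(str(cells.get((lik, imp), 0)) for imp in range(1, 6)))
    return "\n".join(lines)


# Constructed sample register (not real data).
REGISTER = [
    Risk("Unpatched internet-facing web server", "Information Security", "AppSec lead", "mitigate",
         Assessment(4, 5, "Public exploits for this stack appear within days of disclosure"),
         Assessment(2, 5, "Weekly patch window plus WAF virtual patching; impact unchanged"),
         controls=["Patch management", "Web application firewall"]),
    Risk("Lost laptop holding customer data", "Information Security", "IT manager", "mitigate",
         Assessment(3, 4, "Several devices lost per year; data would be exposed"),
         Assessment(3, 1, "Full-disk encryption makes the data unreadable"),
         controls=["Full-disk encryption"]),
    Risk("Payroll SaaS provider outage", "Third-Party", "Finance director", "transfer",
         Assessment(2, 3, "Provider has had one multi-day outage"),
         Assessment(2, 3, "SLA credits recover cost; likelihood and impact unchanged")),
    Risk("Legacy FTP server in the DMZ", "Information Security", "Infra lead", "mitigate",
         Assessment(4, 4, "Cleartext credentials, no patches available"),
         Assessment(4, 4, "Decommissioning planned but not started")),
]


def summarize(risks: List[Risk]) -> Dict[str, Tuple[str, str, List[str]]]:
    """Name -> (inherent band, residual band or '-', reviewer problems)."""
    return {r.name: (r.inherent.band, r.residual.band if r.residual else "-", review_residual(r))
            for r in risks}


if __name__ == "__main__":
    for name, (inh, res, problems) in summarize(REGISTER).items():
        print(f"{name}: inherent {inh}, residual {res}, {problems or 'OK'}")
    print(render_heat_map(heat_map(REGISTER, "residual")))
```

The point of review_residual is the consistency check the procedures leave implicit: a residual rating higher than the inherent one, or a "mitigate" strategy with no linked controls and no reduction in score, is almost always a data-entry problem rather than a real finding, and it is cheaper to catch at save time than during an audit.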

Risk Library

The Risk Library provides pre-defined common security risks that can be added to your risk register.

Using the Risk Library

To add risks from the library:

  1. From the Risks dashboard, click "Risk Library"

  2. Browse risks by category

  3. Select risks relevant to your organization

  4. Click "Add to Risk Register"

  5. The selected risks will be added to your register for assessment

Risk Categories

Risks are organized into categories such as:

  • Information Security - Risks related to data protection and security controls

  • Operational - Risks affecting business operations and processes

  • Compliance - Risks related to regulatory requirements

  • Strategic - Risks affecting long-term objectives

  • Reputational - Risks to the organization's reputation and brand

  • Financial - Risks with direct financial impact

  • Third-Party - Risks associated with vendors and partners

Risk Integration

Linking Risks to Controls

To connect risks with security controls:

  1. Navigate to the risk details page

  2. Select the "Controls" tab

  3. Click "Link Controls"

  4. Search for and select relevant controls

  5. Define the relationship (e.g., mitigates, partially mitigates)

  6. Save the associations

Connecting Risks to Policies

To associate risks with security policies:

  1. Navigate to the risk details page

  2. Select the "Policies" tab

  3. Click "Link Policies"

  4. Search for and select relevant policies

  5. Save the associations

Linking Risks to Mitigations

To connect risks with specific mitigation tasks:

  1. Navigate to the risk details page

  2. Select the "Mitigations" tab

  3. Click "Add Mitigation Task" or "Link Mitigations"

  4. Create a new mitigation task or select existing ones

  5. Save the associations

Risk Reporting

Standard Reports

The system provides several standard risk reports:

  1. Risk Register - Complete inventory of all risks

  2. Risk Heat Map - Visual representation of risks by likelihood and impact

  3. Risk Treatment Status - Progress in addressing identified risks

  4. Risk by Owner - Risks grouped by responsible individuals

  5. Risk Trends - Changes in risk levels over time

Custom Reports

To create a custom risk report:

  1. Navigate to the Reports section

  2. Click "Create Custom Report"

  3. Select report type (Risk)

  4. Choose filtering and grouping options

  5. Select display columns and sorting

  6. Generate the report

  7. Export to PDF, Excel, or CSV format

Best Practices

Risk Identification

  • Be comprehensive - Consider risks from multiple perspectives

  • Use multiple sources - Gather input from various stakeholders

  • Consider context - Evaluate risks in light of your specific environment

  • Be specific - Clearly define each risk and its potential impact

  • Review regularly - Identify new risks as your environment changes

Risk Assessment

  • Use consistent criteria - Apply the same standards across all risks

  • Document assumptions - Record the basis for your assessments

  • Consider multiple factors - Look beyond just likelihood and impact

  • Involve experts - Engage subject matter experts in assessments

  • Challenge assessments - Review and validate risk ratings

Risk Treatment

  • Prioritize effectively - Focus on high-risk areas first

  • Consider cost-benefit - Ensure treatments are proportional to the risk

  • Define clear actions - Specify concrete steps for risk mitigation

  • Assign ownership - Ensure clear responsibility for treatment activities

  • Set deadlines - Establish timeframes for implementing treatments

Risk Monitoring

  • Establish review cycles - Regularly reassess risks and treatments

  • Track key indicators - Monitor metrics that signal changes in risk levels

  • Document changes - Record modifications to risk assessments and treatments

  • Report effectively - Communicate risk status to relevant stakeholders

  • Learn and improve - Use risk history to enhance future assessments

Troubleshooting

Common Issues

  • Inconsistent assessments - Publish rating scales with a concrete descriptor for each likelihood and impact level so that two assessors reach the same score for the same risk

  • Incomplete information - Ensure all required fields are completed

  • Duplicate risks - Search the register by name and category (including near-duplicates that differ only in wording) before creating a new risk or importing one from the Risk Library

  • Orphaned risks - Verify all risks have assigned owners

  • Stalled treatments - Follow up on overdue mitigation tasks
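Most of the issues above can be checked mechanically against a CSV export of the register (the Custom Reports section exports to CSV). The following is an added example, not AskInfosec's code; the column names and the sample rows are constructed for the example, so map them to whatever columns your export actually contains.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample of a Risk Register export. The column names are an assumption
# made for this example, not AskInfosec's actual export schema.
SAMPLE_EXPORT = """\
risk_id,name,category,owner,status,treatment,mitigation_due,mitigation_status
R-1,Unpatched web server,Information Security,alice,Open,mitigate,2024-03-01,In progress
R-2,Unpatched Web Server ,Information Security,,Open,mitigate,,Not started
R-3,Vendor outage,Third-Party,bob,Open,transfer,,
R-4,Lost laptop,Information Security,carol,Open,mitigate,2024-06-30,Done
R-5,Phishing,Information Security,dave,Open,,2024-01-15,In progress
"""

REQUIRED = ("name", "category", "treatment")  # owner is checked separately as "orphaned"


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive key so near-duplicate names collide."""
    return " ".join(name.lower().split())


def audit_register(csv_text: str, as_of: date) -> Dict[str, List[str]]:
    """Return the register hygiene findings, keyed by the issue names used above."""
    findings: Dict[str, List[str]] = {"incomplete": [], "orphaned": [], "duplicate": [], "stalled": []}
    seen: Dict[str, str] = {}  # normalized name -> first risk_id that used it
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["risk_id"]
        missing = [f for f in REQUIRED if not row.get(f, "").strip()]
        if missing:
            findings["incomplete"].append(f"{rid}: missing {', '.join(missing)}")
        if not row.get("owner", "").strip():
            findings["orphaned"].append(rid)
        key = normalize(row["name"])
        if key in seen:
            findings["duplicate"].append(f"{rid} duplicates {seen[key]}")
        else:
            seen[key] = rid
        due = row.get("mitigation_due", "").strip()
        status = row.get("mitigation_status", "").strip()
        # A mitigation task is stalled when its due date has passed and it is not Done.
        if due and date.fromisoformat(due) < as_of and status != "Done":
            findings["stalled"].append(f"{rid}: due {due}, status {status or 'unset'}")
    return findings


if __name__ == "__main__":
    for issue, items in audit_register(SAMPLE_EXPORT, date(2024, 4, 1)).items():
        print(f"{issue}: {items or 'none'}")
```

Run it after each review cycle against a fresh export; the duplicate check in particular is worth running before importing from the Risk Library, since library entries tend to arrive with names that differ from hand-written ones only in capitalisation or spacing.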

Getting Support

If you encounter issues with the Risks component:

  1. Check the in-app help documentation

  2. Contact your organization's system administrator

  3. Submit a support ticket through the AskInfosec support portal

Conclusion

Effective risk identification and assessment are essential for protecting your organization's assets, meeting regulatory requirements, and optimizing security investments. The Risks component provides the tools and structure needed to identify, assess, treat, and monitor security risks in a consistent, comprehensive manner.

By following the processes outlined in this guide, you can establish a robust risk management program that helps your organization make informed decisions about security priorities and resource allocation, ultimately strengthening your overall security posture.
