risk assessment [English]


InterPARES Definition

n. ~ A process of determining the relative likelihood and impact of risks.

General Notes

NIST considers risk analysis and risk assessment synonymous. However, some distinguish risk assessment from risk analysis, the latter focusing on identification of risks. As part of risk management, risk assessment considers the impact of threats, vulnerabilities, and mitigations, as well as any existing risk mitigation controls, to determine the level of risk and whether additional or improved controls are needed.

Other Definitions

  • NIST Risk Assessment 2012 (†482 p. B-9): The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Citations

  • CNSS-4009 (†730 p.61): The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated, potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF). (†1746)
  • IRM 2002 (†491 p. 5): Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (†750)
  • ISACA Glossary (†743 s.v. risk assessment): A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk. (†1800)
  • Law 2011 (†581 s.v. risk assessment): The determination of the level of risk in a particular course of action. Risk assessments are an important tool in areas such as health and safety management and environmental management. Results of a risk assessment can be used, for example, to identify areas in which safety can be improved. Risk assessment can also be used to determine more intangible forms of risk, including economic and social risk, and can inform the scenario planning process. The amount of risk involved in a particular course of action is compared to its expected benefits to provide evidence for decision making. (†1120)
  • NIST 2013 (†734 p. B-19): The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. (†1821)
  • Structured Approach 2010 (†492 p. 5): Risk assessment involves the identification of risks followed by their evaluation or ranking. (†751)
  • WHO/FAO 2009 (†534 p. 26): The main principles of a risk assessment apply equally anywhere along the qualitative to quantitative risk assessment continuum. These include identification of the hazard, defining the risk question, outlining the steps of the risk pathway, gathering data and information, including information on uncertainty and variability, combining the information in a logical manner, and ensuring all is fully referenced and transparent. It follows from this that many of the activities are the same, up to and including the gathering of the data. Therefore it is frequently the case that a Risk Profile, or qualitative (or semi-quantitative) risk assessment is undertaken initially, with the intention of following up with a quantitative risk assessment if it is subsequently thought to be necessary or useful, and feasible. (†864)