Discover which risk assessment control measures should be an integral part of developing your risk management plan.
Conducting a regular risk assessment is an integral part of any organization’s overall risk management program — and sometimes even a legal requirement, depending on your industry, contractual obligations, or the number of persons you employ.
A risk assessment is the systematic process of identifying threats or hazards in your work environment, evaluating the potential severity of those risks, and then implementing reasonable control measures to mitigate or remediate the risks.
A risk assessment is essentially a thorough examination of your organization. It should be used to identify new hazards and their risk factors. This is called “hazard identification” and should include anything that could potentially cause harm to you or your employees’ health and safety.
Risk assessments also help you to analyze and evaluate the risks associated with any hazards once the hazard is identified (risk analysis and risk evaluation), and then to determine the appropriate ways to eliminate or control the threat (risk or hazard control).
When conducting a risk assessment, it’s important to understand the difference between the following:
- An accident is an unplanned event resulting in loss for your organization.
- A hazard is something that has the potential to cause harm.
- A risk is the likelihood that an accident will occur as a result of a hazard.
Typically, risk assessments involve this five-step process:
- Identifying potential hazards.
- Identifying who could be harmed or affected by those hazards.
- Evaluating risk (severity and likelihood) and establishing suitable precautions.
- Implementing control measures and recording your findings.
- Reviewing your assessment and re-assessing when necessary.
Thorough risk assessments are the primary management tool in risk management. They ultimately aim to eliminate, reduce, or control any risks to the health, wellbeing, safety and security of employees and anyone else who might be affected by a hazard or accident. This is precisely the purpose of a risk assessment: to identify hazards and evaluate the risks they present within your workplace.
Risk assessments also help you to evaluate the effectiveness of your existing control measures. This allows you to ensure that additional controls are implemented any time the remaining risk is considered anything other than “low” — and especially for any risks rated as “high.”
Ultimately, a risk assessment will help you prioritize resources to ensure that you, your employees, and your customers are safe from any threats you might plausibly encounter.
You should periodically review your risk assessment once it’s complete, and especially following any near misses, accidents, incidents, or ill-health events. This will help you to verify whether the control measures and the level of risk assigned were appropriate, or whether they need to be amended.
The type of risk assessment your organization needs will depend on the operations you conduct.
For many organizations, specific legal requirements will dictate which type of risk assessment you should conduct. For example, organizations that hold or use hazardous substances are required to complete a Control of Substances Hazardous to Health (COSHH) assessment.
Other types of risk assessments include fire risk assessments, manual handling risk assessments, display screen equipment (DSE) risk assessments, and security risk assessments.
Security Risk Assessments
A security risk assessment is a specific type of risk assessment that focuses on information security risks posed by the applications and technologies an organization uses or develops.
In cybersecurity, the terms “hazard” and “accident” are exchanged for “threat” and “vulnerability,” and their definitions are more specific to cybersecurity risk management:
- A threat typically involves a malicious act — ransomware, a virus, a denial-of-service attack, or a data breach — that aims to destroy data, inflict harm, or disrupt operations.
- A vulnerability is a weakness in a system that leaves it open to threats, or potential attacks.
- In cybersecurity, risk represents the potential harm that vulnerabilities could cause if successfully exploited.
Completing a security risk assessment is not only important for cybersecurity, but also for regulatory compliance. The Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) both require periodic security risk assessments.
The National Institute of Standards and Technology (NIST) Special Publication 800-53, Guide for Conducting Risk Assessments, provides a framework for the risk assessment process.
Cybersecurity risk assessment models typically consist of the following steps:
- Identify critical technology assets and the sensitive data those devices create, store, or transmit.
- Create a risk profile for each asset.
- Assess the risks for all critical assets.
- Map all the interconnections of critical assets.
- Prioritize which assets to address.
- Develop a mitigation plan with control measures for each risk.
- Prevent or minimize vulnerabilities.
- Monitor risks, threats, and vulnerabilities on an ongoing basis.
Security risk assessments are an essential component of enterprise risk management, and will help your organization to establish more effective control measures to prevent threats to your cybersecurity from coming to fruition.
What Are Risk Assessment Control Measures?
During your risk assessment, you may ask yourself, “How exactly am I going to control the risks once they’re identified?”
After all, a risk assessment is just that: an assessment. It’s up to you to assess the risk and then decide whether it’s safe to proceed.
The best way to reduce risk and prevent harm is to put control measures in place.
After you’ve identified any hazards, you’ll need to implement control measures to help bring their risks under control. A thorough risk assessment will check your existing precautions and then help you decide whether or not you need to do more to prevent harm.
Control measures usually include one or a mix of the following:
- Elimination
- Substitution
- Engineering controls
- Administrative controls
- Personal protective equipment (PPE)
How you choose the best controls for your business will depend on the types of hazards or threats your organization faces, and the risks they pose.
For instance, if you require that your employees participate in a cybersecurity awareness training program, that’s a control measure. If you tell your team to wear safety goggles when performing a specific task, that’s another control measure.
On paper, the best control measure you can use is elimination: removing the risk from your environment. In practice, it’s not possible to eliminate every risk from every task just for safety’s sake. And so, elimination has more to do with eliminating unnecessary risks from a task.
For example, implementing anti-phishing tools will eliminate some of the risk posed by cybercriminals without doing away with email altogether. Or, where employees work at height, doing the work from ground level eliminates the risks that come with working at height.
Sometimes it’s simply not possible to eliminate a risk. Using the hierarchy of risk control measures can help you decide what the best control measures are for any risk assessment your organization might need.
Effective Risk Assessment Control Measures
In an ideal world, elimination would work in every situation. There are, however, a number of other risk assessment control measures you can implement in addition to elimination. Together, these control measures make up the Hierarchy of Controls.
As we mentioned, elimination is the best control measure on paper — and it should always be the first control measure you consider. Ask yourself: can this risk be removed entirely from this activity?
Examples of elimination include using cordless equipment to cease using trailing cables, having materials delivered pre-cut to size to reduce the use of blades, or using extendable tools to eliminate work at height.
In cybersecurity, elimination might involve deciding to remove an application from company-wide use, perhaps because it posed too high of a security risk to your sensitive information.
In cases where elimination is not possible, you should consider substitution as the next best control measure available. If the risk cannot be removed entirely, it should be reduced by replacing the material, substance, or process with something less hazardous.
Examples of substitution include substituting a hazardous chemical with a safer alternative, replacing ladders with tower scaffolds, or exchanging old worn-out equipment with newer technology.
Substitution in cybersecurity could mean investing in new hardware for your organization, finding a more secure application better suited to your needs, or even migrating to more secure storage options like the cloud.
Next, examine engineering controls. These are usually temporary or permanent protective measures and can be collective (protect all workers) or individual (protect a single user). You should give priority to control measures that are collective over individual engineering controls.
Examples of engineering controls include installing guard rails for any fall hazards, using extraction machines to remove hazardous dust or fumes from the air, or enclosing dangerous machinery.
Engineering controls for cybersecurity could include implementing multi-factor authentication for all users or for privileged users, enforcing a stringent password policy for employees, or deploying security software such as antivirus tools.
Further down in priority, but often an essential part of your control measures, are administrative controls. These are the rules and systems you put in place to carry out your operations safely — the procedures you need to do the work without anyone getting hurt.
Examples of administrative controls include banning work at height and lifting operations in bad weather, enforcing one-way traffic systems on site, or limiting the use of dangerous machinery to specific days. (Note that these controls are often policies that need to be enforced.)
Cybersecurity administrative control measures might consist of policies that enforce punishment for password sharing among employees, scoring requirements for cybersecurity awareness training assessments, or company-wide phishing tests.
Personal Protective Equipment
Finally, personal protective equipment (PPE) is the last line of defense against a health hazard. While it shouldn’t be your first choice when controlling risks, it can give the wearer added protection for any remaining level of risk, or if other controls fail.
Examples of PPE include ear mufflers when using noisy equipment, harnesses and lanyards when working at height, or hard hats when there may be falling tools or materials overhead.
For your organization’s cybersecurity, think of PPE as the security tools and software you use to protect your organization and its data from risk. Good governance, risk, and compliance (GRC) software can do just that: minimize your risks and make risk assessments and the risk management process more streamlined and less stressful for you.
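As an added example that is not part of the original article, the following Python sketch models the evaluation and review steps described earlier (rating each risk by severity and likelihood, then flagging any residual risk that is not “low” for additional controls) together with the hierarchy of controls described above. The likelihood and severity scales, the rating bands, the sample register, the control names and the reduction values are all constructed assumptions for illustration; a real register would use your organization’s own scales and evidence.

```python
from dataclasses import dataclass, field

# Ordinal scales for the "severity and likelihood" evaluation step. These are
# constructed for the example; the article names the two dimensions but no scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Hierarchy of controls, most preferred first.
HIERARCHY = ["elimination", "substitution", "engineering", "administrative", "ppe"]


def rate(score: int) -> str:
    """Map a likelihood x severity product (1..25) onto three bands (assumed cut-offs)."""
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


@dataclass
class Control:
    name: str
    kind: str                      # one of HIERARCHY
    likelihood_reduction: int = 0  # steps taken off the likelihood scale
    severity_reduction: int = 0    # steps taken off the severity scale

    def __post_init__(self):
        if self.kind not in HIERARCHY:
            raise ValueError(f"unknown control kind: {self.kind}")

    @property
    def rank(self) -> int:
        """Position in the hierarchy: 0 is elimination, 4 is PPE."""
        return HIERARCHY.index(self.kind)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def residual_score(self) -> int:
        """Risk after all applied controls; neither dimension drops below 1, so a
        residual entry stays on the register even after strong controls."""
        l = max(1, LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls))
        s = max(1, SEVERITY[self.severity] - sum(c.severity_reduction for c in self.controls))
        return l * s

    def strongest_control(self):
        """Kind of the applied control that sits highest in the hierarchy, or None."""
        if not self.controls:
            return None
        return min(self.controls, key=lambda c: c.rank).kind


def evaluate(risk: Risk) -> dict:
    """One register row: inherent and residual ratings plus the best control kind used."""
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "inherent": rate(risk.inherent_score()),
        "residual_score": risk.residual_score(),
        "residual": rate(risk.residual_score()),
        "strongest_control": risk.strongest_control(),
    }


def needs_more_controls(register: list) -> list:
    """Risks whose residual rating is anything other than 'low', highest residual first."""
    flagged = [r for r in register if rate(r.residual_score()) != "low"]
    return sorted(flagged, key=lambda r: r.residual_score(), reverse=True)


def review_report(register: list) -> list:
    """Register ordered for the periodic review: highest residual risk first."""
    return sorted((evaluate(r) for r in register), key=lambda e: e["residual_score"], reverse=True)


# Constructed sample register (assets, threats and reductions are illustrative only).
SAMPLE_REGISTER = [
    Risk("payroll database", "ransomware", "unpatched file server", "likely", "severe", [
        Control("MFA on administrator accounts", "engineering", likelihood_reduction=1),
        Control("monthly patching procedure", "administrative", likelihood_reduction=1),
        Control("offline backups", "ppe", severity_reduction=2),
    ]),
    Risk("staff email", "phishing", "no link filtering", "almost certain", "moderate", [
        Control("mail gateway link filtering", "engineering", likelihood_reduction=3),
        Control("awareness training", "administrative", likelihood_reduction=1),
    ]),
    Risk("legacy reporting app", "exploitation", "unsupported vendor software", "possible", "major", [
        Control("decommission the application", "elimination", likelihood_reduction=5),
    ]),
]

if __name__ == "__main__":
    for entry in review_report(SAMPLE_REGISTER):
        print(entry)
    print("needs more controls:", [r.asset for r in needs_more_controls(SAMPLE_REGISTER)])
```

Running the script lists the register with the payroll database first: its inherent rating is “high” and, even with three controls applied, its residual rating is still “medium”, so `needs_more_controls` flags it for the next review. The `strongest_control` field shows at a glance whether a flagged entry has only been addressed from the bottom of the hierarchy, which is the cue to revisit elimination or substitution before adding more PPE-style tooling.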
Minimize Risks with ZenGRC
It’s crucial that you’re conducting regular risk assessments as part of your organization’s overall risk management program. But identifying even the most obvious hazards and assigning them risk is difficult enough as it is; add cybersecurity to the mix, and risk management can quickly become overwhelming.
A good risk management program should change in response to the risks your organization is exposed to — and cybersecurity risk management is no different.
Fortunately, there are GRC software solutions available.
ZenGRC from Reciprocity can help you implement, manage, and monitor your risk management framework as well as your remediation tasks.
Zen also lets you prioritize tasks so that everyone knows what to do and when to do it. And its user-friendly dashboards make it easy to review “To Do” and “Completed Tasks” lists.
Workflow tagging enables you to assign tasks easily for the activities involved in risk assessment, risk analysis, and risk mitigation.
And when audit time rolls around, ZenGRC’s “single source of truth” audit-trail document repository lets you quickly access the evidence you need of data confidentiality, integrity, and availability as required by law.
ZenGRC is equipped to help you minimize risks and streamline management during the entire lifecycle of all your relevant cybersecurity risk management frameworks including PCI DSS, ISO, SOX, HIPAA, and more.
Contact our team for a free demo today, and get started on the path to worry-free risk management — the Zen way.