
How to Determine the Inherent Level of a Risk

Written by Sally Wood
Updated over 11 months ago

In the context of ISO 27001, determining the inherent level of a risk involves a combined assessment of both the likelihood of the risk occurring and the consequences if it does. The inherent level is the level of the risk before the effect of any existing controls is taken into account; it provides the baseline from which the residual level (after controls) is later judged. Using a scale of Low, Medium, High, and Extreme helps categorise risks and guides decision-making on the allocation of resources towards risk treatment. This article outlines a structured approach to determining the inherent level of risk.

Steps to Determine Inherent Risk Level

1. Define the Rating Scale

Begin by clearly defining each category—Low, Medium, High, and Extreme—for both likelihood and consequences. Ensure that these definitions are understood and consistently applied across the organisation to maintain objectivity in the risk assessment process.

Likelihood

  • Low: Unlikely to occur within the next year.

  • Medium: Could occur once in the next year.

  • High: Likely to occur multiple times in the next year.

  • Extreme: Almost certain to occur in the near future.

Consequences

  • Low: Minimal impact with negligible consequences.

  • Medium: Moderate impact that can be managed within routine operations.

  • High: Significant impact that could jeopardise business functions.

  • Extreme: Severe impact with potential catastrophic consequences.

2. Assess Consequences and Likelihood

For each identified risk, independently assess both the consequences and likelihood using the predefined scales. Document the ratings in de.iterate's Risk Register, along with any relevant details or assumptions that support the assessment.

3. Combine Ratings to Determine Risk Level

Use a risk matrix to combine the likelihood and consequence ratings to determine the overall level of risk. The matrix gives a visual representation of where each risk falls on the scale from Low to Extreme. The combinations below cover the most common cells; the matrix itself must assign a level to every combination (for example, low likelihood with extreme consequences), and the assigned level must never go down when either the likelihood or the consequence rating goes up. Here’s how to interpret the main combinations:

  • Low Risk: Low likelihood with low consequences.

  • Medium Risk: Medium likelihood with low or medium consequences, or low likelihood with medium consequences.

  • High Risk: High likelihood with medium consequences, or medium likelihood with high consequences.

  • Extreme Risk: High or extreme likelihood with high or extreme consequences.

4. Document the Overall Risk Level

Record the overall risk level in your Risk Register. Ensure that each risk’s level is supported by a clear rationale based on the combined assessments of likelihood and consequences.

5. Review and Update Regularly

The environment in which the organisation operates is dynamic, with new risks emerging and existing risks evolving. Regularly review and update the inherent risk levels to reflect any changes in the external and internal context of the organisation.

Example of Determining Inherent Risk Level

Here’s an example of how the inherent level of risk might be determined:

  • Risk: Data breach due to inadequate firewall protection.

  • Likelihood Assessment: High (frequent unauthorised access attempts observed).

  • Consequence Assessment: High (potential for significant data loss and legal repercussions).

  • Risk Matrix Outcome: Combine High Likelihood with High Consequences = Extreme Risk.

  • Documentation: Record in the Risk Register that this risk is rated as Extreme, with notes on the observations supporting the high likelihood and potential consequences.
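The following script is an added example, not part of this article or of de.iterate's product, showing steps 1 to 4 applied to a small constructed register. It encodes the rating scale, a full 4x4 risk matrix, a consistency check that the matrix never lowers the level when likelihood or consequence rises, and a register entry that keeps the rationale beside each rating. The matrix cells the article states (Low/Low, the Medium and High combinations, and High or Extreme with High or Extreme) are used as written; the remaining cells (such as Low likelihood with Extreme consequences) are an assumption chosen so the matrix stays consistent, and the risk titles and rationales are constructed sample data.

```python
"""Inherent risk rating with a likelihood x consequence matrix (added example)."""
from dataclasses import dataclass, field
from itertools import product

# Ordered rating scale shared by likelihood, consequence and the resulting risk level (step 1).
SCALE = ("Low", "Medium", "High", "Extreme")
RANK = {name: i for i, name in enumerate(SCALE)}

# Risk matrix indexed as MATRIX[likelihood][consequence] (step 3).
# Cells marked "assumed" are not stated in the article; they were chosen so that the matrix is
# monotonic (raising either input never lowers the level).
MATRIX = {
    "Low":     {"Low": "Low",    "Medium": "Medium", "High": "Medium",  "Extreme": "High"},     # High, Extreme assumed
    "Medium":  {"Low": "Medium", "Medium": "Medium", "High": "High",    "Extreme": "High"},     # Extreme assumed
    "High":    {"Low": "Medium", "Medium": "High",   "High": "Extreme", "Extreme": "Extreme"},  # Low assumed
    "Extreme": {"Low": "High",   "Medium": "High",   "High": "Extreme", "Extreme": "Extreme"},  # Low, Medium assumed
}


def inherent_level(likelihood, consequence):
    """Combine two ratings into the inherent risk level using the matrix."""
    if likelihood not in RANK or consequence not in RANK:
        raise ValueError(f"ratings must be one of {SCALE}: got {likelihood!r}, {consequence!r}")
    return MATRIX[likelihood][consequence]


def matrix_is_monotonic(matrix=MATRIX):
    """Consistency check: a higher likelihood or consequence must never yield a lower level.

    A matrix that fails this produces ratings an auditor can challenge, so run it whenever
    the matrix is edited.
    """
    for lik, con in product(SCALE, SCALE):
        here = RANK[matrix[lik][con]]
        for other in SCALE:
            if RANK[other] > RANK[lik] and RANK[matrix[other][con]] < here:
                return False
            if RANK[other] > RANK[con] and RANK[matrix[lik][other]] < here:
                return False
    return True


@dataclass
class Risk:
    """One Risk Register entry: ratings plus the rationale that supports them (steps 2 and 4)."""
    title: str
    likelihood: str
    consequence: str
    rationale: str
    inherent_level: str = field(init=False)

    def __post_init__(self):
        self.inherent_level = inherent_level(self.likelihood, self.consequence)


def prioritise(register):
    """Order the register from Extreme down to Low; ties broken by consequence, then likelihood."""
    return sorted(
        register,
        key=lambda r: (RANK[r.inherent_level], RANK[r.consequence], RANK[r.likelihood]),
        reverse=True,
    )


# Constructed sample register (not real assessment data). The first entry is the article's example.
SAMPLE_REGISTER = [
    Risk("Data breach due to inadequate firewall protection", "High", "High",
         "Frequent unauthorised access attempts observed; significant data loss and legal exposure"),
    Risk("Phishing email reaches staff mailboxes", "High", "Medium",
         "Several campaigns per month; a single compromised mailbox is contained within routine operations"),
    Risk("Flood at the primary data centre", "Low", "Extreme",
         "Site is outside the flood plain; total loss of the site would halt all services"),
    Risk("Shared office printer outage", "Medium", "Low",
         "Happens about once a year; staff print elsewhere with negligible impact"),
]

if __name__ == "__main__":
    assert matrix_is_monotonic(), "risk matrix has a cell that lowers the level as inputs rise"
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.inherent_level:<8} {risk.likelihood:<8} {risk.consequence:<8} {risk.title}")
        print(f"         rationale: {risk.rationale}")
```

The monotonic check is the part worth keeping when you adapt the matrix: it catches the common mistake of tuning one cell (say, demoting Low/Extreme to Medium) in a way that makes a more severe combination rate lower than a less severe one.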
