Risk Analysis vs Risk Assessment

"Assess" and "analyze" mean nearly the same thing. Both terms refer to the process of gathering information and drawing conclusions from it, usually with the goal of improving a practice, product, or business. In the realm of risk management, however, the terms "risk assessment" and "risk analysis" are related but not the same. Instead, one is an element of the other.


What's The Difference? Risk Analysis vs Risk Assessment

Risk assessment is a practice that involves multiple steps of analysis and conclusions that will deliver a solid risk management plan to any business. Risk analysis is one of those steps. Think of it like making a hamburger. If risk assessment is the whole process of assembling a burger, risk analysis is like grilling the burger. You might do the grilling once for a single patty burger or twice for a double cheeseburger. The analysis is a vital part of the process that can deliver important information on its own, but the assessment is the whole thing.


What's Involved In Risk Assessment?

The goal of risk assessment is to identify and understand everything that poses a risk to your organization. Risk assessment is divided into two main phases:


  1. Risk identification: Naming all of the risks that could threaten your organization
  2. Risk analysis: Where you'll try to understand more about each identified risk and analyze what, if anything, should be done about them


There are different types of risk assessments. For today’s purposes, we’ll focus on security risk assessments. These seek to keep your company's data safe while ensuring it is easily accessed by authorized users and impossible to access by unauthorized individuals. Risk management teams will first identify the most important pieces of hardware, software, and data to a company's business and then create a profile for each of these assets. Different assets are treated differently. For example, a database of customers' credit card information might be a highly targeted asset for hackers, while the CSS for your company's website layout might not need the same level of protection.


Security risk assessments help your company map any connections between different technology assets, prioritize which assets need to be protected, and come up with plans to keep bad actors out without getting in the way of legitimate business use. They'll also include plans about what to do in the event of an attempted or successful security breach and plans for keeping your security precautions up-to-date in a changing digital world.


Risk assessment isn't just a good idea, it's also required under the law for some companies, and by standards organizations for others.


How Risks Are Identified

The first phase of a risk assessment involves experts in a field trying to come up with as many plausible “bad” scenarios as they can. Examples of these scenarios include things like:

  • What if an employee tries to steal your database on a thumb drive?
  • What if a rival company hires an industrial spy to infiltrate your office?
  • What if a hacker targets your internal systems through a virus loaded to your CMS?


How Risks Are Analyzed

Once plausible risks are named, it's time to score them. Risk analysis involves carefully considering each risk and assigning it a priority. Prioritization is determined using quantitative and qualitative methods.


Using quantitative scoring, the amount each risk could cost your company is multiplied by the likelihood of a risk occurring in a given year. This is a quick way of generating easy-to-understand numbers that you can use to compare risks and figure out what resources your company should devote to preventing them, but it relies on having a good estimate of both the cost of the risk and the likelihood of it occurring.


Qualitative scoring uses a subjective rubric to assign multiple numbers to each risk:

  • A likelihood score to represent the chance of a risk occurring
  • A velocity score to represent how quickly your company would feel the impact of the risk
  • An impact score to represent how hard the hit would be, and
  • A materialization score, which is the average of velocity and impact


These numbers are a bit more difficult to understand at a glance, but they can shed more light on what specific precautions your business should take about each risk. Proper analysis relies on your team being able to make knowledgeable, honest assessments about how your business would interact with each risk and how likely a risk is to occur.


Prioritizing Risks

Risk assessment teams break down identified risks into three categories: high, medium, and low priority.

  • High priority risks are things that would immediately impact your ability to do business. This might include things like zero-day hacks and ransomware attacks.
  • Medium priority risks are less likely and less immediate. These might include a smaller-scale data breach when an ex-employee takes some work documents on a thumb drive.
  • Low priority risks are both unlikely and non-threatening. A janitor leaving a supply closet unlocked and having all cleaning products stolen would be considered a low-priority risk. While the odds of leaving the closet unlocked could be medium to high, it’s quite unlikely someone would steal all the cleaning supplies, and if they did, it wouldn’t do much damage to the company.
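To make the scoring and prioritization concrete, here is an added example (not code from the original post) that implements both methods described above: the quantitative score as cost per occurrence multiplied by yearly likelihood, and the qualitative rubric of likelihood, velocity, impact and materialization (the average of velocity and impact), followed by sorting into high, medium and low priority. The three sample risks mirror the article's own scenarios, but every figure, probability, the 1-to-5 rubric scale, the choice to combine likelihood and materialization by multiplying them, and the priority thresholds are constructed assumptions for illustration.

```python
# Added example, not code from the original post. Implements the article's two
# scoring methods (quantitative cost x likelihood; qualitative likelihood /
# velocity / impact / materialization) and sorts risks into priority bands.
# All sample risks, figures, probabilities and thresholds are constructed.
from dataclasses import dataclass

RUBRIC_MIN, RUBRIC_MAX = 1, 5   # assumed 1..5 scale for the qualitative rubric


@dataclass(frozen=True)
class Risk:
    name: str
    cost: float                # estimated loss per occurrence (currency units)
    annual_likelihood: float   # probability the risk occurs in a given year, 0..1
    likelihood: int            # qualitative chance of occurring, 1..5
    velocity: int              # how quickly the impact would be felt, 1..5
    impact: int                # how hard the hit would be, 1..5

    def __post_init__(self):
        # Reject inputs outside the rubric so a typo cannot silently skew the ranking.
        if not 0.0 <= self.annual_likelihood <= 1.0:
            raise ValueError(f"{self.name}: annual_likelihood must be between 0 and 1")
        for field in ("likelihood", "velocity", "impact"):
            value = getattr(self, field)
            if not RUBRIC_MIN <= value <= RUBRIC_MAX:
                raise ValueError(f"{self.name}: {field} must be {RUBRIC_MIN}..{RUBRIC_MAX}")


def annualized_loss(risk):
    """Quantitative score: cost per occurrence times likelihood per year."""
    return risk.cost * risk.annual_likelihood


def materialization(risk):
    """Qualitative: the average of velocity and impact, as the article defines it."""
    return (risk.velocity + risk.impact) / 2


def qualitative_score(risk):
    """Combine likelihood with materialization (assumption: multiply them)."""
    return risk.likelihood * materialization(risk)


def priority_bucket(score, high=15.0, medium=8.0):
    """Map a qualitative score (1..25 on this rubric) to a priority band.
    The thresholds are assumptions; tune them to your organization's risk appetite."""
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


def rank_quantitative(risks):
    """(name, annualized expected loss) pairs, highest loss first."""
    return sorted(((r.name, annualized_loss(r)) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


def rank_qualitative(risks):
    """(name, qualitative score, priority band) rows, highest score first."""
    scored = [(r.name, qualitative_score(r), priority_bucket(qualitative_score(r)))
              for r in risks]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample risks, mirroring the scenarios used in the article.
RISKS = [
    Risk("ransomware attack", cost=500_000, annual_likelihood=0.10,
         likelihood=3, velocity=5, impact=5),
    Risk("ex-employee takes work documents on a thumb drive", cost=40_000,
         annual_likelihood=0.25, likelihood=3, velocity=3, impact=3),
    Risk("supply closet left unlocked, cleaning products stolen", cost=500,
         annual_likelihood=0.05, likelihood=2, velocity=1, impact=1),
]

if __name__ == "__main__":
    print("Quantitative (annualized expected loss):")
    for name, ale in rank_quantitative(RISKS):
        print(f"  {ale:>10,.0f}  {name}")
    print("Qualitative (likelihood x materialization -> priority):")
    for name, score, band in rank_qualitative(RISKS):
        print(f"  {score:>5.1f}  {band:<6}  {name}")
```

Running the script ranks the three sample risks the same way under both methods (ransomware, then the thumb drive, then the supply closet), which is the point of scoring: the two numbers are not interchangeable, but when both agree you can commit resources with more confidence, and when they disagree you have found a risk whose cost or likelihood estimate deserves a second look.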