week 12

K1.12 The process of risk management:

Risk management is the process of identifying, assessing, and controlling risks that could affect an organisation’s information systems, people, assets, or business operations.

The purpose is to reduce the chance of something bad happening or reduce the impact if it does.


The Risk Management Process

Risk management follows a step-by-step process to ensure risks are understood, prioritised, and addressed effectively.

Identification

What it is:

Spotting possible risks, threats, or vulnerabilities that could harm the organisation.

Examples:

  • Weak passwords (vulnerability)

  • Malware infection (threat)

  • Power outage affecting the server room (risk)

This step creates a list of potential issues that need to be monitored or controlled.


Probability

What it is:

Estimating how likely each risk is to occur.

Categories often used:

  • High (almost certain to happen)

  • Medium (may happen occasionally)

  • Low (unlikely but possible)

Example:
There’s a high chance staff will forget to lock their computers when leaving desks.

This step helps identify the most urgent risks to focus on.


Impact

What it is:

Evaluating how much damage the risk could cause to systems, data, reputation, finances, or people.

Factors to consider:

  • Value of the asset at risk

  • Sensitivity of the data

  • Importance of the system or service

Example:
Losing access to payroll software could delay staff payments and create serious financial and reputational issues.

Impact is often measured as:

  • High

  • Medium

  • Low


Prioritisation

What it is:

Using both probability and impact to determine which risks should be dealt with first.

A risk with high probability and high impact is a top priority.

Includes:

  • Assigning risk owners (the people responsible for managing each risk)

  • Planning how to reduce or accept the risk

Example:
If phishing attacks are both likely and damaging, then they get top priority and are assigned to the IT security team to manage.


Mitigation

What it is:

Putting in place measures or controls to reduce the probability of the risk occurring or the impact if it does.

Types of mitigation:

  • Preventative (e.g. firewalls, staff training)

  • Detective (e.g. monitoring, logs)

  • Corrective (e.g. backups, disaster recovery)

Example:
To mitigate the risk of data loss:

  • Backups are taken daily

  • Only trained staff can delete files

  • Backup recovery is tested monthly

Mitigation is ongoing – risks must be monitored and controls updated regularly.


Example Risk Matrix with RAG Ratings

🔴 Red – High Risk → Immediate action required

🟠 Amber – Medium Risk → Plan to control or reduce risk

🟢 Green – Low Risk → Monitor regularly

Risk Scoring Grid

Probability ↓ / Impact → | Low (1)                | Medium (2)             | High (3)
Low (1)                  | 🟢 Low Risk (1×1=1)    | 🟢 Low Risk (1×2=2)    | 🟠 Medium Risk (1×3=3)
Medium (2)               | 🟢 Low Risk (2×1=2)    | 🟠 Medium Risk (2×2=4) | 🟠 Medium Risk (2×3=6)
High (3)                 | 🟠 Medium Risk (3×1=3) | 🔴 High Risk (3×2=6)   | 🔴 High Risk (3×3=9)


Example Risk Entries Using the Matrix

Risk                           | Probability (1–3) | Impact (1–3) | Risk Score | RAG Rating | Action Required
Weak staff passwords           | 3                 | 2            | 6          | 🔴 High    | Enforce strong password policy, training
USB device misuse              | 2                 | 2            | 4          | 🟠 Medium  | Disable USB ports or apply endpoint control
Data loss due to failed backup | 2                 | 3            | 6          | 🔴 High    | Review and test backup schedule regularly
Server downtime from power cut | 1                 | 3            | 3          | 🟠 Medium  | Install UPS and backup power
Phishing email                 | 2                 | 1            | 2          | 🟢 Low     | Continue awareness training and monitoring


Review and Reflect

Working in small groups, look at an existing risk matrix and explore its probability, impact and RAG ratings.


Manage the Risk

Scenario:
You're helping a local business review its IT security. You’ve identified the following possible risks:

  • Staff using weak passwords

  • Fire in the server room

  • Public Wi-Fi access by visitors

Your Task:
1. For each risk, estimate the probability and impact (High/Medium/Low).
2. Prioritise the risks from most to least critical.
3. Suggest one mitigation method for each.

Extension:
Create a visual heat map showing probability vs. impact for each risk.
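The scoring grid and the "Manage the Risk" task above, worked through in Python as an added example (not part of the original lesson). The RAG rating is implemented as a lookup keyed by (probability, impact) rather than by score thresholds, because the page's grid rates probability 3 × impact 2 as High but probability 2 × impact 3 as Medium, both with score 6. The 1–3 values given to the three scenario risks are assumed for illustration, not an answer key.

```python
from collections import Counter
# RAG lookup keyed by (probability, impact), transcribed from the page's grid.
# A lookup, not a score threshold: the grid rates 3x2 (score 6) High but 2x3 (6) Medium.
RAG_GRID = {
    (1, 1): "Low", (1, 2): "Low", (1, 3): "Medium",
    (2, 1): "Low", (2, 2): "Medium", (2, 3): "Medium",
    (3, 1): "Medium", (3, 2): "High", (3, 3): "High",
}
RAG_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def score(probability: int, impact: int) -> int:
    """Risk score = probability x impact, each on the page's 1-3 scale."""
    if not (1 <= probability <= 3 and 1 <= impact <= 3):
        raise ValueError("probability and impact must be 1, 2 or 3")
    return probability * impact

def rag(probability: int, impact: int) -> str:
    """RAG rating for one cell of the grid (inputs validated via score())."""
    score(probability, impact)
    return RAG_GRID[(probability, impact)]

def prioritise(register):
    """Order (name, probability, impact) rows most-to-least critical:
    RAG first, then score, then impact (a damaging risk outranks a merely
    likely one at equal score), then name so the order is stable."""
    rows = [(name, p, i, score(p, i), rag(p, i)) for name, p, i in register]
    return sorted(rows, key=lambda r: (RAG_ORDER[r[4]], -r[3], -r[2], r[0]))

def heat_map(register) -> str:
    """Text heat map: rows are probability (3 at the top), columns are impact,
    each cell the number of risks that land there (the Extension task)."""
    counts = Counter((p, i) for _, p, i in register)
    lines = ["Prob\\Impact  Low  Med  High"]
    for p in (3, 2, 1):
        cells = "  ".join(f"{counts[(p, i)]:>3}" for i in (1, 2, 3))
        lines.append(f"{p:<11}  {cells}")
    return "\n".join(lines)

# Constructed register for the "Manage the Risk" scenario. The 1-3 values
# are assumed ratings for illustration, not the page's answer key.
SCENARIO = [
    ("Staff using weak passwords", 3, 2),
    ("Fire in the server room", 1, 3),
    ("Public Wi-Fi access by visitors", 2, 2),
]

if __name__ == "__main__":
    for name, p, i, s, r in prioritise(SCENARIO):
        print(f"{r:<6} score={s} P={p} I={i}  {name}")
    print(heat_map(SCENARIO))
```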


Last Updated
2025-07-14 08:59:04
