Working with risk assessments and risk management is a challenging job. Everyone has an opinion, and there is no single outcome. Things change over time, and changing threat landscapes will influence the assessment and make it necessary to revisit the assessment again.
The area of risk assessments is covered by multiple theories and frameworks, which are no doubt scientifically well-founded but, at the same time, are difficult to make operational in a changing environment. We cannot gather all relevant stakeholders to update assessments quarterly.
What we can do is focus efforts on the critical assets top-down and keep these in mind when vulnerabilities and threats are identified. We can also make ad hoc assessments using the bottom-up methods when involved in projects and when asked to comment on new initiatives.
Of course, the methods should be formalized to make this repeatable and minimize reliance on single individuals. But the final delivery (risk assessment) is a snapshot in time and will, to some degree, always be the interpretation of multiple factors. Adherence to a cumbersome methodology will slow down the response time and, in the end, make the assessment inflexible. The risk landscape is diverse and so the response possibilities should be too.
Read Mette Brottmann, Klaus Agnoletti, Morten Als Pedersen, Ronnie Lykke Madsen, Michael Rosendal Krumbak and Thor Ahrends’s recent Journal article:
“Real-life Risk Theory,” ISACA Journal, volume 6, 2015.