After completing the inventory of information and systems,
assessing the likelihood and exposure of identified threats and
vulnerabilities, and evaluating control effectiveness, the
institution should assign risk ratings to the information and
information systems. The key to assigning risk ratings is to
organize the information and information systems within a logical
The framework should recognize that not all threats and risks
are equal and acknowledge that financial institutions have finite
managerial and financial resources. As with credit or
interest rate risk, reasonably foreseeable risks should be
prioritized and rated according to the sensitivity and importance
of the information.
The probability or likelihood of an event occurring, and the
impact the event would have on a financial institution, should be
considered in determining the appropriate risk rating for
information. The probability of an event occurring, and its
impact on the institution, is directly influenced by a financial
institution's business profile and the effectiveness of its
controls. Typically, the result is expressed in differing
levels of risk, for example, "High," "Medium," or "Low"
ratings. The specific risk rating is judgmentally determined
and assigned in relation to the level of exposure and the threat
likelihood, taking into consideration the adequacy of related
internal controls. Where controls are inadequate or found not
to exist, the risk assessment should include an action plan to
improve the controls.
Once the risks associated with threats and vulnerabilities have
been assessed, probabilities assigned, and risks rated, risks
should be segregated into those the financial institution is
willing to accept and those that should be mitigated.
Guidance from the board of directors should be used for that
segregation. Once the institution identifies the risks to
mitigate, it can begin to develop its risk mitigation strategy.
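The rating and segregation procedure described above, carried through on a small constructed risk register. This is an added illustration, not text or a method from the booklet: the booklet leaves the scales and the weighting judgmental, so the 3x3 likelihood-by-impact matrix, the one-level credit for adequate controls, the expression of board guidance as a maximum acceptable residual rating, and the register entries are all assumptions made here to make the steps concrete.

```python
"""Qualitative risk rating: likelihood x impact, adjusted for control
adequacy, then segregated into accepted and mitigated risks.

Added example; the matrix, adjustment rule and register entries are
constructed assumptions, not prescribed by the booklet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered qualitative scale matching the page's "High", "Medium", "Low".
LEVELS = ("Low", "Medium", "High")

# Assumed 3x3 matrix: (likelihood, impact) -> inherent rating.
INHERENT_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}


@dataclass
class RiskItem:
    asset: str                # information or information system from the inventory
    threat: str               # threat / vulnerability pairing being rated
    likelihood: str           # probability the event occurs, on LEVELS
    impact: str               # exposure to the institution if it occurs, on LEVELS
    controls: Optional[str]   # "adequate", "inadequate", or None when no control exists


def inherent_rating(item: RiskItem) -> str:
    """Rating before any credit for controls, read off the assumed matrix."""
    return INHERENT_MATRIX[(item.likelihood, item.impact)]


def residual_rating(item: RiskItem) -> str:
    """Assumed adjustment: adequate controls lower the rating one level;
    inadequate or missing controls earn no credit."""
    inherent = inherent_rating(item)
    if item.controls == "adequate":
        return LEVELS[max(0, LEVELS.index(inherent) - 1)]
    return inherent


def needs_action_plan(item: RiskItem) -> bool:
    """The page requires an action plan where controls are inadequate or absent."""
    return item.controls != "adequate"


def segregate(items: List[RiskItem], appetite: str) -> Tuple[List[RiskItem], List[RiskItem]]:
    """Split rated risks into (accepted, to_mitigate).

    `appetite` is the highest residual rating the board is willing to
    accept; treating board guidance as a threshold on the scale is an
    assumption of this example."""
    limit = LEVELS.index(appetite)
    accepted: List[RiskItem] = []
    to_mitigate: List[RiskItem] = []
    for item in items:
        target = accepted if LEVELS.index(residual_rating(item)) <= limit else to_mitigate
        target.append(item)
    return accepted, to_mitigate


# Constructed register entries for illustration only.
REGISTER = [
    RiskItem("Core banking DB", "Unauthorized insider access", "Medium", "High", "adequate"),
    RiskItem("Customer web portal", "Credential stuffing", "High", "High", "inadequate"),
    RiskItem("Branch workstation image", "Outdated patch baseline", "Medium", "Medium", None),
    RiskItem("Public marketing site", "Defacement", "Medium", "Low", "adequate"),
]


def main() -> None:
    for item in REGISTER:
        print(f"{item.asset:26} inherent={inherent_rating(item):6} "
              f"residual={residual_rating(item):6} action_plan={needs_action_plan(item)}")
    accepted, to_mitigate = segregate(REGISTER, appetite="Low")
    print("accept:  ", [i.asset for i in accepted])
    print("mitigate:", [i.asset for i in to_mitigate])


if __name__ == "__main__":
    main()
```

Two design choices carry the page's points: control adequacy changes the residual rating but never removes the need for an action plan where controls are inadequate or absent, and the accept/mitigate split is driven by a board-set threshold rather than by the assessor, which keeps the segregation step separable from the rating step.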