ControlOrigins

Risk Assessment Models (RAM)

Control Management Services - Risk Assessment Models

To manage an ongoing "culture of self-improvement" or "culture of self-assessment" effectively, leading organizations have benefited from designing and implementing a Risk Assessment Model (RAM) that ensures consistency both in the variables used to evaluate risk and in the formal risk assessment conclusions. The RAM is typically a web-based intranet application used to analyse and evaluate, in a consistent way, the risks identified during risk assessment processes, as follows:

  • Assess the business impacts upon the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
  • Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
  • Estimate the levels of risks.
  • Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established during the RMP.

Note:  The RAM does not necessarily need to be an automated software application but should involve pre-defined templates for assigning levels of vulnerability and impact.  Successful organizations have utilized spreadsheet models that work well as long as the RMP is well defined and spreadsheet controls are also implemented.
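
The four steps above, worked through on a small risk register. This is an added example, not Control Origins' model: the 1-4 rating scales, the 0-2 control scale, the max/min scoring formulas, the acceptance threshold of 6 and the sample assets are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

ACCEPTANCE_THRESHOLD = 6  # assumed acceptance criterion: level <= 6 is accepted

@dataclass
class Risk:
    asset: str
    confidentiality: int   # impact of a loss of confidentiality, 1-4
    integrity: int         # impact of a loss of integrity, 1-4
    availability: int      # impact of a loss of availability, 1-4
    threat: int            # prevailing threat level, 1-4
    vulnerability: int     # vulnerability level, 1-4
    control_strength: int  # controls currently implemented, 0 (none) to 2 (strong)

def validate(risk):
    """Reject ratings outside the template so every assessor uses the same scale."""
    for name in ("confidentiality", "integrity", "availability", "threat", "vulnerability"):
        if getattr(risk, name) not in range(1, 5):
            raise ValueError(f"{risk.asset}: {name} must be 1-4")
    if risk.control_strength not in range(0, 3):
        raise ValueError(f"{risk.asset}: control_strength must be 0-2")

def impact(risk):
    """Step 1: business impact is the worst consequence across C, I and A."""
    return max(risk.confidentiality, risk.integrity, risk.availability)

def likelihood(risk):
    """Step 2: a failure needs both a threat and a vulnerability, so the lower
    rating bounds the likelihood; current controls then reduce it (floor of 1)."""
    return max(1, min(risk.threat, risk.vulnerability) - risk.control_strength)

def assess(register):
    """Steps 3 and 4: estimate the risk level, then apply the acceptance criterion."""
    rows = []
    for risk in register:
        validate(risk)
        level = impact(risk) * likelihood(risk)
        decision = "accept" if level <= ACCEPTANCE_THRESHOLD else "treat"
        rows.append((risk.asset, impact(risk), likelihood(risk), level, decision))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    Risk("Public website", 1, 2, 3, threat=4, vulnerability=2, control_strength=0),
    Risk("Customer database", 4, 3, 2, threat=3, vulnerability=3, control_strength=1),
    Risk("Payroll spreadsheet", 3, 4, 2, threat=2, vulnerability=4, control_strength=2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

Validation runs before any scoring, so a rating entered outside the pre-defined template stops the assessment rather than producing a level that cannot be compared with the others.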

 


© 2010 Control Origins. All Rights Reserved