Risk Assessment Policy
Let’s talk about some documentation you need to have in order to prove that you have a good risk management framework in place for your organization. You should put together a risk assessment policy. This policy is what governs what you’re doing when it comes to risk assessment. A policy would describe the framework you’ve put into place and the methodology you’re using to conduct your risk assessment. You’ll reference third-party resources such as NIST or ISO in order to choose a framework that you’re going to use as the underpinning of your risk assessment. You will also want to have responsibility assigned. Who is the person responsible for conducting this risk assessment? What happens with the results? Do they go to the board of directors? Who are the team members involved in the risk assessment? Are there certain department heads or other employee types who are going to participate in this? A policy is really going to say why you are conducting a risk assessment, whereas a separate document, known as your procedure, would get into how you are conducting your risk assessment: your procedure for identifying assets and ranking your risks, whether you’re using a quantitative or qualitative approach, the documentation that you expect to come out of it, and where the results actually go and how, and how often, they get communicated. So, these are the two important elements to have: a policy and a procedure that govern how you conduct risk assessment in your organization.