Risk Assessment Framework (RAF)

What is Risk Assessment Framework (RAF)?

A Risk Assessment Framework (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology organization. The information should be presented in a way that both non-technical and technical personnel in the organization can understand. An RAF helps an organization identify and locate both low- and high-risk areas in its systems that may be susceptible to abuse or attack.[1]

Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to comply with so many regulations, it is a huge challenge.

Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:[2]

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • NIST Risk Management Framework (RMF)
  • Threat Agent Risk Assessment (TARA), a more recent addition

Risk Assessment Template Best Practices

Risk assessments that rest on subjective judgment cannot reliably meet their objective: their results cannot be compared across business silos, and they cannot be verified by audit or compliance review. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:

  • Adopt a uniform numerical scale: Score every factor on a scale of 1 to 10, with 10 representing the most unfavorable consequences to the organization, and split the scale into five buckets (1-2, 3-4, 5-6, 7-8, 9-10). Each bucket has a low and a high value, so an assessor who has placed a factor in a bucket can still record whether it sits at the lower or upper end. A 10-point scale keeps the arithmetic simple, and five buckets are few enough to define unambiguously.
  • Define objective evaluation criteria: Without definitions, one person's 9 is another person's 7. State in unambiguous terms what qualifies a factor for each of the five buckets. Severity may be expressed in several ways, qualitative and quantitative (financial, legal, strategic, and so on), and meeting any one of the criteria listed for a level is sufficient to rate a factor at that level. Current practice can be compared against any set of standards, including laws, regulations, and corporate policies and procedures, and any qualitative criterion can be assigned a score so that it becomes quantitative and comparable across the enterprise.
  • Calibrate assessment criteria: Different kinds of assessment (vendor, application, process, financial) will use different criteria, but all of them should use the same 1-10 scale and be calibrated so that a 7 denotes the same severity in every assessment type, however differently the criteria are worded. Calibration is what allows individual assessments to be aggregated into a holistic view of risk.
  • Use universal business elements: Break risk assessments down into basic elements, such as business processes and resources, that are standardized across business silos or business units. Assess vendor characteristics separately from the products and services the vendor sells; the separate assessments stay objective and are easy to maintain as changes occur, such as mergers and acquisitions or new product introductions.
  • Link risk assessment templates: Connect vendors to the products and services they provide, and those products and services to the business processes that rely upon them. Link each financial element to the business processes that contribute to it, and link every internally developed application and data repository to the business processes that depend on it. Because a vendor can supply multiple products and services of differing quality and risk, assessing each product and service individually and linking those assessments to the vendor profile gives a process owner a much clearer picture of the combination of vendors, products and services in use. Risk assessment data can then be aggregated and reported along these linked relationships to give a holistic picture of all the results. The outcome is a single overall summary score for each business process that combines the process's own score with the individual scores of every resource and financial item associated with it. With this information you can prioritize and focus your enterprise risk management (ERM) efforts.
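The scoring scheme and linked roll-up described in this list, as an added worked example in Python; this is not code from the original page or from any of the frameworks named above. The bucket thresholds, the legal and strategic level descriptions, the sample register entries, and the worst-case (maximum) roll-up rule are all assumptions made for illustration; the page prescribes none of them.

```python
"""Risk assessment template: uniform scale, calibrated criteria, linked roll-up.

Added example (not from the original page). Every threshold, description and
the worst-case roll-up rule is a hypothetical assumption chosen to illustrate
the best-practice attributes described above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Uniform 1-10 scale split into five buckets; an assessor picks the low or
# high value within the bucket the objective criteria select.
BUCKETS = {1: (1, 2), 2: (3, 4), 3: (5, 6), 4: (7, 8), 5: (9, 10)}


def bucket_of(score: int) -> int:
    """Map a 1-10 score back to its bucket (1-5); rejects off-scale values."""
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} is outside the 1-10 scale")
    return (score + 1) // 2


# Objective criteria for each bucket in three dimensions. They are calibrated:
# bucket 4 in the legal dimension is as severe as bucket 4 in the financial
# dimension. Values are hypothetical, not taken from the page.
FINANCIAL_LOSS_USD = {2: 10_000, 3: 100_000, 4: 1_000_000, 5: 10_000_000}
LEGAL_OUTCOME = {
    "none": 1, "internal policy breach": 2, "contract breach": 3,
    "regulatory fine": 4, "loss of licence or criminal liability": 5,
}
STRATEGIC_IMPACT = {
    "none": 1, "one team disrupted": 2, "one business unit disrupted": 3,
    "enterprise-wide disruption": 4, "viability of the business threatened": 5,
}


def rate_factor(loss_usd: float, legal: str, strategic: str, high: bool = False) -> int:
    """Score one factor on the 1-10 scale.

    The bucket is the highest bucket whose criterion is met in ANY one
    dimension (meeting a single criterion is enough to rate at that level);
    the assessor then selects the low or high value of that bucket.
    """
    fin_bucket = 1
    for b, threshold in sorted(FINANCIAL_LOSS_USD.items()):
        if loss_usd >= threshold:
            fin_bucket = b
    bucket = max(fin_bucket, LEGAL_OUTCOME[legal], STRATEGIC_IMPACT[strategic])
    low, hi = BUCKETS[bucket]
    return hi if high else low


@dataclass
class Element:
    """A universal business element: vendor, product, service, application,
    data repository, financial item or business process, each scored on the
    same template and linked to the elements it relies on."""
    kind: str
    name: str
    score: int                      # own 1-10 score from rate_factor()
    relies_on: List["Element"] = field(default_factory=list)


def summary_score(e: Element) -> int:
    """Roll-up rule (assumption): the worst score across the element itself
    and everything it relies on, so a weak vendor behind a product surfaces
    in the process that depends on that product."""
    return max([e.score] + [summary_score(d) for d in e.relies_on])


def prioritise(processes: List[Element]) -> List[Tuple[str, int]]:
    """Business processes ranked worst-first for ERM attention."""
    ranked = sorted(processes, key=summary_score, reverse=True)
    return [(p.name, summary_score(p)) for p in ranked]


def vendor_view(vendor: Element, offerings: List[Element]) -> Dict[str, int]:
    """Per-offering scores for one vendor: the same vendor can supply
    products and services of very different risk."""
    return {o.name: o.score for o in offerings if vendor in o.relies_on}


# Constructed sample register (illustrative only, not real assessments).
acme = Element("vendor", "Acme Hosting", rate_factor(50_000, "contract breach", "none"))
payments_api = Element("product", "Acme Payments API",
                       rate_factor(2_000_000, "regulatory fine", "one business unit disrupted", high=True),
                       relies_on=[acme])
backup_svc = Element("service", "Acme Offsite Backup",
                     rate_factor(5_000, "none", "one team disrupted"), relies_on=[acme])
ledger = Element("application", "General Ledger",
                 rate_factor(150_000, "internal policy breach", "one business unit disrupted"))
card_revenue = Element("financial", "Card Revenue", rate_factor(20_000_000, "none", "none"))
checkout = Element("process", "Online Checkout",
                   rate_factor(0, "none", "one team disrupted"),
                   relies_on=[payments_api, ledger, card_revenue])
nightly_backup = Element("process", "Nightly Backup", rate_factor(0, "none", "none"),
                         relies_on=[backup_svc])

if __name__ == "__main__":
    for name, score in prioritise([checkout, nightly_backup]):
        print(f"{name}: {score} (bucket {bucket_of(score)})")
    print(vendor_view(acme, [payments_api, backup_svc]))
```

In the sample register the vendor itself rates a 5, but its payments product rates an 8 and its backup service only a 3; linking the offerings to the vendor profile is what makes that spread visible, and the maximum roll-up carries the 9 from the card revenue item up to the Online Checkout process so it ranks ahead of Nightly Backup. A weighted or averaged roll-up is equally valid under the text; the choice of rule is an assumption here and should be stated in the template.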

See Also