Risk Analysis Example: How to Evaluate Risks

Organizations are struggling with risks on multiple fronts, including cybersecurity, liability, investment and more. Risk analysis, or risk assessment, is the first step in the risk management process. IT risk analysis focuses on the risks that both internal and external threats pose to the availability, confidentiality, and integrity of your data. During risk analysis, a company identifies risks and the level of consequences, such as potential losses to the business, if an incident happens.

The risk analysis process involves defining the assets (IT systems and data) at risk, the threats facing each asset, how critical each threat is and how vulnerable the system is to that threat. It is wise to take a structured and project-based approach to risk analysis, such as those offered in NIST SP 800-30 or ISO/IEC 27005:2018 and 31010:2019.

Risk analysis is important for multiple reasons. IT professionals who are responsible for mitigating risks in the infrastructure often have difficulty deciding which risks need to be resolved as soon as possible and which can be addressed later; risk analysis helps them prioritize properly. In addition, many regulatory and compliance requirements include a security risk assessment as a mandatory component.

In this article, we will look at a risk analysis example and describe the key components of the IT risk analysis process.

Risk Analysis Example

The following sections lay out the key components of a risk analysis document.

Introduction

This part explains why and how the assessment was conducted. It describes the systems reviewed and specifies who was responsible for providing, gathering and analyzing the information.

Purpose

In this section, you define the purpose of a detailed assessment of an IT system. Here’s an example:

According to the annual enterprise risk assessment, <system name> was identified as a potential high-risk system. The purpose of this risk assessment is to identify the threats and vulnerabilities related to <system name> and to define plans to mitigate the resulting risks.

Scope

In this section, you define the scope of the IT system assessment. Describe the system components, users and other system details that are to be considered in the risk assessment.

The scope of this risk assessment is to assess the use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to <system name>.

System Description

List the systems, hardware, software, interfaces and data that are examined, and state which of them are out of scope. This is necessary to analyze system boundaries, functions, and the criticality and sensitivity of the system and its data. Here is an example:

<system name> consists of <components, interfaces> that process <sensitive / critical / regulated> data. <system name> is located <details on physical environment>. The system provides <core functions>.

Participants

This section includes a list of participants’ names and their roles. It should include the owners of assets, IT and security teams, and the risk assessment team.

Assessment Approach

This section explains the methodology and techniques used for the risk assessment. For example:

Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and impact to the company’s mission.

The data collection phase includes identifying and interviewing key personnel in the organization and conducting document reviews. Interviews will focus on the operating environment. Document reviews provide the risk assessment team with a basis for evaluating compliance with policies and procedures.

Risk Identification and Assessment

Here begins the core part of the information security risk assessment, where you compile the results of your assessment fieldwork.

Data Inventory

Identify and define all valuable assets in scope: servers, critical data, regulated data or other data whose exposure would have a major impact on business operations. For example:

Type of data | Description | Level of sensitivity (High, Moderate, Low)
Personally identifiable information | Name, address, Social Security number, credit card number | High
Financial information | Credit card number, verification code, expiry date, authorization reference, transaction reference | High

System Users

Describe who is using the systems, with details on user location and level of access. You can use the example below:

System name | User category | Access level (Read, Write, Full) | Number of users | Home organization | Geographic location
<Name of business application> | Regular user | Read/Write | 10 | ABC Group | Atlanta

Threat Identification

Develop a catalogue of threat sources and the threat actions each of them can take. Briefly describe the events that could negatively affect the organization's operations, from security breaches and technical missteps to human errors and infrastructure failures:

Threat source | Threat actions

Cyber criminal
  • Web defacement
  • Social engineering
  • System intrusions (break-ins)
  • Identity theft
Malicious insider
  • Browsing of personally identifiable information
  • Unauthorized system access
Employees
  • Accidental or ill-advised actions taken by employees that result in unintended physical damage, system disruption or exposure
  • Illness, death, injury or other loss of a key individual
Reputation
  • Loss of confidence from employees
  • Damage to the reputation of the company
Organizational (planning, schedule, estimation, controlling, communication, logistics, resources and budget)
  • Improper worker termination and reassignment actions
Legal and administrative actions
  • Regulatory penalties
  • Criminal and civil proceedings
Technical
  • Malicious code (e.g., virus)
  • System bugs
  • Failure of a computer, device, application, or protective technology or control that disrupts or harms operations or exposes the system to harm
Environmental
  • Natural or man-made disasters

 

Vulnerability Identification

Assess which vulnerabilities and weaknesses could allow threats to breach your security. Here’s an example:

Vulnerability | Description
Poor password strength | Passwords used are weak. Attackers could guess the password of a user to gain access to the system.
Lack of disaster recovery | There are no procedures to ensure ongoing operation of the system in the event of a significant business interruption or disaster.

Risk Determination

Here, you assess the probability that threats and vulnerabilities will cause damage and the extent of those consequences.

Risk Probability Determination

During this step, focus on assessing risk probability — the chance that a risk will occur.

Level | Probability definition | Example
High | The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. | Unauthorized malicious disclosure, modification, or destruction of information
Moderate | The threat source is motivated or capable, but controls are in place that may impede successful exercise of the vulnerability. | Unintentional errors and omissions
Low | The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. | IT disruptions due to natural or man-made disasters

Impact Analysis

Perform risk impact analysis to understand the consequences to the business if an incident happens. A qualitative assessment rates each incident on a scale (High, Moderate, Low) and is enough to identify the risks that pose the most danger, such as data loss, system downtime and legal consequences. A quantitative assessment is optional and is used to express the impact in financial terms.

Incident | Consequence | Impact
Unauthorized disclosure of sensitive information | The loss of confidentiality with major damage to organizational assets. The incident may result in the costly loss of major tangible assets or resources, and may significantly violate, harm or impede the organization's mission, reputation or interests. | High
IT disruptions due to unauthorized changes to the system | The loss of availability with a serious adverse effect on organizational operations. The organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced. | Moderate
Non-sensitive data is lost through unauthorized changes to the data or system | The loss of integrity with a limited effect on organizational operations, assets, or individuals. The organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. | Low

Risk Level Evaluation

During this step, the results of the risk analysis are compared to the risk evaluation criteria: the likelihood rating and the impact rating of each threat/vulnerability pair are combined into a single risk level, which is then used to prioritize the risks and decide what corrective action is required.

Risk level | Definition
High | There is a strong need for corrective measures. The system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Moderate | Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low | The system's owner must determine whether corrective actions are still required or decide to accept the risk.

Risk Assessment Results

List the risks in the Risk Assessment Results table. For each entry, the report should name the threat and the vulnerability it exploits, rate the likelihood and impact, state the resulting risk level, and recommend the control to implement.

Threat | Vulnerability | Mitigation | Likelihood | Impact | Risk
Hurricane | Power outage | Install backup generators | Moderate | Low | Low
Significant business interruption or disaster | Lack of disaster recovery plan | Develop and test a disaster recovery plan | Moderate | High | Moderate
Unauthorized users access the server and browse sensitive company files | Open access to sensitive content | Perform system security monitoring and testing to ensure adequate security is provided for <server name> | Moderate | High | Moderate
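As an added example (not part of the original article), the Python script below applies the likelihood-and-impact combination used in the Risk Level Evaluation and Risk Assessment Results sections to a small risk register. It follows the risk-level matrix of the 2002 edition of NIST SP 800-30, which the article cites: likelihood weights of 1.0 / 0.5 / 0.1, impact values of 100 / 50 / 10, and a score scale of Low (1 to 10), Moderate (over 10 to 50) and High (over 50 to 100). The class and function names and the sample register rows are assumptions made for this example.

```python
"""Risk level determination for a risk assessment results table.

Added example, not code from the original article. The numeric scheme is the
risk-level matrix of the 2002 edition of NIST SP 800-30; the names and the
sample register below are assumptions made for this example.
"""
from dataclasses import dataclass

# Threat likelihood weights and impact magnitudes from the NIST SP 800-30 (2002) matrix.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Moderate": 50, "Low": 10}

# Corrective-action requirement for each risk level (Risk Level Evaluation section).
ACTION = {
    "High": "Corrective action plan required as soon as possible",
    "Moderate": "Corrective actions to be planned within a reasonable period",
    "Low": "System owner decides whether to correct or accept the risk",
}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the Risk Assessment Results table (assumed structure)."""
    threat: str
    vulnerability: str
    mitigation: str
    likelihood: str   # High / Moderate / Low
    impact: str       # High / Moderate / Low


def risk_score(likelihood: str, impact: str) -> float:
    """Score = likelihood weight x impact value, giving a value between 1 and 100."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_VALUE[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score onto the three-level scale: 1-10 Low, >10-50 Moderate, >50 High."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def prioritize(register):
    """Return (entry, level, action) tuples ordered from highest to lowest score.

    Python's sort is stable, so entries with equal scores keep the order in
    which they were recorded in the register.
    """
    ranked = sorted(register, key=lambda e: risk_score(e.likelihood, e.impact), reverse=True)
    result = []
    for entry in ranked:
        level = risk_level(entry.likelihood, entry.impact)
        result.append((entry, level, ACTION[level]))
    return result


def format_report(register) -> str:
    """Render the prioritized register as one line per risk."""
    lines = []
    for entry, level, action in prioritize(register):
        lines.append(f"{level:8} {entry.threat} / {entry.vulnerability} "
                     f"-> {entry.mitigation} [{action}]")
    return "\n".join(lines)


# Constructed sample register mirroring the three rows of the article's results table.
SAMPLE_REGISTER = [
    RiskEntry("Hurricane", "Power outage",
              "Install backup generators", "Moderate", "Low"),
    RiskEntry("Significant business interruption or disaster", "Lack of disaster recovery plan",
              "Develop and test a disaster recovery plan", "Moderate", "High"),
    RiskEntry("Unauthorized users access the server", "Open access to sensitive content",
              "Perform system security monitoring and testing", "Moderate", "High"),
]

if __name__ == "__main__":
    print(format_report(SAMPLE_REGISTER))
```

Two consequences of this scheme are worth noticing when you fill in the table: a Low likelihood always yields a Low risk, no matter how severe the impact (0.1 x 100 = 10), and a High likelihood against a Moderate impact lands exactly on the Moderate/High boundary (50) and is rated Moderate. If those outcomes do not match your organization's appetite, adjust the weights or thresholds before rating, and record the matrix you used in the Assessment Approach section so the ratings can be reproduced.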

Conclusion

Risk analysis enables you to know which risks are your top priority. By continuously reviewing the key areas, such as permissions, policy, data and users, you can determine which threats pose the highest risk to your IT ecosystem and adjust the necessary controls to improve security and compliance.