Overview
Risk assessment is the systematic process of identifying potential threats to your organization, evaluating their likelihood and impact, and determining appropriate risk treatment strategies.

Risk = Likelihood × Impact

Understanding both components helps prioritize which risks need immediate attention.
Risk Assessment Process
1. Identify Risks
   Discover potential threats to your organization
2. Analyze Risks
   Assess the likelihood and impact of each risk
3. Evaluate Risks
   Determine risk severity and prioritization
4. Treat Risks
   Decide on mitigation, acceptance, transfer, or avoidance
5. Monitor Risks
   Track risk status and the effectiveness of controls
Risk Categories
FigoRisk organizes risks into common categories:

Cybersecurity Risks
Threats to information security. Examples:
- Data breaches
- Ransomware attacks
- Phishing campaigns
- Unauthorized access
- DDoS attacks

Operational Risks
Threats to business operations. Examples:
- System failures
- Process breakdowns
- Human errors
- Supply chain disruptions
- Equipment failures

Compliance Risks
Regulatory and legal threats. Examples:
- Regulatory violations
- Data privacy breaches
- Contract non-compliance
- Audit failures
- Legal penalties

Financial Risks
Threats to financial stability. Examples:
- Fraud
- Budget overruns
- Revenue loss
- Investment failures
- Currency fluctuations

Strategic Risks
Threats to business strategy. Examples:
- Market changes
- Competitive threats
- Technology disruption
- Reputation damage
- Leadership changes

Third-Party Risks
Threats from external parties. Examples:
- Vendor failures
- Partner breaches
- Supplier issues
- Contractor problems
- Outsourcing risks
Creating a Risk Assessment
Manual Risk Creation
1. Navigate to Risks
   Click Risk Management in the main navigation
2. Click Add Risk
   Click the + Add Risk button
3. Describe the Risk
   Basic Information:
   - Risk Title: Clear, concise description (e.g., “Ransomware attack on production servers”)
   - Risk Category: Select the appropriate category
   - Description: Detailed explanation of the risk

   Example:
   Title: Data breach through compromised employee credentials
   Category: Cybersecurity
   Description: Unauthorized access to customer database through phishing attack targeting employees with weak passwords
4. Link Affected Assets
   Select assets that would be impacted:
   - Search and select from your asset inventory
   - Multiple assets can be linked
   - Asset criticality influences risk score
5. Assess Likelihood
   How likely is this risk to occur?

   | Level | Description | Frequency |
   |-------|-------------|-----------|
   | Very High | Almost certain to occur | More than once per year |
   | High | Likely to occur | Once per year |
   | Medium | Possible | Once every 2-3 years |
   | Low | Unlikely | Once every 5 years |
   | Very Low | Rare | Less than once every 5 years |

   Select the appropriate likelihood level.
6. Assess Impact
   What would be the impact if this risk occurred?

   | Level | Description | Business Impact |
   |-------|-------------|-----------------|
   | Critical | Catastrophic | Business closure, major financial loss, severe reputation damage |
   | High | Severe | Significant financial impact, compliance violations, major disruption |
   | Medium | Moderate | Financial loss, operational disruption, customer complaints |
   | Low | Minor | Small financial impact, temporary inconvenience |
   | Very Low | Negligible | Minimal or no real impact |

   Consider impact on:
   - Financial (monetary loss)
   - Operational (business disruption)
   - Reputational (brand damage)
   - Compliance (regulatory penalties)
   - Safety (physical harm)
7. Review Risk Score
   FigoRisk automatically calculates the risk score:

   Risk Score = Likelihood × Impact

   Risk levels:
   - Critical: 20-25 (Immediate action required)
   - High: 15-19 (Action required soon)
   - Medium: 10-14 (Monitor and plan)
   - Low: 5-9 (Accept or monitor)
   - Very Low: 1-4 (Accept)
8. Assign Ownership
   - Risk Owner: Person responsible for managing the risk
   - Department: Owning department
   - Due Date: Target date for risk treatment
9. Save Risk
   Click Create Risk
Risk Treatment Strategies
After assessing a risk, choose how to address it:
- Mitigate
- Accept
- Transfer
- Avoid

Mitigate
Reduce likelihood or impact.
When to use:
- Risk is too high to accept
- Cost of controls is reasonable
- Controls are feasible to implement
Actions:
- Implement security controls
- Add redundancy
- Improve processes
- Train employees
- Deploy monitoring
Example:
Risk: Phishing attacks
Mitigation: Deploy email filtering, conduct security awareness training, enable MFA
Risk Treatment Plan
For risks requiring mitigation, create a treatment plan:
1. Open Risk
   Navigate to the risk details page
2. Click Treatment Plan
   Click the Create Treatment Plan button
3. Define Controls
   List specific actions to reduce the risk. Example controls:
   - Implement multi-factor authentication
   - Deploy intrusion detection system
   - Conduct quarterly security training
   - Establish incident response plan
   - Perform regular vulnerability scans
4. Assign Responsibilities
   For each control:
   - Assign responsible person
   - Set target completion date
   - Define success criteria
   - Estimate budget required
5. Track Progress
   Monitor implementation:
   - Mark controls as “Not Started”, “In Progress”, or “Completed”
   - Update notes and findings
   - Document any issues or delays
6. Reassess Risk
   After implementing controls:
   - Reassess likelihood and impact
   - Calculate residual risk score
   - Determine if further action is needed
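The scoring in step 7 of Manual Risk Creation (Risk Score = Likelihood × Impact, banded into Critical/High/Medium/Low/Very Low) and the residual-risk reassessment in step 6 above are the same calculation applied before and after controls. The following Python is an added example, not FigoRisk's code. It assumes the five levels in the likelihood and impact tables map to 1..5 in rank order (Very Low = 1, Very High and Critical = 5); the page does not state the numeric values, and the scores quoted in the Risk Scenarios section later on this page (for example High × Critical = 25) do not all follow from this mapping, so confirm the values the platform actually assigns before relying on it. The "appetite" level used to decide whether further action is needed is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed numeric values for the page's five-level scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
IMPACT = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Severity bands as stated on the page: (lowest score, highest score, level, guidance).
BANDS = [
    (20, 25, "Critical", "Immediate action required"),
    (15, 19, "High", "Action required soon"),
    (10, 14, "Medium", "Monitor and plan"),
    (5, 9, "Low", "Accept or monitor"),
    (1, 4, "Very Low", "Accept"),
]
SEVERITY_ORDER = ["Very Low", "Low", "Medium", "High", "Critical"]


def risk_score(likelihood: str, impact: str) -> int:
    """Risk Score = Likelihood x Impact, using the assumed 1..5 level values."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown level: likelihood={likelihood!r}, impact={impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def severity(score: int) -> str:
    """Map a 1..25 score onto the page's five severity bands."""
    for low, high, level, _guidance in BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside 1..25")


@dataclass(frozen=True)
class Assessment:
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return severity(self.score)


def residual(inherent: Assessment, likelihood: Optional[str] = None,
             impact: Optional[str] = None) -> Assessment:
    """Reassess after controls are in place: a control may lower likelihood,
    impact, or both; components not given keep their inherent value."""
    return Assessment(likelihood or inherent.likelihood, impact or inherent.impact)


def further_action_needed(assessment: Assessment, appetite: str = "Low") -> bool:
    """True while the residual severity is still above the level the organisation
    accepts. The 'appetite' threshold is an assumption, not a FigoRisk setting."""
    return SEVERITY_ORDER.index(assessment.level) > SEVERITY_ORDER.index(appetite)


def worked_example():
    """Constructed case: phishing leading to credential compromise. Inherent
    High/High; MFA plus awareness training is judged to lower likelihood to Low."""
    inherent = Assessment("High", "High")                   # 4 x 4 = 16 -> High
    after_controls = residual(inherent, likelihood="Low")   # 2 x 4 = 8  -> Low
    return inherent, after_controls


if __name__ == "__main__":
    before, after = worked_example()
    print(f"inherent: {before.score} ({before.level}), further action: {further_action_needed(before)}")
    print(f"residual: {after.score} ({after.level}), further action: {further_action_needed(after)}")
```

Because each level is an integer 1..5, only 14 distinct products are possible (1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25), which is why the page's bands have gaps such as 17-19 that no assessment can land in; the band lookup is written as inclusive ranges so it stays correct if the platform uses non-integer weights.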
Key Risk Indicators (KRIs)
Monitor risk levels with measurable indicators:

Setting Up KRIs
1. Navigate to KRIs
   Go to Risk Management → Key Risk Indicators
2. Create KRI
   Click + Add KRI and fill in:
   - KRI Name: e.g., “Failed Login Attempts”
   - Description: What this measures
   - Related Risk: Link to risk
   - Unit: Count, Percentage, Days, etc.
   - Measurement Frequency: Daily, Weekly, Monthly
3. Set Thresholds
   Define alert levels:
   - Green (Normal): < 10 failed logins/day
   - Yellow (Warning): 10-50 failed logins/day
   - Red (Critical): > 50 failed logins/day
4. Assign Owner
   Who monitors this KRI and responds to alerts?
5. Save KRI
   Click Create KRI
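The threshold definition in step 3 leaves one practical question open: what happens at exactly 10 or exactly 50 failed logins, and how an owner avoids being paged every day of a sustained warning. The Python below is an added example, not FigoRisk's code. It encodes the page's Green/Yellow/Red bands with inclusive Yellow boundaries, evaluates a constructed week of daily counts, and also generalises to indicators where a low value is the problem (an uptime-percentage KRI with assumed thresholds), since the page lists both count and percentage units.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Thresholds:
    """Green / Yellow / Red bands for one KRI.

    For a 'higher is worse' indicator (failed logins, phishing click rate):
    below `warning` is Green, `warning`..`critical` inclusive is Yellow, above
    `critical` is Red. For 'lower is worse' indicators (uptime percentage) the
    comparisons are mirrored. Inclusive Yellow boundaries follow the page's
    "Yellow: 10-50" wording, so exactly 10 or exactly 50 is a warning, not normal.
    """
    warning: float
    critical: float
    higher_is_worse: bool = True

    def __post_init__(self) -> None:
        ordered = (self.warning <= self.critical) if self.higher_is_worse \
            else (self.warning >= self.critical)
        if not ordered:
            raise ValueError("warning and critical thresholds are in the wrong order")

    def status(self, value: float) -> str:
        if self.higher_is_worse:
            if value < self.warning:
                return "Green"
            return "Yellow" if value <= self.critical else "Red"
        if value > self.warning:
            return "Green"
        return "Yellow" if value >= self.critical else "Red"


# The page's example KRI: < 10 Green, 10-50 Yellow, > 50 Red (per day).
FAILED_LOGINS = Thresholds(warning=10, critical=50)
# Assumed thresholds for an uptime KRI, where a low value is the problem.
UPTIME_PCT = Thresholds(warning=99.9, critical=99.0, higher_is_worse=False)

# Constructed sample: one week of daily failed-login counts.
SAMPLE_WEEK = [
    ("2024-03-04", 3), ("2024-03-05", 9), ("2024-03-06", 10), ("2024-03-07", 27),
    ("2024-03-08", 50), ("2024-03-09", 51), ("2024-03-10", 120),
]


def evaluate(series: Sequence[Tuple[str, float]],
             thresholds: Thresholds) -> List[Tuple[str, float, str]]:
    """Attach a status to each (period, value) measurement."""
    return [(period, value, thresholds.status(value)) for period, value in series]


def alerts(series: Sequence[Tuple[str, float]],
           thresholds: Thresholds) -> List[Tuple[str, str]]:
    """Periods on which the KRI owner should be notified: every Red period, plus
    the first period of each run of Yellow, so a sustained warning raises one
    alert rather than one per measurement."""
    notify = []
    previous = "Green"
    for period, _value, status in evaluate(series, thresholds):
        if status == "Red" or (status == "Yellow" and previous != "Yellow"):
            notify.append((period, status))
        previous = status
    return notify


if __name__ == "__main__":
    for period, value, status in evaluate(SAMPLE_WEEK, FAILED_LOGINS):
        print(f"{period}: {value:>4} failed logins -> {status}")
    print("alerts:", alerts(SAMPLE_WEEK, FAILED_LOGINS))
```

Whatever tool evaluates the KRI, write the boundary rule down next to the thresholds as this class does; "10-50" read as exclusive on one side and inclusive on the other is a common reason two teams report different colours for the same day's count.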
Common KRIs by Category

Cybersecurity KRIs
- Number of security incidents per month
- Percentage of systems with critical vulnerabilities
- Time to patch critical vulnerabilities
- Failed login attempts
- Phishing email click rate
- Systems without current antivirus

Operational KRIs
- System uptime percentage
- Mean time to recovery (MTTR)
- Number of process exceptions
- Training completion rate
- Backup success rate
- Change success rate

Compliance KRIs
- Open compliance findings
- Days overdue on compliance tasks
- Policy acknowledgment rate
- Audit findings severity
- Control test failures
- Regulatory change backlog

Third-Party KRIs
- Vendors without current assessments
- Critical vendor SLA breaches
- Vendor security incidents
- Contract renewal deadlines approaching
- Third-party audit findings
Risk Register
The risk register is your central repository of all identified risks:

Viewing the Risk Register
1. Access Register
   Go to Risk Management → Risk Register
2. Review Risks
   See all risks with key information:
   - Risk title and description
   - Risk score and severity
   - Owner and status
   - Treatment strategy
   - Last review date
3. Apply Filters
   Filter by:
   - Severity: Critical, High, Medium, Low
   - Category: Cybersecurity, Operational, etc.
   - Status: Open, In Treatment, Mitigated, Accepted
   - Owner: Specific person or department
   - Assets: Risks affecting specific assets
4. Sort View
   Sort by:
   - Risk score (highest first)
   - Last review date
   - Due date
   - Creation date
Risk Register Reports
Generate comprehensive risk reports:
- Executive Summary
- Detailed Register
- Department View
- Heat Map

Executive Summary
High-level overview for leadership. Includes:
- Total risks by severity
- Top 10 critical risks
- Risk trend analysis
- Treatment plan status
- Budget vs actual spend
Best for: Board meetings, executive reviews
Risk Review Process
Regular risk reviews ensure risks remain current:

Periodic Risk Review
1. Schedule Reviews
   Set review frequency based on risk level:
   - Critical/High: Monthly
   - Medium: Quarterly
   - Low: Semi-annually
2. Open Risk for Review
   Navigate to risk details and click Review Risk
3. Assess Changes
   Consider:
   - Has the threat landscape changed?
   - Are controls still effective?
   - Has asset criticality changed?
   - Are there new vulnerabilities?
   - Has business context changed?
4. Update Risk
   If needed:
   - Update likelihood or impact
   - Adjust treatment plan
   - Add new controls
   - Change ownership
5. Document Review
   - Add review notes
   - Record decisions made
   - Set next review date
   - Mark review as complete
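Step 1's review frequencies and step 5's "set next review date" together define when a risk becomes an overdue review (the item the Risk Dashboard's Overdue Items widget surfaces). The Python below is an added example, not FigoRisk's code: it derives each risk's next review date from its severity using the page's intervals, then lists what is overdue on a given date, most overdue first. The register entries are constructed sample data; risks rated Very Low have no stated frequency on the page and are given the Low (semi-annual) interval here, which is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Review intervals in months, from the page: Critical/High monthly, Medium
# quarterly, Low semi-annually. Very Low is assumed to follow Low.
REVIEW_INTERVAL_MONTHS = {"Critical": 1, "High": 1, "Medium": 3, "Low": 6, "Very Low": 6}


def add_months(d: date, months: int) -> date:
    """Calendar-month addition that clamps the day of month, so a review done on
    31 January is next due on the last day of February, not in March."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class RegisterEntry:
    title: str
    severity: str
    last_review: date

    def next_review(self) -> date:
        return add_months(self.last_review, REVIEW_INTERVAL_MONTHS[self.severity])


def overdue(register: List[RegisterEntry], today: date) -> List[Tuple[str, int]]:
    """(title, days overdue) for every risk whose next review date has passed,
    most overdue first. A review due today is not yet overdue."""
    late = [(e.title, (today - e.next_review()).days)
            for e in register if e.next_review() < today]
    return sorted(late, key=lambda item: item[1], reverse=True)


# Constructed sample register.
SAMPLE_REGISTER = [
    RegisterEntry("Ransomware attack", "Critical", date(2024, 1, 31)),
    RegisterEntry("Insider threat", "High", date(2024, 2, 20)),
    RegisterEntry("Cloud provider outage", "Medium", date(2023, 11, 15)),
    RegisterEntry("Stale vendor assessment", "Low", date(2023, 10, 1)),
]


if __name__ == "__main__":
    as_of = date(2024, 3, 10)
    for entry in SAMPLE_REGISTER:
        print(f"{entry.title:<28} {entry.severity:<9} next review {entry.next_review()}")
    print("overdue on", as_of, "->", overdue(SAMPLE_REGISTER, as_of))
```

On 10 March 2024 the sample gives two overdue reviews: the Medium risk last reviewed on 15 November 2023 (due 15 February, 24 days late) and the Critical risk last reviewed on 31 January (due 29 February, 10 days late); the High and Low entries are still within their intervals.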
Risk Scenarios
Common Risk Assessment Examples

Ransomware Attack
Risk Description: Ransomware encrypts critical business systems, demanding payment for decryption keys
Assessment:
- Likelihood: High (frequent attacks)
- Impact: Critical (business shutdown)
- Risk Score: 25
Treatment:
- Mitigate through:
  - Email filtering and anti-phishing training
  - Regular offline backups
  - Network segmentation
  - Endpoint detection and response (EDR)
  - Incident response plan

Insider Threat
Risk Description: Disgruntled employee exfiltrates sensitive customer data
Assessment:
- Likelihood: Medium (possible but not common)
- Impact: High (compliance violations, reputation damage)
- Risk Score: 15
Treatment:
- Mitigate through:
  - Data loss prevention (DLP) tools
  - Access controls and monitoring
  - Background checks
  - Exit procedures
  - User behavior analytics

Cloud Provider Outage
Risk Description: Primary cloud provider experiences extended outage
Assessment:
- Likelihood: Low (rare but possible)
- Impact: High (service disruption)
- Risk Score: 12
Treatment:
- Mitigate through:
  - Multi-region deployment
  - Disaster recovery plan
  - Regular backup testing
  - SLA monitoring
- Accept: Some downtime acceptable given low likelihood

Data Privacy Violation
Risk Description: Accidental disclosure of personal data violates NDPR/GDPR
Assessment:
- Likelihood: Medium (human error possible)
- Impact: Critical (regulatory fines, reputation)
- Risk Score: 20
Treatment:
- Mitigate through:
  - Data classification and handling procedures
  - Privacy training for all staff
  - Data access controls
  - Privacy impact assessments
  - Incident response procedures
  - Regular compliance audits
Risk Dashboard
Monitor your risk posture at a glance:

Dashboard Widgets

Risk Overview
Distribution of risks by severity:
- Critical: X risks
- High: X risks
- Medium: X risks
- Low: X risks

Risk Trends
Risk changes over time:
- New risks this month
- Mitigated risks
- Risk score trends

Top Risks
Your highest priority risks:
- Ordered by risk score
- Quick view of treatment status
- Days since last review

Overdue Items
Items requiring attention:
- Overdue risk reviews
- Overdue treatment actions
- KRIs in red status
Best Practices
Risk Assessment Best Practices

Risk Identification:
- Involve multiple stakeholders
- Use past incidents as learning opportunities
- Consider industry trends and threats
- Review risks from similar organizations
- Don’t forget “black swan” events

Risk Assessment:
- Use consistent criteria across all risks
- Document assumptions and rationale
- Consider both inherent and residual risk
- Involve subject matter experts
- Update regularly as context changes

Risk Treatment:
- Prioritize based on risk score
- Balance risk reduction with cost
- Implement controls in phases
- Test effectiveness of controls
- Document all decisions

Risk Monitoring:
- Review risks at least quarterly
- Track KRIs consistently
- Report to management regularly
- Adjust as business changes
- Learn from realized risks
Integration with Other Modules
Risk assessments connect to:
- Assets: View risks affecting specific assets
- Compliance: Link risks to compliance requirements
- Incidents: Convert incidents to risks
- Controls: Track control effectiveness