Conducting Risk Assessments

What is a risk assessment?

A risk assessment is a systematic process to identify, evaluate and prioritize potential risks that could affect your organization. It involves analyzing threats, vulnerabilities and potential impact to effectively manage risks.

The process consists of five main steps:

  1. Identify risks - Map threats and vulnerabilities
  2. Analyze risks - Determine likelihood and impact
  3. Determine treatment - Accept, avoid, reduce or transfer
  4. Evaluate residual risks - Compare with acceptance criteria
  5. Monitor and adjust - Monitor effectiveness and adapt

Info

Risk assessment frequency: Perform a complete risk assessment at least annually, or more frequently when there are significant changes in organization, technology, or business environment.

Performing risk assessment

Starting an Assessment

  1. Go to the Risks page via the main menu
  2. Click on a risk name to open the details
  3. Select the "Rating" tab in the interface

(Screenshot: Risk assessment interface)

Assessing inherent risk

Estimating likelihood and impact

Setting Likelihood:

  1. Select the Likelihood dropdown
  2. Choose from available options:
    • 1 - Remote - Rarely or never occurring (<1% chance per year)
    • 2 - Unlikely - Improbable but possible (1-10% chance per year)
    • 3 - Possible - Reasonable chance of occurring (11-50% chance per year)
    • 4 - Likely - Probable within foreseeable time (51-90% chance per year)
    • 5 - Very likely - Almost certain to happen (>90% chance per year)

Determining Impact:

  1. Select the Impact dropdown
  2. Assess potential damage:
    • 1 - Insignificant - Negligible consequences
    • 2 - Minor - Limited impact on organization
    • 3 - Moderate - Significant but manageable consequences
    • 4 - Major - Serious impact on business operations
    • 5 - Extreme - Critical threat to organization

Automatic risk score:

  • Tidal automatically calculates: Likelihood × Impact = Risk Score
  • Score 1-6: Low risk (green)
  • Score 7-15: Medium risk (orange)
  • Score 16-25: High risk (red)

Adding comments

Supporting your assessment:

  1. Use the Comments field to justify your estimation
  2. Describe specific factors that influence likelihood
  3. Explain what impact is expected from this risk
  4. Reference concrete examples or historical incidents

Using AI support:

  • Click "Ask TidalBot" or the TidalBot icon (3 stars) for automated risk assessment
  • AI analyzes organizational context and generates realistic assessment
  • Review and adjust based on specific circumstances

Tip

Consistent assessment: Use the same criteria for all risks. Document your assessment methodology to ensure consistency between different assessors.

Determining Treatment Plan

Selecting treatment options

After assessing inherent risk, you must determine how the risk will be treated:

Reduce - Most commonly used option:

  • Implement controls to decrease likelihood or impact
  • Example: Install firewall against cyber attacks
  • Suitable for: Medium to high risks that can be influenced

Accept:

  • Consciously accept the risk without additional measures
  • Example: Low financial risk that's more expensive to mitigate
  • Suitable for: Low risks or where mitigation isn't cost-effective

Transfer:

  • Shift risk to another party (insurance, outsourcing)
  • Example: Purchase cyber insurance for data breach risks
  • Suitable for: Financial risks or specialized expertise

Avoid:

  • Completely stop the activity causing the risk
  • Example: Not using certain technology
  • Suitable for: Very high risks where alternatives exist

Chose Reduce? Then also link controls

Selecting controls:

  1. Choose "Reduce" as treatment
  2. Review any controls that are already linked to the risk
  3. Add relevant controls by selecting the Controls field and searching or selecting from the list
  4. Several controls can be linked to one risk

Effective control mapping:

  • Preventive controls - Prevent risk from occurring
  • Detective controls - Detect when risk occurs
  • Corrective controls - Restore after risk incident
  • Compensating controls - Alternative protection

Notes (Comments):

  • Explain why you chose this treatment
  • Describe how controls mitigate the risk
  • Mention any limitations of chosen approach

Assessing Residual Risk

Estimating residual risk

After treatment, you must assess the remaining risk:

New likelihood and impact:

  1. Consider effect of linked controls
  2. Set new Likelihood (usually lower due to preventive controls)
  3. Determine new Impact (possibly lower due to detective/corrective controls)
  4. Automatic recalculation of Residual Risk score

Realistic estimation:

  • Controls aren't 100% effective - Account for implementation gaps
  • Human factor - Procedures may not always be followed correctly
  • Technical limitations - Systems can fail or be bypassed
  • New threats - Risks evolve despite current controls

Assessing acceptability

Testing risk appetite:

  • Compare residual risk with organizational risk appetite
  • High residual risk may require additional controls
  • Acceptable residual risk can be approved by management

Warning

Residual risk >= Inherent risk: If the residual risk score is higher than the inherent score, re-check your risk assessment. This can happen with poor control implementation or new threats.
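The scoring and sanity checks described above (Likelihood × Impact, the Low/Medium/High bands, linking controls when Reduce is chosen, and the residual-versus-inherent warning) are easy to get wrong when a register is maintained by several assessors. The following is an added example, not part of Tidal Control or its documentation: a small Python model of a risk register that scores each risk, applies those checks, and compares the residual band with a risk appetite. The risk register, the control names and the idea of expressing risk appetite as "the highest band management accepts" are assumptions made for this example; the treatment of a missing residual score as equal to the inherent score is likewise an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scales as defined on the Rating tab (1-5 for both dimensions).
LIKELIHOOD = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
TREATMENTS = ("Reduce", "Accept", "Transfer", "Avoid")
BANDS = ("Low", "Medium", "High")  # ordered from least to most severe


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, after validating both values are on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"likelihood {likelihood!r} and impact {impact!r} must be integers 1-5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score to the colour band Tidal shows: 1-6 Low, 7-15 Medium, 16-25 High."""
    if score <= 6:
        return "Low"
    if score <= 15:
        return "Medium"
    return "High"


@dataclass
class Risk:
    name: str
    inherent_likelihood: int
    inherent_impact: int
    treatment: str
    controls: list = field(default_factory=list)
    # Assumption for this example: a residual value that was never set is taken
    # to equal the inherent value, i.e. no reduction is claimed.
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None


def evaluate(risk: Risk, appetite_band: str = "Medium") -> dict:
    """Score one risk, run the register sanity checks, and decide whether the
    residual band is within the appetite band (assumed to be the highest band
    management will accept)."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    if appetite_band not in BANDS:
        raise ValueError(f"unknown appetite band {appetite_band!r}")

    inherent = risk_score(risk.inherent_likelihood, risk.inherent_impact)
    res_l = risk.residual_likelihood if risk.residual_likelihood is not None else risk.inherent_likelihood
    res_i = risk.residual_impact if risk.residual_impact is not None else risk.inherent_impact
    residual = risk_score(res_l, res_i)

    warnings = []
    # Reduce without linked controls: nothing on record justifies a lower residual score.
    if risk.treatment == "Reduce" and not risk.controls:
        warnings.append("treatment is Reduce but no controls are linked")
    # Residual above inherent means the assessment itself needs re-checking.
    if residual > inherent:
        warnings.append(f"residual score {residual} exceeds inherent score {inherent}; re-check assessment")

    residual_band = risk_band(residual)
    acceptable = BANDS.index(residual_band) <= BANDS.index(appetite_band) and not warnings
    return {
        "name": risk.name,
        "inherent_score": inherent,
        "inherent_band": risk_band(inherent),
        "residual_score": residual,
        "residual_band": residual_band,
        "warnings": warnings,
        "acceptable": acceptable,
    }


# Constructed sample register for this example (not real Tidal data).
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 4, 5, "Reduce",
         controls=["Offline backups", "Endpoint detection and response"],
         residual_likelihood=2, residual_impact=4),
    Risk("Office printer outage", 3, 1, "Accept"),
    Risk("Unpatched legacy VPN appliance", 4, 4, "Reduce",
         residual_likelihood=5, residual_impact=4),
]


def evaluate_register(register=SAMPLE_REGISTER, appetite_band: str = "Medium") -> list:
    """Evaluate every risk in a register against one appetite band."""
    return [evaluate(r, appetite_band) for r in register]


if __name__ == "__main__":
    for result in evaluate_register():
        flag = "OK    " if result["acceptable"] else "REVIEW"
        print(f"{flag} {result['name']}: inherent {result['inherent_score']} ({result['inherent_band']}), "
              f"residual {result['residual_score']} ({result['residual_band']})")
        for w in result["warnings"]:
            print("       - " + w)
```

Running the script lists the ransomware risk as acceptable (inherent 20, High; residual 8, Medium, with two controls linked), the printer outage as acceptable (3, Low, accepted as-is), and the VPN appliance as needing review because Reduce was chosen with no controls and the residual score (20) exceeds the inherent score (16), which is exactly the situation the warning above describes.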

Using AI support

Deploying TidalBot

Automatic assessment:

  1. Click "Ask TidalBot" in Comments section
  2. AI analyzes:
    • Organizational context and sector
    • Available asset information
    • Similar risks in database
    • Industry best practices

Using AI output:

  • Review generated assessment critically
  • Adjust for specific context of your organization
  • Add organization-specific factors
  • Use as starting point for stakeholder discussion

AI limitations:

  • May miss recent developments
  • Requires human validation and contextual knowledge

Best practices for assessment

Objective assessment

Ensuring consistency:

  • Use standard criteria for likelihood and impact scores
  • Involve multiple stakeholders for broader perspective
  • Document assumptions and starting points
  • Review assessments periodically with "fresh eyes"

Evidence-based approach:

  • Reference historical data where available
  • Analyze similar organizations and their experiences
  • Use industry statistics for sector calibration
  • Draw on expert judgement, for example assessments by risk specialists

Assessment validation (optional)

Peer review process:

  • Second assessor checks assessment
  • Management review for high risks
  • Subject matter expert input for technical risks
  • Cross-functional feedback for business impacts

Quality controls:

  • Logical consistency between likelihood and impact
  • Realistic treatment options chosen
  • Adequate control coverage where risks are treated with controls
  • Proportional effort relative to risk level

Next steps

After conducting risk assessment, you can:

  • Implement controls to reduce risks
  • Verify asset scope for complete risk coverage
  • Generate risk reporting to keep management informed
  • Plan periodic reviews to monitor risk developments

Tip

Start with high-impact risks: Begin your assessment with risks that have the greatest potential impact on your organization. This provides the best results for your risk management.