A risk assessment should be conducted on every business case proposing the development of a new system or material change to an existing system, or a process. Organizations should define their risk assessment process and circulate it internally so that it is known throughout the organization. For any risk identified in a risk assessment, mitigation strategies should be established.
There are various ways of managing risks; transfer the risk to a third-party, avoid the risk by not engaging in the activity, accept the risk if it falls within the organization’s tolerance, or reduce the risk with internal controls. Risk should be rated as part of the risk assessment process; risks are rated by multiplying the likelihood by the impact. Typically, there are four risk ratings; Critical, High, Medium, and Low.
Process documented and followed with signoff on risk assessments and stored on file.