System risk is defined as the potential of the system to fail to operate according to its specifications, at some point, due to predicted or unforeseen circumstances. Risk may be introduced as a result of the design, implementation, or routine operation of the system, including human interactions or processes.

No system is without risk, as it is impossible to predict every event that will or may occur in the future use of a system. However, an evaluation of the sources of risk, and consideration of features or operational controls that reduce any risks, is an essential part of system design, implementation, and operations.
An assessment of the system risk is based upon the system infrastructure. The purpose of the Risk Assessment is to provide a verifiable assurance that system risks are nown and reduced to the most reasonable level that balances cost, efficiency, and compliance.

Taking active steps to reduce the possible effects of risks is not indicative of pessimism, but is a positive indication of good management. Many possible options exist for addressing risk, including:

• Prevention - where countermeasures are put in place either threat or problem occurring or prevent its having any impact.
• Reduction - where the actions either reduce the likelihood of the risk occurring or limit the impact on the project to acceptable levels.
• Transference - a specialist form of risk reduction where the risk is transferred to a third party such as a contractor or insurance company
• Contingency - where actions are planned or organised which will come into force as and when the risk occurs.
• Acceptance - where the company decides to go ahead and accept the possibility that the risk might occur and is willing to accept the consequences

The essence of Risk Assessment is to

1. Determine those business functions that are supported by the IT infrastructure
2. How important those business functions are to the overall business
3. Referring to those functions that do make an overall impact
   1. Determine the component parts (data, program, hardware) of the supporting IT infrastructure
   2. Assess their recoverability and any options for duplication
4. Determine and classify the net unmitigated risks.

There are three important components to any business

• Revenue
• Costs
• Assets

The role of IT is to manage all three of these components. Just how well it does that is beyond the scope of risk assessment. Risk assessment simply aims to ask the questions

• What happens to the management of these items if various IT components fail? and
• What are those components?

• Derives revenue and the role IT plays in that
• Manages costs and the role IT plays in that
• Manages and exploits assets and the role IT plays in that

In order to derive the starting business perspective, there is an Excel spreadsheet with which to record the basic business criteria.
This spreadsheet was constructed with the basic elements of Risk Assessment in mind.

Once these basic elements have been considered, one of two models of risk assessment are applied to the findings. One of the models is to approach the findings in a quantitative manner. The other is a qualitative manner.
These approaches are not exclusive and in the final document a mixture of the two may be used, depending on circumtances.

Risk Assessment Exercise