## Why It Matters
Risk assessment is the starting point of all compliance work. You can't protect against risks you haven't identified, and you can't allocate resources effectively without understanding which risks matter most. Every major regulation — GDPR, NIS2, SOX, AML, HIPAA — requires some form of risk assessment. Regulators evaluate whether risk assessments are thorough, current, and actually influence decision-making.
## The Risk Assessment Process
### 1. Identify Risks
- Brainstorming with stakeholders across departments
- Historical analysis of past incidents and near-misses
- Regulatory requirements — what do applicable laws require?
- Industry benchmarks — what threats are common in your sector?
- Threat intelligence — current and emerging threats
- Asset inventory — what are you trying to protect?
### 2. Analyze Risks
For each identified risk, evaluate:
- Likelihood — how probable is this risk materializing? (rare, unlikely, possible, likely, almost certain)
- Impact — how severe would the consequences be? (negligible, minor, moderate, major, catastrophic)
- Velocity — how quickly would the risk materialize?
- Existing controls — what measures are already in place?
### 3. Evaluate and Prioritize
Use a risk matrix to plot risks by likelihood (rows) and impact (columns):
| | Negligible | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | Medium | High | High | Critical | Critical |
| Likely | Low | Medium | High | High | Critical |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |
### 4. Treat Risks
For each risk, choose a strategy:
- Mitigate — implement controls to reduce likelihood or impact
- Accept — acknowledge the risk and monitor (for low-priority risks)
- Transfer — shift the risk to a third party (insurance, outsourcing)
- Avoid — stop the activity that creates the risk
### 5. Document and Monitor
- Record the assessment in a risk register
- Assign risk owners
- Define review frequency
- Update when circumstances change
## Types of Risk Assessments
| Type | Focus | Required By |
|---|---|---|
| DPIA | Data protection risks of specific processing | GDPR Article 35 |
| Cybersecurity risk assessment | IT and information security risks | NIS2, ISO 27001, NIST |
| AML risk assessment | Money laundering and terrorism financing risks | EU AML Directives, FATF |
| Compliance risk assessment | Regulatory non-compliance risks across all areas | DOJ guidelines, ISO 37301 |
| Operational risk assessment | Business process and operational failures | Basel III (banking), ISO 31000 |
| Third-party risk assessment | Risks from vendors and suppliers | GDPR Article 28, NIS2, DORA |
## Qualitative vs Quantitative
- Qualitative: uses descriptive scales (high/medium/low) — simpler, faster, subjective
- Quantitative: uses numerical values (probability %, financial impact in €) — more precise, data-intensive
- Most organizations use a hybrid — qualitative for initial screening, quantitative for top risks
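The following is an added example, not part of the original page, showing the five-step process above and the hybrid approach as working code: a small risk register that rates each risk on the page's 5x5 matrix, derives a residual rating from existing controls, picks a treatment, schedules a review, and applies quantitative annualized loss expectancy (ALE = annual rate of occurrence x single loss expectancy) only to the risks for which figures have been gathered. The scales and matrix come from the page; the review cadence, the treatment rule, the control model (steps on the qualitative scales, multipliers on ARO/SLE), and every risk, owner and figure in the sample register are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Scales and the 5x5 matrix exactly as given in the risk assessment process above.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "catastrophic"]
MATRIX = {  # row: likelihood; columns: negligible .. catastrophic
    "almost certain": ["Medium", "High", "High", "Critical", "Critical"],
    "likely":         ["Low", "Medium", "High", "High", "Critical"],
    "possible":       ["Low", "Medium", "Medium", "High", "High"],
    "unlikely":       ["Low", "Low", "Medium", "Medium", "High"],
    "rare":           ["Low", "Low", "Low", "Medium", "Medium"],
}
RATING_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Assumed review cadence per rating in days (a policy choice, not from the page).
REVIEW_DAYS = {"Critical": 30, "High": 90, "Medium": 180, "Low": 365}


def rate(likelihood: str, impact: str) -> str:
    """Look up the qualitative rating for a likelihood/impact pair."""
    return MATRIX[likelihood][IMPACT.index(impact)]


def step_down(scale: List[str], value: str, steps: int) -> str:
    """Move `value` down the scale by `steps`, never below the lowest entry."""
    return scale[max(0, scale.index(value) - steps)]


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale (qualitative model, assumed)
    impact_reduction: int = 0      # steps down the impact scale (qualitative model, assumed)
    aro_factor: float = 1.0        # multiplier on annual rate of occurrence (quantitative, assumed)
    sle_factor: float = 1.0        # multiplier on single loss expectancy (quantitative, assumed)
    annual_cost: float = 0.0       # EUR per year


@dataclass
class Risk:
    id: str
    description: str
    owner: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)
    aro: Optional[float] = None  # annual rate of occurrence, gathered only for top risks
    sle: Optional[float] = None  # single loss expectancy in EUR, likewise

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual_rating(self) -> str:
        """Rating after existing controls have moved the likelihood/impact scores."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = step_down(LIKELIHOOD, lik, c.likelihood_reduction)
            imp = step_down(IMPACT, imp, c.impact_reduction)
        return rate(lik, imp)

    def treatment(self) -> str:
        # Assumed rule: Low residual risk is accepted and monitored, anything higher is
        # mitigated; transfer and avoid stay a management decision and are not derived here.
        return "accept" if self.residual_rating() == "Low" else "mitigate"

    def ale(self) -> Optional[float]:
        """Annualized loss expectancy = ARO x SLE; None until quantitative data exists."""
        if self.aro is None or self.sle is None:
            return None
        return round(self.aro * self.sle, 2)

    def residual_ale(self) -> Optional[float]:
        """ALE once each control's ARO and SLE multipliers are applied."""
        ale = self.ale()
        if ale is None:
            return None
        for c in self.controls:
            ale *= c.aro_factor * c.sle_factor
        return round(ale, 2)


def control_net_benefit(risk: Risk) -> Optional[float]:
    """ALE reduction delivered by the controls minus their yearly cost (None if unquantified)."""
    if risk.ale() is None:
        return None
    return round(risk.ale() - risk.residual_ale() - sum(c.annual_cost for c in risk.controls), 2)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest residual rating first, inherent rating as tie-breaker, then id for a stable order."""
    return sorted(risks, key=lambda r: (-RATING_RANK[r.residual_rating()],
                                        -RATING_RANK[r.inherent_rating()], r.id))


def register(risks: List[Risk], assessed_on: date) -> List[dict]:
    """Risk register rows: ratings, owner, treatment, quantified loss and next review date."""
    rows = []
    for r in prioritize(risks):
        rating = r.residual_rating()
        rows.append({"id": r.id, "description": r.description, "owner": r.owner,
                     "inherent": r.inherent_rating(), "residual": rating,
                     "treatment": r.treatment(), "residual_ale": r.residual_ale(),
                     "review_due": assessed_on + timedelta(days=REVIEW_DAYS[rating])})
    return rows


# Constructed sample register: hypothetical risks, owners, controls and figures.
SAMPLE_RISKS = [
    Risk("R1", "Ransomware on file servers", "Head of IT", "likely", "major",
         [Control("Offline backups", impact_reduction=1, sle_factor=0.25, annual_cost=20000),
          Control("EDR on all endpoints", likelihood_reduction=1, aro_factor=0.4, annual_cost=50000)],
         aro=0.5, sle=800000),
    Risk("R2", "Lost unencrypted laptop", "CISO", "possible", "moderate",
         [Control("Full-disk encryption", impact_reduction=2)]),
    Risk("R3", "Insider fraud in payment approvals", "CFO", "unlikely", "catastrophic"),
    Risk("R4", "Phishing credential theft", "CISO", "almost certain", "minor",
         [Control("Phishing-resistant MFA", likelihood_reduction=2)]),
]

if __name__ == "__main__":
    for row in register(SAMPLE_RISKS, date(2025, 1, 15)):
        print(row)
```

Running it lists R3 first (High both before and after controls, nothing mitigating it yet), the two ransomware/phishing risks next (High inherent, Medium residual), and the laptop risk last (Low residual, accepted). Only R1 carries ARO/SLE figures, so only it gets an ALE and a cost-benefit check on its controls; that is the hybrid pattern the text describes, with the qualitative screen done for every risk and the quantitative work reserved for the ones that rank highest.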
## Key Regulation
- GDPR Article 35 — DPIA for high-risk processing
- NIS2 Article 21 — risk-based cybersecurity measures
- ISO 31000:2018 — risk management guidelines
- NIST SP 800-30 — Guide for Conducting Risk Assessments
- COSO ERM — enterprise risk management framework