When we talk about risk management, we are talking about those business processes that support you in making decisions and help you protect your company assets reasonably and prudently. In doing so, you are dealing with uncertainty, or in other words, evaluate the effectiveness of your strategies by considering the various factors that may act as an inhibitor.

In modern society, where both economic and non-economic activities are based mainly on the flow and processing of information, consequently, one of the critical areas of risk management is becoming the provision of information security. Organizations are only well aware of its importance, as it is comprehensive and requires that we take into account the impact of the technology itself as well as the social aspect of management.

Think about it! In modern organizations, almost all employees deal with the technology most of their time, which is why the threats of various unauthorized interventions, intrusions, data theft or loss of intellectual property are practically innumerable are always present. All of them, however, can lead to significant business damage and loss of reputation.

As we have repeatedly pointed out in our blogs, business risks, including information risks, can never be avoided entirely. Indeed, in an increasingly relentless competition, any company must identify, evaluate and evaluate the risks within its organization, and design effective processes to help manage them.

How to deal with the identification and management of information risks?

The first step, of course, is to answer the question of what risk is. I point out two criteria:

– Existence of uncertainty: Risk exists when an event or development of a particular situation is uncertain, unexpected.
– Potential adverse effect: The risk exists if the unpredictable event causes damage or an outcome worse than expected.

There are several ways to identify risks, which we have already written about in more detail. The easiest is to ask ourselves what are the chances that might arise in our business area, and with the brainstorming technique, try to compile a list of those that are most important to us.
One possibility is to scrutinize business processes, identify the necessary resources for the operation of processes and, taking into account the probability of some threats, determine the effects on expected added value, and then combine information to get a list of risks.

To help us identify risks in the field of information security management, we can also use established international standards. Among them are the international standard ISO / IEC 27001 for information security management system or ISO / IEC 27005, which provides guidelines for risk management in the context of security management system information.

Process approach: eat a large watermelon in small pieces

Risk management is the most effective when it becomes part of everyday tasks, meaning when you incorporate it into business processes. In doing so, the complexity of the process itself usually increases with the size of the organization. Therefore, it makes sense to start with smaller, manageable steps, which, with continuous improvement in the Deming Circle1, expand our scope over time, go into more and more detail and improve the information already obtained.

The process approach is hugely suitable for identifying information risks, as it helps to identify potential risks that threaten processes through the identification of sources for information processing, the importance of resources in operations and activities, and a set of appropriate threats. In the process approach, it is also essential that process owners are involved in the identification of risks, as the latter usually have the highest quality information.

We start collecting information to determine risks in business processes. As an essential guide, you should ask yourself how the threats affect the added value which the process should create. In most cases, we can measure added value with financial impact, but this is not necessarily the case. Also, the formal existence and documentation of processes vary from organization to organization. Thus, we can also use a less precise and less detailed list of methods in risk identification, especially if we are in the initial steps of risk management. For more natural control, we can also break down the processes into smaller units or. on individual activities.

Processes and their activities need resources to a greater or lesser extent. It follows that any deviation from the expected resource operation potentially reduces the efficiency of the process operation. For this reason, when determining risks, we focus on resources and their impact on the processes.
We can make the process of identifying resources in an individual process more manageable by asking ourselves about the existence of resources within known categories or groups, for example: do we have resources that represent hardware, software, data, people, infrastructure, and the like. It is also essential to know that these resources can appear in several processes at the same time, and their impact on the operation of an individual process can vary greatly.

In the process of identifying risks, we focus on resources, or more precisely on deviations from the expected operation of resources. The factors that cause these deviations, however, can be called threats. Threats are, therefore, individual elements or properties of the environment, which can have a detrimental effect on resources and thus on the functioning of the process.
A source can be affected by one or more threats. The likelihood of a particular risk materializing also depends on how vulnerable the source in question is. Vulnerability, however, is a set of resource and protection properties that already exist for a resource.

Risk identification

The identification of risks according to the approach described so far can follow the following steps:

1. We determine the processes for which we want to identify risks
2. We divide the processes into smaller units – activities
3. We determine all the necessary resources for the activities to operate
4. For each source in an individual activity, we identify threats that make sense in terms of the environment, area and impact on the operation of the activity

From the obtained data, we compile a list of risks, which we will evaluate and classify in the next phases of the risk management process, select unacceptable ones from them and also address the latter. The goal is to bring unacceptable risks to an acceptable level in some way.

Key findings

We can summarize the following:

1. Risk identification can be approached in several ways, one of which is to ask ourselves the question: what risks can we identify based on our experience and knowledge.
2. Risk identification can also be undertaken by systematically analyzing our business processes and, on the basis of known threats, identifying risks on the basic building blocks of business.
3. The process of risk identification and overall risk management is carried out to the extent we manage and by repeating the scope we expand and improve the results.
4. Good practices and existing knowledge should help us, which is largely true in the field of information risk management; it also pays to rely on established international standards.


1Deming’s circle is an iterative method of four steps of continuous improvement: 1. Plan 2. Execute 3. Check 4. Take action; with each repetition, we improve the results and are closer to the set goal.


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.