
Step 3: Conduct a Risk Assessment

Risk Assessments Set The Stage


You can't protect what you don't understand

Why a Risk Assessment is Non-Negotiable

A risk assessment identifies the critical assets within your organization and evaluates the threats, vulnerabilities, and potential business impact if something goes wrong.

Whether you’re pursuing HIPAA, SOC 2, ISO 27001, or NIST CSF, a risk assessment is foundational. It’s not just a compliance checkbox—it’s your strategic blueprint for security.

Where Organizations Go Wrong

  • They treat risk like a one-time Excel exercise
  • They don't properly grade "likelihood" and "impact"
  • They neglect to involve leadership or business owners
  • They run risk in isolation from their compliance program

Anatomy of a High-Impact Risk Assessment

A strong risk assessment should influence the controls you prioritize, inform your policies, and drive your compliance program. Make sure your risk assessments are:

⚖️ Quantifiable
Scores each threat by likelihood and impact to drive prioritized action.

📊 Accountable
Connects risks to controls, policies, and evidence, then assigns scores and ownership.

🙌 Collaborative
Not just owned by IT, but involving HR, legal, ops, etc.

🔗 Integrated
Directly tied into your GRC platform, not buried in a spreadsheet.

⚙️ Dynamic
Something you can update when systems, vendors, or regulations change.

🔍 Evidence-based
Supports your audit with clear logic on why your controls exist.

Steps to a Successful Risk Assessment


Choose a Risk Methodology

Start with a simple framework like NIST CSF and scale from there. 

Inventory Your Assets

What systems, data, and processes are critical to your business and customer trust?

Identify Threats and Vulnerabilities

What could go wrong — human error, third-party failures, ransomware, etc.?

Evaluate Likelihood and Impact

Score each risk based on potential damage and how likely it is to happen.

Map to Controls

Link each risk to specific controls (existing or missing) across your framework.

Assign Ownership and Review

Assign accountability for each risk. Then review at least annually or whenever changes occur.
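The six steps above (inventory, threats, likelihood and impact scoring, control mapping, ownership and review) can be captured in a small risk register that scores and ranks each risk and flags the gaps this page warns about: a risk with no owner, a risk with no control mapped, or a risk whose review is overdue. The following Python is an added example, not code from the original page or from any GRC product; the 1-5 scales, the rating thresholds, the asset names, the control names and the dates are all constructed for illustration, and your chosen methodology's own definitions should replace them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Ordinal scales for the two scoring axes (constructed 1-5 scales; substitute
# the likelihood/impact definitions from your own risk methodology).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str                          # what is at stake (inventory step)
    threat: str                         # what could go wrong (threat step)
    likelihood: str                     # key into LIKELIHOOD (scoring step)
    impact: str                         # key into IMPACT (scoring step)
    owner: Optional[str] = None         # accountable person (ownership step)
    controls: List[str] = field(default_factory=list)  # mapped controls (mapping step)
    last_reviewed: Optional[date] = None               # last review date (review step)

    def score(self) -> int:
        """Likelihood x impact: the usual qualitative risk-matrix product (1-25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Bucket a 1-25 score into bands for prioritisation (thresholds are constructed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first, so treatment effort goes to the top of the list."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def findings(register: List[Risk], today: date, review_days: int = 365) -> List[Tuple[str, str]]:
    """Flag accountability gaps: no owner, no control mapped, or a stale review."""
    out: List[Tuple[str, str]] = []
    for r in register:
        if not r.owner:
            out.append((r.asset, "no owner assigned"))
        if not r.controls:
            out.append((r.asset, "no control mapped"))
        if r.last_reviewed is None or (today - r.last_reviewed) > timedelta(days=review_days):
            out.append((r.asset, "review overdue"))
    return out


# Constructed sample register: assets, controls, owners and dates are illustrative only.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Risk("customer PHI database", "ransomware", "likely", "severe",
         owner="CISO", controls=["offline backups", "MFA on admin access"],
         last_reviewed=TODAY - timedelta(days=10)),
    Risk("payroll SaaS vendor", "third-party breach", "possible", "major",
         owner=None, controls=["vendor due-diligence review"],
         last_reviewed=TODAY - timedelta(days=400)),
    Risk("office wifi", "misconfiguration by staff", "unlikely", "minor",
         owner="IT lead", controls=[],
         last_reviewed=TODAY - timedelta(days=30)),
]


def report(register: List[Risk], today: date) -> List[str]:
    """Human-readable lines: ranked risks, then the gaps that need action."""
    lines = [f"{r.score():>2} {rating(r.score()):<6} {r.asset} / {r.threat}"
             for r in rank(register)]
    lines += [f"GAP {asset}: {issue}" for asset, issue in findings(register, today)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER, TODAY)))
```

Running the script prints the three risks ranked 20/12/4 (high, medium, low) followed by the gaps: the vendor risk has no owner and its review is more than a year old, and the wifi risk has no control mapped. Keeping the register as data rather than a spreadsheet is what makes it "dynamic" and "integrated": re-running the report after a system, vendor or regulation change immediately shows what has fallen out of date.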

Identify the Gaps

Once you understand your risks, it’s time to see how your current security controls measure up. 

Your next step is to evaluate where your program stands against your chosen framework(s) and build a prioritized remediation plan.

Develop Your Gap Assessment