
Step 4: Conduct a Risk Assessment

Understand Your Risks & Take Action


You can't protect what you don't understand


Why a risk assessment is non-negotiable

A risk assessment identifies the critical assets within your organization and evaluates the threats, vulnerabilities, and potential business impact if something goes wrong.

Whether you’re pursuing HIPAA, SOC 2, ISO 27001, or NIST CSF, a risk assessment is foundational. It’s not just a compliance checkbox—it’s your strategic blueprint for security.

Risk Assessment Warning Signs

Signs that an organization's risk assessment is not doing its job:

  • Risk is treated as a one-time Excel exercise rather than a living register

  • "Likelihood" and "impact" are not graded on a defined, consistent scale

  • Leadership and business owners are not involved, so risks have no real owner

  • Risk is run in isolation from the compliance program instead of driving it

Anatomy of a High-Impact Risk Assessment

A strong risk assessment should influence the controls you prioritize, inform your policies, and drive your compliance program. Make sure your risk assessments are:

Quantifiable

Scores each threat by likelihood and impact to drive prioritized action. 


Accountable

Connects each risk to controls, policies, and evidence, then assigns it a score and a named owner.


Collaborative

Not just owned by IT, but involving HR, legal, ops, etc.


Integrated

Directly tied into your GRC platform, not buried in a spreadsheet.


Dynamic

Something you can update when systems, vendors, or regulations change.


Evidence-based

Supports your audit with clear logic on why your controls exist.

Steps to a Successful Risk Assessment


Choose a Risk Methodology

Start with a simple, published methodology such as NIST SP 800-30 (the risk assessment guide that underpins NIST CSF) or a basic Low/Medium/High rating scheme, and scale from there. The method matters less than applying it consistently and documenting it.

Inventory Your Assets

What systems, data, and processes are critical to your business and customer trust?

Identify Threats & Vulnerabilities

What could go wrong — human error, third-party failures, ransomware, etc.? 

Evaluate Likelihood & Impact

Score each risk based on potential damage and how likely it is to happen.

Map to Controls

Link each risk to specific controls (existing or missing) across your framework.

Assign Ownership & Review

Assign a named owner for each risk. Then review the register at least annually, and whenever systems, vendors, or regulations change.
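To make the steps above concrete, here is a minimal risk register in Python that applies the quantitative scoring rule the page describes (likelihood × impact), ranks the results, and runs the accountability and freshness checks an auditor would apply: every risk mapped to a control, owned by someone, and reviewed within the last year. This is an added example, not Ostendio's template or tooling. The 5-point scales, the High/Medium/Low thresholds, the annual review interval, and every risk entry, control ID, owner and date below are constructed assumptions for the demonstration.

```python
"""Minimal risk register: score, rank, and sanity-check risks.

Added illustration, not Ostendio's template or tooling. All risk entries,
control IDs, owners and dates are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

SCALE = range(1, 6)                    # assumed 1..5 scale for likelihood and impact
REVIEW_INTERVAL = timedelta(days=365)  # "at least annually"
DEMO_TODAY = date(2025, 6, 1)          # assumed "today" for the demonstration


@dataclass
class Risk:
    risk_id: str
    asset: str                      # from the asset inventory step
    threat: str                     # what could go wrong
    likelihood: int                 # 1 = rare ... 5 = almost certain
    impact: int                     # 1 = negligible ... 5 = severe
    controls: list[str] = field(default_factory=list)  # mapped control IDs (existing)
    owner: str | None = None
    last_reviewed: date | None = None

    def score(self) -> int:
        """Quantitative score: likelihood x impact, giving a 1..25 range."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(
                f"{self.risk_id}: likelihood and impact must be in "
                f"{SCALE.start}..{SCALE.stop - 1}")
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a numeric score back to the qualitative band used in reports (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by ID so the order is stable and auditable."""
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))


def findings(risks: list[Risk], today: date) -> list[str]:
    """Accountability and freshness checks: unmapped, unowned, or stale risks."""
    out: list[str] = []
    for r in risks:
        if not r.controls:
            out.append(f"{r.risk_id}: no control mapped (treatment gap)")
        if r.owner is None:
            out.append(f"{r.risk_id}: no owner assigned")
        if r.last_reviewed is None:
            out.append(f"{r.risk_id}: never reviewed")
        elif today - r.last_reviewed > REVIEW_INTERVAL:
            out.append(f"{r.risk_id}: review overdue (last {r.last_reviewed.isoformat()})")
    return out


def sample_register() -> list[Risk]:
    """Constructed sample data; not a real organization's register."""
    return [
        Risk("R-001", "Customer database", "Ransomware encrypts production data",
             likelihood=3, impact=5, controls=["BCP-02", "AC-06"], owner="IT Ops",
             last_reviewed=date(2024, 3, 1)),
        Risk("R-002", "Payroll SaaS vendor", "Third-party outage or breach",
             likelihood=2, impact=4, controls=[], owner="HR",
             last_reviewed=date(2024, 9, 15)),
        Risk("R-003", "Shared drive", "Staff email a spreadsheet to the wrong recipient",
             likelihood=4, impact=2, controls=["AT-01"], owner=None,
             last_reviewed=None),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in rank(register):
        print(f"{r.risk_id} score={r.score():>2} {rating(r.score()):6} {r.asset}: {r.threat}")
    for f in findings(register, DEMO_TODAY):
        print("FINDING:", f)
```

Two design points worth copying into a real register: ties are broken deterministically so two people running the report get the same order, and a risk with no mapped control is surfaced as a finding rather than silently scoring the same as a well-controlled one. That is the difference between a spreadsheet and something an auditor can trace.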

Your Risk Management Starter Kit

Grab these core documents to kickstart your risk management program:

Pro Tip: Don’t just slap on your logo - customize these documents to reflect your risks, roles, and reality. Need help? Book a call with an Ostendio professional services expert! 

Sample Risk Management Plan


Outlines how to structure your organization’s approach to managing risk.



Sample Risk Assessment Report


Shows how to document and communicate the results of a risk assessment clearly. 



List of Common Risks


List of risks most organizations face, designed to jumpstart your risk identification process. 


Identify the Gaps

Once you understand your risks, it’s time to see how your current security controls measure up. 

Your next step is to evaluate where your program stands against your chosen framework(s) and build a prioritized remediation plan.

Develop Your Gap Assessment

What We Hear Most Often

Kevin Brown, ISO & Director of Professional Services, Ostendio


Kevin responds to your common questions.

Still not sure where to turn? Schedule a chat with Kevin or one of our GRC experts.

Is a risk assessment required by frameworks?

Yes—almost every major framework (SOC 2, ISO 27001, HIPAA, NIST, etc.) requires a documented risk assessment.

Risk assessments are one of the first things an auditor will ask for, as they set the foundation for the rest of your security and compliance program.

What common methods of risk assessments should I use?

Some teams use simple qualitative ratings (e.g., Low/Medium/High risk), while others use quantitative scoring (i.e., impact × likelihood = risk score).

What matters most is that you apply a consistent approach and document your rationale clearly.

Can I use any risk assessment template for my organization?

Not quite. A good template gives you a head start, but it needs to reflect your unique environment—your systems, vendors, data types, and business priorities.

Ostendio has a structured template (free) you can tailor with input from your security, IT, and leadership teams.
