Risk Identification

Now that you have identified your assets, it is time to consider the potential risks affecting your organization.

It may help to group risks into the following categories:

  • Human - deliberate or accidental actions by people, both internal and external to the organization
  • Forces of Nature - destructive natural occurrences such as floods, earthquakes, and tornadoes
  • Infrastructure - loss of critical infrastructure, such as power, water, or telecommunications
  • Technology - system problems, such as hardware, software, or network failures

You will be identifying risks specific to the assets you have listed, but it may help to first list the general risks you feel are applicable, so that none are missed in the final analysis. The Risk Identification Form contains the categories of risks noted above, along with some examples for each category. Consider whether the examples are risks for your organization, and then add any other risks you feel are also applicable.

For more ideas, see the Glossary, which includes definitions of a variety of different threats.

Form: Risk Identification Form