Oskars Podziņš, Andrejs Romānovs

Last modified: 05.06.2017


There are numerous methods for the risk identification and risk assessment phases. For risk identification these include the historical and systematic approaches and inductive or theoretical analysis. One of the main reasons risk identification is so helpful is that in many cases it provides the justification for a large IT investment or other large undertaking; without it, an organization would probably be unable to reach a conclusion. In this phase the business also recognizes the threats, vulnerabilities, and assets associated with its IT systems. Together with the risk assessment phase, the risk management specialist is responsible for determining the asset value (the value of the asset the business is protecting) and the risk acceptance level.

Risk assessment, on the other hand, examines the impact or consequence of an adverse event and evaluates the likelihood or probability of that event happening. Risk assessment includes methods such as Bayesian analysis, bow tie analysis, brainstorming or structured interviews, business impact analysis, cause-and-consequence analysis, cause-and-effect analysis, the Delphi method, event tree analysis, fault tree analysis, hazard analysis, hazard and operability (HAZOP) studies, and the structured what-if technique (SWIFT). Risk assessment has two distinct assessment types: quantitative and qualitative. Quantitative assessment tries to put a monetary value on all risks. Qualitative assessment instead rates them on a range of values such as low, medium, and high. The results of these phases are documented in the risk assessment report and reported to senior management.
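As an added illustration, not code from the paper: the Python below runs both assessment types over a small constructed risk register and checks each result against the business's acceptance level, so the two can be compared risk by risk. The monetary model (asset value times exposure factor gives the single loss expectancy, times the annual rate of occurrence gives the annualized loss expectancy) and the 3x3 likelihood-impact matrix are standard formulations assumed here; the abstract names neither. Names such as Risk, assess and SAMPLE_RISKS are the example's own.

```python
"""Quantitative and qualitative risk assessment side by side (added example)."""
from dataclasses import dataclass

# Qualitative scale used by the example; the abstract only names the levels.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset being protected, in currency units
    exposure_factor: float  # fraction of the asset value lost per event (0.0 - 1.0)
    annual_rate: float      # expected number of events per year
    likelihood: str         # qualitative likelihood: low / medium / high
    impact: str             # qualitative impact: low / medium / high


def single_loss_expectancy(risk: Risk) -> float:
    """Monetary loss expected from one occurrence of the adverse event."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """Expected loss per year: loss per event times events per year."""
    return single_loss_expectancy(risk) * risk.annual_rate


def quantitative_decision(risk: Risk, acceptance_level: float) -> str:
    """Treat the risk when its expected annual loss exceeds the accepted level."""
    return "treat" if annualized_loss_expectancy(risk) > acceptance_level else "accept"


def qualitative_rating(risk: Risk) -> str:
    """Combine likelihood and impact on a 3x3 matrix into a low/medium/high rating."""
    score = LEVELS[risk.likelihood] * LEVELS[risk.impact]  # 1..9
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def qualitative_decision(risk: Risk, max_accepted: str) -> str:
    """Treat the risk when its rating is above the highest rating the business accepts."""
    above = LEVELS[qualitative_rating(risk)] > LEVELS[max_accepted]
    return "treat" if above else "accept"


def assess(risks, acceptance_level, max_accepted):
    """One report row per risk with both assessment results, for the risk assessment report."""
    rows = []
    for r in risks:
        rows.append({
            "risk": r.name,
            "sle": single_loss_expectancy(r),
            "ale": annualized_loss_expectancy(r),
            "quantitative": quantitative_decision(r, acceptance_level),
            "rating": qualitative_rating(r),
            "qualitative": qualitative_decision(r, max_accepted),
        })
    return rows


def disagreements(rows):
    """Risks on which the monetary and the low/medium/high assessments reach different decisions."""
    return [row["risk"] for row in rows if row["quantitative"] != row["qualitative"]]


# Constructed sample register; all figures are illustrative, not from the paper.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 200_000, 0.5, 0.2, "medium", "high"),
    Risk("Laptop theft", 2_000, 1.0, 3.0, "high", "low"),
    Risk("Data centre fire", 1_500_000, 0.8, 0.01, "low", "high"),
]

if __name__ == "__main__":
    # Acceptance level of 10,000 per year; qualitatively, "medium" is the highest accepted rating.
    report = assess(SAMPLE_RISKS, acceptance_level=10_000, max_accepted="medium")
    for row in report:
        print(f"{row['risk']:<28} ALE={row['ale']:>10,.0f}  "
              f"quantitative={row['quantitative']:<6} rating={row['rating']:<6} "
              f"qualitative={row['qualitative']}")
    print("disagreements:", disagreements(report))
```

With these constructed figures the two assessment types agree on the ransomware and laptop risks but not on the data centre fire: its low likelihood pulls the qualitative rating down to "medium" (accepted), while the large loss per event keeps the annualized loss above the monetary acceptance level (treat). That is the case a practitioner wants both views for, since rare, high-impact events are exactly where a coarse low/medium/high scale can under-rate what a monetary estimate still flags.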


Keywords: IT risk; risk identification methodology; risk assessment methodology; risk practitioner; qualitative risk; quantitative risk


ERDF co-funded project "Funding of international projects in research and innovation at Rezekne Academy of Technologies" No.