One of the few analyses that are overlooked in most IT departments is a comprehensive risk assessment.

A risk assessment should identify, analyze, and weigh all the potential risks, threats and hazards to a company’s internal and external business environment. 

The process of identifying risks/threats, probability of occurrence, the vulnerability to each risk/threat and the potential impact that could be caused, is necessary to prepare preventative measures and create recovery strategies.  Risk identification provides a number of other advantages to a company including: 

• Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
• Identifies where preventative measures are lacking or need reevaluation
• Can point out the importance of contingency planning to get staff and management on board
• Will assist in documenting interdependencies and point out single points of failures

An effective risk management process is an important component of a company’s MIS department. The principal goal is to protect a company and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT, but as an essential management function of the organization.

Risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This assessment provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help a company better manage IT-related mission risks.