Identify, Assess, Mitigate Risks

How to Identify, Assess, and Mitigate Potential Risks, Opportunities, and Adverse Effects

Knighthood works with our customers to help them choose the maturity level that best suits their needs. We assess the potential risks, opportunities, and adverse effects, and help them devise strategies to mitigate them.

Enhanced

  • Your people and relevant service providers actively contribute to identifying, managing, and reporting on protective security risks
  • Well-defined, best-practice, and efficient risk identification and assessment processes are accepted and integrated into business functions across your organisation. These processes cover vulnerabilities and threats
  • Security leaders engage continuously with business units to support them in following best practice and improving risk measures
  • Your business processes are designed to reduce security-related risks with security considerations embedded into change management processes

Managed

  • You have fit-for-purpose security risk management measures in place that align with the standards set out in the PSR, and with your organisation’s broader risk management approach
  • You periodically review your protective security risks and threats, including scanning the environment for emerging risks
  • Protective security risks are overseen and actively managed as part of your strategic or enterprise risk management framework
  • The most appropriate business units take ‘hands-on’ ownership of individual security risks and issues
  • Your security leaders coordinate risk management plans and ensure measures are applied consistently across different areas affected by the same types of risks
  • Your people understand and accept that security risk management is an important part of protecting them and the continuity of your business functions
  • Your security risk management requirements are effectively, consistently, and verifiably met by your service providers
  • You are proactive in identifying and assessing protective security risks before issues occur, which your people perceive as adding value
  • You have requirements in place to consider security risks and issues in the design phase for all processes and systems

Basic

  • You have some understanding of the threats, risks, and vulnerabilities that affect the protection you need for your people, information, and assets
  • You have some security risk mitigations and other measures in place; however, they’re not yet comprehensive, well documented, or tracked over time
  • Your security risk definitions are often generic and not analysed in enough detail to be useful
  • Your focus is mainly on mitigating a few high-profile security risks
  • There is at least some relationship between your protective security functions and wider risk management functions
  • You occasionally update your risk assessments, but this may be viewed as simply a compliance requirement
  • You consider security risks and issues when designing and redesigning key business processes and systems; however, it’s not compulsory

Informal

  • You have no structured or consistent mechanisms in place for identifying, assessing, monitoring, or reporting on protective security threats and risks, so you can’t be confident you understand them
  • You have no planned measures in place to mitigate protective security risks
  • Your people’s awareness of protective security threats and risks is generally poor
  • Protective security functions are neither linked to, nor integrated with, your organisation’s overall risk management framework
  • You have no processes for ensuring your security risks and issues are considered when designing or reviewing processes