23.2 Risk Assessment


Assessing risks means knowing which assets are vulnerable and require protection.
By assessing the risks at your organization, you can determine the most effective set of controls for protecting its assets.
The main role of risk assessment is to determine the level of risk to the firm.
Some risks cannot be anticipated or measured, but most businesses can gain an understanding of the risks they face, such as the value of their information assets, their points of vulnerability, and the potential for data destruction.
As an example, Table 23.2 illustrates sample results of a risk assessment for an online order processing system that processes 30,000 orders per day.
The likelihood of each exposure occurring over a one-year period is expressed as a percentage.
The next column shows the highest and lowest possible loss that could be expected each time the exposure occurred, and an average loss calculated by adding the highest and lowest figures together and dividing by two.
The expected annual loss for each exposure is then determined by multiplying the average loss by its probability of occurrence.




Figure 23.2 Online Order Processing Risk Assessment

As shown, the probability of a power failure occurring in a one-year period is 30 percent.
Loss of order transactions while power is down could range from $5,000 to $200,000 for each occurrence, depending on how long processing is halted.
The probability of embezzlement occurring over a yearly period is about 5 percent, with potential losses ranging from $1,000 to $50,000 for each occurrence.
User errors have a 98 percent chance of occurring over a yearly period, with losses ranging from $200 to $40,000 for each occurrence.
Once the risks to the firm have been assessed, controls can be put in place to minimize the risk of power failures and user errors, lowering the anticipated annual losses.
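The calculation described above (average loss = (highest + lowest) / 2, expected annual loss = average loss × probability) is worked through here for the three exposures in the online order processing example. This is an added example, not part of the original text; the `Exposure` class, the function names, and the tabular output format are assumptions made for the illustration, while the probabilities and loss ranges are the figures quoted in the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One row of a risk assessment: an exposure and its loss characteristics."""
    name: str
    probability: float   # likelihood of occurring in a one-year period, 0.0 to 1.0
    low_loss: float      # lowest loss per occurrence, in dollars
    high_loss: float     # highest loss per occurrence, in dollars

    def __post_init__(self):
        # Reject inputs that would make the expected-loss figures meaningless.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.low_loss < 0 or self.high_loss < self.low_loss:
            raise ValueError(f"{self.name}: loss range must satisfy 0 <= low <= high")

    def average_loss(self) -> float:
        # Average loss per occurrence: add the highest and lowest figures and divide by two.
        return (self.low_loss + self.high_loss) / 2

    def expected_annual_loss(self) -> float:
        # Expected annual loss: average loss multiplied by the probability of occurrence.
        return self.average_loss() * self.probability


# Figures from the page's online order processing example (30,000 orders per day).
ONLINE_ORDER_EXPOSURES = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]


def assess(exposures):
    """Return (name, probability, average loss, expected annual loss) rows,
    ordered so the exposure with the largest expected annual loss comes first.
    That ordering is the priority list for where controls should be applied."""
    rows = [(e.name, e.probability, e.average_loss(), e.expected_annual_loss())
            for e in exposures]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def total_expected_annual_loss(exposures):
    """Sum of expected annual losses across all exposures."""
    return sum(e.expected_annual_loss() for e in exposures)


def format_table(exposures):
    """Render the assessment as a plain-text table resembling the page's figure."""
    lines = [f"{'Exposure':<15}{'Prob.':>7}{'Avg. loss':>14}{'Exp. annual loss':>20}"]
    for name, prob, avg, eal in assess(exposures):
        lines.append(f"{name:<15}{prob:>7.0%}{avg:>14,.2f}{eal:>20,.2f}")
    lines.append(f"{'Total':<36}{total_expected_annual_loss(exposures):>20,.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(ONLINE_ORDER_EXPOSURES))
```

Running the block prints the three exposures ranked by expected annual loss, which is the figure a control-selection decision rests on: an exposure that is rare but catastrophic (embezzlement) can rank below one that is cheap per incident but almost certain (user error). The input validation in `__post_init__` catches the two mistakes that most often distort such a table, a probability entered as a percentage rather than a fraction and a loss range entered backwards.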