How to Build a Risk Assessment Program from Scratch | Arté
A practical step-by-step guide to building an information security risk assessment program — from choosing a framework and approach to scoring risks and trackin
Arté Team · 2026-02-07
Every organization handles sensitive data, relies on technology, and faces cyber threats, but not every organization has a structured way of understanding and managing those risks. A risk assessment program is the foundation of any serious information security effort. It's how you move from reacting to incidents to proactively managing your security posture. If you're starting from scratch, this guide walks you through the key steps to build a program that's practical, defensible, and scalable.

Step 1: Choose a Framework

A framework gives your program structure and credibility. You don't need to invent your own methodology; established frameworks exist for exactly this purpose:

- ISO 27001: The international standard for information security management systems, certifiable by accredited auditors. Widely recognized, especially in Europe and in regulated industries.
- NIST Cybersecurity Framework (CSF): Flexible and widely adopted, particularly in North America. Organized around the functions Identify, Protect, Detect, Respond, and Recover (CSF 2.0 adds Govern).
- SOC 2: Common for SaaS and technology companies. Strictly an attestation report against the AICPA Trust Services Criteria rather than a management-system standard, but those criteria still expect a documented risk assessment.
- NIS 2 Directive: EU legislation that is mandatory for essential and important entities. It requires risk-management measures but does not prescribe a methodology, so you still need one of the frameworks above to do the actual work.

Pick the framework that aligns with your industry, geography, and regulatory requirements. If you're unsure, ISO 27001 or NIST CSF are solid starting points that map well to most compliance needs.

Step 2: Choose Your Approach: Asset-Based or Risk-Based (Scenario-Based)

Before diving in, you need to decide how you'll identify risks. There are two main approaches, and the choice significantly affects how quickly you can get started.

Asset-Based Approach

The traditional method. You start by building a comprehensive inventory of your information assets (databases, servers, applications, endpoints, cloud services) and then identify threats and vulnerabilities for each asset. This approach is thorough and gives you a clear mapping of which risks affect which assets.
The downside: it requires building and maintaining an asset database before you can even begin assessing risks. For organizations without mature IT asset management, this prerequisite alone can delay the program by weeks or months.

Risk-Based (Scenario-Based) Approach

The alternative is to start directly with risks. You select a framework category (such as Access Control, Data Security, or Network Security), identify the risk scenarios relevant to that category, and then assign threat sources and vulnerabilities to each. No asset inventory is required as a prerequisite.

This approach is more accessible, especially for small and mid-sized organizations or teams building their first program. It lowers the barrier to entry: you can start assessing risks on day one rather than spending weeks cataloguing assets first. It also aligns naturally with how frameworks like ISO 27001 and NIST CSF organize their control domains. As you record each scenario, note the systems it touches; that list becomes a lightweight asset register as a by-product, and you will need it anyway when you assign control owners.

Both approaches are valid and widely used. ISO/IEC 27005:2022 recognises them as the two standard methods for risk identification, under the names asset-based and event-based. If your organization already maintains a detailed asset register, the asset-based approach may add value. If you're starting from scratch and want to move quickly, the risk-based (scenario-based) approach gets you to actionable results faster.

Step 3: Define Your Scope

Don't try to assess everything at once. Define clear boundaries:

- Which business units, departments, or locations are included?
- Which systems and processes are in scope?
- What types of data are you protecting (personal data, financial records, intellectual property)?

A well-defined scope prevents the program from becoming overwhelming and ensures your first assessment delivers actionable results.

Step 4: Identify Risks, Threats, and Vulnerabilities

With your scope defined, start identifying risks within each framework category.
Threats are the sources of potential harm: external attackers, ransomware, insider threats, natural disasters, supply chain compromises, and more. Consider both deliberate attacks and accidental events.

Vulnerabilities are the weaknesses that threats can exploit: unpatched software, weak passwords, missing encryption, lack of security training, inadequate access controls.

The combination of a relevant threat and an exploitable vulnerability is what creates risk. A vulnerability with no credible threat is low priority. A threat with no exploitable vulnerability is theoretical. Focus your attention on the combinations that are both realistic and consequential.

Step 5: Score Likelihood and Impact

For each identified risk, assess two dimensions:

- Likelihood: How probable is it that this risk will materialize? Consider the threat landscape, your current controls, and historical data.
- Impact: If it does happen, how severe would the consequences be? Consider financial loss, operational disruption, reputational damage, and regulatory penalties.

A common convention is a 5x5 risk matrix (scales of 1-5 for both likelihood and impact), multiplying the two to produce a risk score from 1 to 25. ISO 27001 and NIST CSF do not mandate a particular scale; the matrix and its thresholds are your own methodology decision, so write them down. The score then maps onto four risk levels:

- Low (1-4): Acceptable, monitor periodically
- Medium (5-9): Manage with standard controls
- High (10-14): Requires prompt attention and dedicated controls
- Critical (15-25): Immediate action required

Two things to be clear about when you define the scale. First, the product of two 1-5 ratings can only take 14 distinct values, so the bands above are ranges, not a promise that every score between 1 and 25 occurs. Second, state in words what each rating means (for example, likelihood 5 = expected within a year, impact 5 = regulatory fine or loss of a major customer) before anyone scores anything; otherwise two assessors will rate the same risk differently and the register will not be comparable from one review to the next.

Avoid gut-feeling scoring. Use threat intelligence, vulnerability data, incident history, and industry benchmarks to inform your ratings. The more evidence-based your scoring, the more defensible your risk decisions become.
Step 6: Plan Your Risk Treatment

For each risk above your acceptable threshold, decide on a treatment strategy:

- Mitigate: Apply controls to reduce likelihood or impact (most common)
- Transfer: Shift part of the risk to a third party (insurance, outsourcing). Transfer rarely moves the whole risk: an insurer covers some of the financial impact, but the reputational and regulatory consequences stay with you.
- Avoid: Eliminate the activity that creates the risk
- Accept: Acknowledge the risk and monitor it (requires documented management approval)

For risks you choose to mitigate, define specific controls: technical measures (firewalls, encryption, MFA), administrative measures (policies, training), or physical measures (access controls, surveillance). Track implementation status and assign ownership.

Step 7: Calculate Residual Risk

After applying controls, re-score likelihood and impact. The result is your residual risk: the level of risk that remains after treatment. No combination of controls eliminates risk entirely; the goal is to reduce it to an acceptable level. Until a control is actually implemented and verified, the residual score is still the inherent score, so don't credit controls that exist only on a plan. If residual risk is still too high, you need additional controls or a different treatment strategy.

Step 8: Document and Review

A risk assessment is not a one-time exercise. Document your findings, decisions, and treatment plans. Establish a review cycle:

- Quarterly reviews for high and critical risks
- Annual reviews for the full risk register
- Event-triggered reviews when significant changes occur (new systems, incidents, regulatory changes)

Your risk assessment program should evolve as your organization grows, your threat landscape changes, and your controls mature.

Getting Started

The hardest part of building a risk assessment program is starting. Don't wait for perfection: begin with your most critical risks, build the discipline of structured assessment, and expand from there.

A well-run risk assessment program doesn't just satisfy auditors. It gives your leadership team real visibility into what could go wrong and confidence that the right measures are in place.
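The scoring, treatment, residual-risk and review rules from Steps 5 through 8, carried through in code as an added example. This is not Arté's product code. The score bands are the article's 5x5 matrix; the risk appetite ("Medium" and below is acceptable), the day counts behind "quarterly" and "annual", and the three register entries are assumptions constructed for the example, not real findings.

```python
"""Minimal risk register for Steps 5 to 8: scores risks, checks treatment
decisions, computes residual risk and flags overdue reviews.
Added for this article; not Arté's own code. Appetite, review day counts
and the sample entries are assumed values."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Inclusive score bands from Step 5. Likelihood x impact on 1..5 scales yields
# only 14 distinct values (no 7, 11, 13, 14, 17-19 or 21-23), so the bands are
# ranges rather than an exhaustive list of scores.
LEVELS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Critical"))
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Review cadence from Step 8; the day counts are an assumption of this example.
REVIEW_DAYS = {"Low": 365, "Medium": 365, "High": 91, "Critical": 91}
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}


def score(likelihood: int, impact: int) -> int:
    """Step 5: likelihood x impact. Rejects ratings outside the 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def level(risk_score: int) -> str:
    """Map a 1..25 score onto the four levels."""
    for low, high, name in LEVELS:
        if low <= risk_score <= high:
            return name
    raise ValueError(f"score {risk_score} is outside 1..25")


@dataclass
class Risk:
    rid: str
    category: str                 # framework category (scenario-based approach)
    scenario: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: str
    treatment: str = "mitigate"
    controls: list[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # re-scored after treatment (Step 7)
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None           # management sign-off for "accept"
    last_reviewed: Optional[date] = None

    def inherent_score(self) -> int:
        return score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        """Until a risk has been re-scored after treatment, residual = inherent."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_score()
        return score(self.residual_likelihood, self.residual_impact)


def evaluate(risk: Risk, appetite: str, today: date) -> dict:
    """Apply the program's rules to one risk and return the findings."""
    inherent = level(risk.inherent_score())
    residual = level(risk.residual_score())
    issues = []
    if risk.treatment not in TREATMENTS:
        issues.append("unknown treatment")
    if risk.treatment == "mitigate" and not risk.controls:
        issues.append("mitigate chosen but no controls defined")
    if risk.treatment == "accept" and not risk.accepted_by:
        issues.append("accepted risk lacks management approval")
    above_appetite = LEVEL_RANK[residual] > LEVEL_RANK[appetite]
    if above_appetite and not (risk.treatment == "accept" and risk.accepted_by):
        issues.append("residual risk above appetite: add controls or change treatment")
    # Review cadence keyed on the residual level (a choice made by this example).
    due = (risk.last_reviewed is None
           or today - risk.last_reviewed > timedelta(days=REVIEW_DAYS[residual]))
    return {"inherent": inherent, "residual": residual, "review_due": due, "issues": issues}


def assess_register(register: list[Risk], appetite: str, today: date) -> dict[str, dict]:
    return {r.rid: evaluate(r, appetite, today) for r in register}


# Constructed sample register: illustrative entries, not real findings.
TODAY = date(2026, 2, 7)
REGISTER = [
    Risk("R-001", "Access Control", "Leaked credentials reused against the VPN",
         "external attacker", "no MFA on VPN", 4, 5, "IT Ops", "mitigate",
         ["MFA on VPN", "credential-stuffing alerting"], 2, 5,
         last_reviewed=date(2025, 9, 1)),
    Risk("R-002", "Data Security", "Laptop holding customer data is lost",
         "accidental loss", "unencrypted disks", 3, 4, "IT Ops", "mitigate",
         ["full-disk encryption"], 3, 1, last_reviewed=date(2026, 1, 15)),
    Risk("R-003", "Network Security", "Legacy FTP server reachable from the internet",
         "external attacker", "cleartext FTP", 3, 3, "Infrastructure", "accept",
         last_reviewed=date(2026, 1, 15)),
]

if __name__ == "__main__":
    for rid, findings in assess_register(REGISTER, "Medium", TODAY).items():
        print(rid, findings)
```

Running it shows the three situations the article describes: R-001 is Critical inherently, drops to High after MFA but is still above a Medium appetite and overdue for its quarterly review; R-002 drops from High to Low because encryption removes most of the impact; R-003 has been accepted but carries no management sign-off, so it is flagged rather than silently closed.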