Best Practices for Risk Assessment

Risk assessments can proceed differently in different organizations. A risk assessment of a web server may look substantially different from an assessment that evaluates HIPAA data. However, several things can be included to help ensure success.

The following list identifies several best practices for risk assessment approaches:

  • Starting with clear goals and a defined scope—A risk assessment should include a scope statement. The scope statement helps keep the assessment on track and prevents scope creep.
  • Enlisting senior management support—Senior management needs to be committed to the risk assessment. Without support, the risk assessment loses value. When risk assessment teams realize the risk assessment isn’t valued, they put less time and effort into it. An assessment without senior managers’ support is almost doomed from the outset.
  • Building a strong risk assessment team—The value of the risk assessment is based on the competence and expertise of the risk assessment team. Team members should have expertise in the system. For example, in performing a qualitative analysis, if data is gathered from personnel who aren’t experts, then their opinions won’t be considered as valuable as data gathered from experts. Team members should also understand the methodology used for the risk assessment.
  • Repeating the risk assessment regularly—Threats, risks, and vulnerabilities are constantly evolving; therefore, a risk assessment should be repeated on a regular basis. Some federal agencies require risk assessments to be repeated at least every three years. Many organizations create a risk assessment policy, which identifies what the organization is expected to do on a recurring basis and defines generic goals for any risk assessments.
  • Defining a methodology to use—By consistently using the same methodology, people become better at it. For example, a company could decide to use qualitative risk assessments on a regular basis. If this is the case, the scales that are used should be defined. When assessments are done the same way repeatedly, they are easier to accomplish and tend to provide higher-quality results.
  • Providing a report of clear risks and recommendations—Every risk assessment should end with a report that identifies the findings, which should be clearly stated. Ensuring that the risks are clearly defined is important. Even more important is to ensure that recommendations are clear. The whole purpose of the risk assessment is ultimately to mitigate risks with recommended controls. If the recommendations aren’t clear, the report loses a significant amount of its value.