Risk assessment is defined by ISO/IEC Guide 73 (the International Organization for Standardization and the IEC) as the overall process of risk analysis and risk evaluation, that is, identifying events that, if they occur, might adversely affect the achievement of goals and objectives, and then analysing and evaluating them. Risk assessment allows an entity to consider the extent to which potential events affect the achievement of its objectives. Management assesses events from two perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent basis (before any risk response is applied) and a residual basis (after mitigation strategies and controls have been applied).
Vulnerability Assessment Process
Vulnerability refers to the susceptibility of the entity to a risk event in relation to the entity’s preparedness, agility, and adaptability. Vulnerability is related to both impact and likelihood: the more vulnerable the entity is to a risk, the greater the impact will be should the event occur, and if controls and risk responses are weak, the likelihood that the event materialises increases. Assessing vulnerability lets an entity gauge how well it is managing its risks.
A vulnerability assessment is the process designed to identify, quantify and prioritize the areas in which a system, organization or supply chain is particularly open to risk or attack. In other words, it is a form of risk assessment specifically designed to identify weak points in the risk profile. Vulnerability assessments are often performed on IT systems, energy and water supply systems, and transportation and logistics systems.
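The following is an added worked example (not part of the original text, and not an artefact of ISO/IEC Guide 73) that ties together the two ideas above: scoring each risk on likelihood and impact on an inherent basis and again on a residual basis after controls are applied, and then prioritizing the weak points of the risk profile by residual exposure. The five-band likelihood and impact scales, the control model (an effective control removes a fixed number of bands), the vulnerability ratio, and the sample register entries are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed qualitative bands mapped to ordinal scores (5-point scales; not from the page).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A risk response. Assumed model: when effective, it lowers the
    likelihood and/or impact band by a fixed amount; when ineffective it
    contributes nothing, which is how weak controls leave likelihood high."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    effective: bool = True


@dataclass
class Risk:
    event: str
    likelihood: str          # key into LIKELIHOOD
    impact: str              # key into IMPACT
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any risk response is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Likelihood x impact after effective controls are applied.
        Bands are floored at 1: a control can reduce a risk, not erase it."""
        l = LIKELIHOOD[self.likelihood]
        i = IMPACT[self.impact]
        for c in self.controls:
            if c.effective:
                l -= c.likelihood_reduction
                i -= c.impact_reduction
        return max(l, 1) * max(i, 1)

    def vulnerability_ratio(self) -> float:
        """Share of inherent exposure that remains unmitigated (assumed
        measure of how open the entity still is to this event): 1.0 means
        the responses are doing nothing."""
        return self.residual_score() / self.inherent_score()


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by residual exposure; ties broken by inherent exposure."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def build_register() -> list[Risk]:
    """Constructed sample register for illustration only."""
    return [
        Risk("Ransomware on file servers", "likely", "major", [
            Control("Offline, tested backups", impact_reduction=2),
            Control("EDR on all endpoints", likelihood_reduction=1),
        ]),
        Risk("Supplier breach exposes customer data", "possible", "severe", [
            # A control that exists on paper but is not actually performed.
            Control("Annual vendor security review", likelihood_reduction=1, effective=False),
        ]),
        Risk("Flood at primary data centre", "rare", "severe"),
    ]


if __name__ == "__main__":
    for r in prioritize(build_register()):
        print(f"{r.event:45s} inherent={r.inherent_score():2d} "
              f"residual={r.residual_score():2d} vulnerability={r.vulnerability_ratio():.2f}")
```

Note that the supplier risk comes out on top even though the ransomware event has the higher inherent score: its only control is ineffective, so its residual exposure equals its inherent exposure and its vulnerability ratio is 1.0, which is exactly the "weak point in the risk profile" the text describes.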