An IT risk assessment can classify information assets by criticality, sensitivity, and impact on operations. For most entities, comprehensive IT risk evaluations should be iterative and adaptive processes. Therefore, adequate IT risk management normally requires quarterly risk assessments to ensure that established risk tolerance levels are maintained. In addition, risk assessments should be considered whenever there is a change in the entity’s operations or use of technology, or when outside influences affect operations. However, unless mandated by law or regulation, risk assessment costs should not outweigh the benefits derived from managerial due diligence.
“View Part I of the Managing the Dynamic Uncertainties of IT series here”