An IT risk assessment consists of risk identification and risk analysis. For not-for-profit entities, risk identification includes examining external factors, such as technological developments and economic changes, while also considering internal factors, such as personnel quality, the nature of the entity’s activities, and the characteristics of information processing. Risk analysis, in turn, involves estimating the significance of risks, assessing the likelihood of risks occurring, and considering how to manage the risks. To this end, documenting overall and detailed control perimeters aids in assessing the data and decisions of the risk analysis process.