Being Aware is Being Prepared

Regular risk assessments are a fundamental part of any substantive risk management process. They help you arrive at an acceptable level of risk while drawing attention to any required control measures. If you don’t assess your risks, they cannot be properly managed, and business is left exposed. The risk assessment process is continual, and should be reviewed regularly to ensure your findings are still relevant. A successful risk assessment process is one that helps you cost-effectively reduce risks and is aligned with your business goals.

Tyler can help you conduct risk assessments on any application, function, or process, including:

Tyler's Collaborative Approach

The Tyler approach to assessing risk is to concentrate on the functionality, the flow of information, and the underlying technology of the defined area. Our methodology is based upon NIST 800-30 Guidance and adapted by us to meet any applicable regulatory or compliance standards. We employ a multi-step process to determine risk level, and if required, appropriate remediation recommendations. Our risk assessment is designed to evaluate the current level of risk, as well.

1. Define the process and service components, and determine viable threats related to the delivery of associated products and services.
   
   
2. Measure the organizational impact if the threat were to be exercised.
   
   
3. Determine the relationship between the significant threats and relevant categories of threat prevention, mitigation, detection, or compensating controls.
   
   
4. Evaluate the adequacy of the controls in each category. The assessment does not include audit or testing of controls.
   
   
5. Determine how likely the threat is to occur, taking into account the control environment.
   
   
6. Calculate the risk level using the quantitative methodology defined in the National Institute of Standards & Technology (NIST) Special Publication 800-30. The NIST methodology considers potential impact and likelihood of occurrence.
   
   
7. Align the threat control categories and NIST risk calculations with the following defined risk categories:
• Strategic risk related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
• Reputational risk related to negative public opinion.
• Operational risk related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
• Transactional risk related to problems with service or product delivery.
• Compliance risk related to violations of laws, rules, or regulations, or from noncompliance with internal policies, procedures, or business standards.
8. Document the residual risk to the organization per risk category, as defined above.
   
   
9. Document risk reduction and security enhancement recommendations.

Reports and Deliverables

The report consists of an Executive Synopsis which provides an accurate picture of the risks associated with the system, application, function, or process included within the engagement. All supporting findings and control details are provided along with any applicable recommendations to reduce risk and/or enhance the security posture of your organization.

Sections include:

• Executive Synopsis
• Section 1: Findings and Recommendations (including management responses, as appropriate)
• Section 2: Risk Assessment Calculations
• Section 3: Control Detail by Category

This report can serve as a foundational document for annual updates, as well as a template for future assessments.