Risk Identification and risk assessment (risk analysis and risk prioritization) concepts, decisions we take in our private lives, the processes we manage in our business life, companies or organizations within the life cycle of all business processes that occur before the potential risks to identify, estimate and manage these risks by assessing the risks has become one of the most important processes for determining the resources required for the project.

There are many different methods for risk management, risk assessment (risk analysis, risk prioritization) and risk improvement processes related to how risks can be managed according to sectors, standards and requirements in the world.

In this article, I made a very simple, simple and understandable language with the help of a simple, simple and understandable language that everyone in the sector has done before and I can find something for their own process when they read, Risk Identification, Risk Assessment, Risk Improvement. I’ll be talking about a sample process.

Risk; an event that is likely to occur and the effect that will occur if this occurs.

What are the key elements that make up the risk?

Threats that create the likelihood of occurrence of an event and the weaknesses of these threats to emerge are vulnerabilities. So our basic elements are Threats and Vulnerabilities.

So how do we determine our risks?

We need to ask questions and get answers when determining our risks.


What happens, Which event happens if this process does not occur, is interrupted?

The answers to these questions will give us the basic elements that make up the risk, the Threats and the weaknesses that these threats use to emerge. This is the approach in a general risk assessment.

However, we should ask the risk assessment in a way that is appropriate to the essence of these situations, as shown in the case examples below.


1- When assessing risk through Personal Data Processing Inventory that you have prepared in relation to the Protection of Personal Data, the issues required by law should be well understood and the questions should be asked firstly.

What if, under the law on the protection of personal data, in which event the company can take the penalty?

What happens, Which event occurs if personal data, Personal data violation can occur?

What if, in which event, our personal data may be out of the company without permission?

What if, in which event, our personal data can be captured by unauthorized people?

What if, in which event our personal data can be accessed, unauthorized people can be captured?

2- If you are making a risk assessment with respect to the ISO 27001 Information Security Management System, you should make a risk assessment based on the losses of Privacy, Integrity and Accessibility of your Information Assets.

After the inventory of our Information Assets is prepared, we should ask questions that we can evaluate the loss of confidentiality, integrity loss and accessibility of our information through this inventory and we should get answers.


Loss of privacy; What happens, Unauthorized access to our confidential information held on our X server, which event can occur? Can you get in the hands of unauthorized people? Can be captured by unauthorized people? Unauthorized, can be taken out of the company unauthorized? Unauthorized copies can be taken? etc

Loss of integrity; What happens, what event happens if the integrity of our confidential information is compromised? The integrity of our work files in the electronic environment, contained within the ERP program, inside the USB memory and disks, and the information contained in the Backup cartridges, is damaged. etc.

Loss of accessibility; What happens, I cannot access the information in the physical or electronic environment I need when I need it? etc.

After the phase of the determination of the risks, we will be going to a value determination stage regarding the possibility of the risks that we have identified at this stage and the effect of the occurrence.

You can use the 5X5 = 25 matrix that the world frequently uses in the determination process. You will also achieve the result of using this matrix, as well as the process of risk rating, ie prioritization (risk severity).

During the valuation phase, we must establish our risk criteria that we will use at the same time as the risk rating (the severity level of the risk).

For example, we can use the 25 commonly used matrix in the world as in the example below in order for us to be able to value risk and at the same time to make a risk rating (the severity of risk);


As shown in the Table above, we evaluate the probability of the risk related to the risk by the probability of being 1-5, and if the threat is realized, the effect is determined by 1-5. What does it mean if I give a rating of 1 to 5 for the effect of risk or if the threat occurs? What does 2 mean? In order to answer the questions, we need to have 1 to 5 risk criteria for each value.

For example;


Very Low (1)    : The risk is very low.

Low (2)             : Risk of occurrence is low.

Medium (3)     : The probability of the realization of the risk is moderate.

High (4)           : High risk of occurrence

Very High (5) : The realization of the risk is inevitable.


Very Low (1)      : Losses are almost non-existent.

Low (2)               : Minor faults, small scale financial losses and minor customer complaints may occur on a small scale.

Medium (3)       : Corporate Reputation Loss, short-term cuts in Business Continuity, small-scale security breach, legal or customer audit, customer sanctions, financial losses in the middle, customer dissatisfaction, such as short-term use of systems can be affected.

High (4)             : Corporate Reputation Loss, Customer Loss, Long Term Interruption in Business Continuity, Privacy Infringements, Legal and Customer sanctions, Significant financial losses, systems may be used for a long time such as becoming unusable effects.

Very High (5)   : Corporate Reputation Loss, to the extent that threatens the life of the company Customer Losses, Important Legal, Customer sanctions, Business Continuity Long-term interruptions and information (data) losses, Privacy Violations, Systems become unusable for a long time, Large-scale financial losses effects may occur.

NOTE: You can consider the impact assessment entirely on the basis of financial impacts or, as you wish, you can also take into account the categories such as Financial Impact, Business Continuity Impact, Legal Impact, Customer Effect, Corporate Reputation and Image Effect.

According to the 25-scale matrix we have used above, our risk formula has emerged;

RISK = Probability of Threat X Effect of Threat

When making risk prioritization (risk severity level), we can use the risk priority criteria presented by the 25th matrix we chose to use. So, which of my risks are the risks I should take priority for me? We have found the answer to the question and according to him the criteria we can start action.



After establishing our criteria, one of the most important stages; risk determination, risk criteria, risk assessment (risk analysis, risk prioritization) stages of the identified threats of the identified risks and the weaknesses used for the emergence of these threats to reduce the likelihood of the threat and the effects of the controls (measures).

For example; Our threat is that the machine we use in production is malfunctioning and become useless.

In order to determine the weakness, we ask our question again;

What happens, what happens if our machine fails, become unusable?

What controls (measures) do we have and implement when we reduce the likelihood that our threat will be achieved by using these vulnerabilities for our weaknesses? This will give us the controls (measures) that we have applied to, which reduces the probability of having answers to our question.

Sample Answers;

We have daily cleaning and maintenance activities and we have periodic maintenance plans.

We have continuous training on the use of machinery to our operators. All our operators are competent in this regard.

We ask our question again in determining the controls that reduce the impact of our threat.

What are the controls and controls that will reduce the impact of the event if this threat occurs despite the controls (precaution) applied to prevent our machine from malfunctioning and the non-use of the threat?

Sample Answers;

There’s another one of the same machines. We carry the work on that machine.

Although this machine is not in capacity, we can continue doing the same job on two different machines.

We have a maintenance contract. Within 6 hours there is no intervention and parts guarantee. We wait for this period and continue with the fault. etc.

For the threats of the risks that we have identified later, we are evaluating our risks (risk analysis and risk prioritization) by taking into account the controls (measures) and risk criteria we are applying to reduce the likelihood and impact of these threats.

According to our results, we plan and implement risk improvement (risk processing) actions for our prioritized risks according to the degree of risk improvement required.


As a result of the risk assessment, we need to plan and implement an action plan to improve an unacceptable risk.

There are 4 methods that we will use for the risk improvement action in the Risk Improvement phase. We can do any risk improvement activity by choosing one of the following methods.

Risk Reduction: The implementation of appropriate controls (measures) to reduce the risk and reduce the risk level.

Acceptance of Risk: It is the decision to accept the current risk as it is. Acceptance of risk can only be preferred if it is not possible to implement the controls required to reduce the risk, or that the financial costs to be incurred for the controls to be applied exceeds the impact size of the operational work to be performed.

Risk Disclosure: Insuring or transferring the risk to someone else in case of risk.

Risk Avoidance: It is the risk to decide whether to initiate or continue the activity that causes risk.


ISO 27001 Lead Auditor Trainer