After you have created a risk category, it is time to set the risk profile of that risk category. The risk profile is divided into risk tolerance and risk criteria.
The risk tolerance is the level of impact and probability that the organisation is willing to tolerate in a certain risk category (e.g. information risk).
You have to identify the risk tolerance for both business risk and privacy risk, since the organisation's tolerance can differ between these two types. There are 4 levels of impact and probability. Choose the impact level that matches your organisation's business tolerance and the probability of the risk. It is important to have this level approved by top management before deciding on how to manage the risks you may identify across the organisation.
- An example of risk tolerance in regards to business risk:
Impact on the business: low
Description: Management has decided that the business can tolerate a maximum of medium risk when it comes to integrity and availability, but only a low risk when it comes to confidentiality, as the organisation deals with a lot of confidential information. A compromise of confidentiality would have big reputational and, in the end, financial consequences.
- An example of risk tolerance in regards to privacy risk:
Impact on privacy: Very low
Probability of the risk: Very unlikely
Description: Management tolerates only a low level for privacy risks as it is part of the organization’s DNA to protect both customers and employees in the best way possible at all costs.
The above method is used again when defining the risk criteria. This is where you set the definitions of the different risk levels that will be used when defining the risk profile. The criteria will be visible when processes, activities, systems or contracts are risk assessed (see picture below).
Following is an example of impact and probability definitions.
- Business risk impact and probability
Very low impact can be defined as: Negligible impact, only a few internal staff notice, no significant costs.
Low impact can be defined as: Slight disturbance of business operations. Back to normal > 1 day. The incident is only noticed by internal staff and a few externals. The general public is not informed. Minor regulatory issues. Potential costs are noticeable but do not threaten profit. 10.000-1 M/EUR.
High impact can be defined as: Substantial disturbance of business operations. Incident noticed by external parties and media coverage. Potential costs have a significant influence on profit. 1 M – 10 M/EUR.
Very high impact can be defined as: Recovery procedures are not sufficient to fully restore normal business operations. Confidence of affected parties is likely to be lost. Potential costs exceed financial reserves. Above 10 M/EUR.
Very unlikely probability can be defined as: Not expected to occur for years; less than 1 %.
Unlikely probability can be defined as: Expected to occur at least annually; 1-10 %.
Likely probability can be defined as: Expected to occur at least monthly; 10-50 %.
Very likely probability can be defined as: Expected to occur at least weekly; more than 50 %.
- Privacy risk impact and probability
- Privacy risk impact and the probability
The above-mentioned method can be used for setting the risk profile of the privacy risks too.
Example of a privacy risk impact criteria:
Very low impact definition: Negligible impact on data subjects. Only a few data subjects are involved. Only public and generic personal data are involved. No financial or reputational effects on data subjects.
Low impact definition: Slight impact on data subjects' freedom of action or reputation. 0-500 data subjects involved. Generic personal data involved.
High impact definition: Substantial impact on data subjects' freedom of action, reputation, health, or legal rights. 500-1000 data subjects involved. Semi-sensitive personal data or personal identification involved, or generic data linked in a way that makes it possible to deduce information about an individual's behaviour.
Very high impact definition: Severe impact on data subjects' freedom of action, reputation, health, or legal rights. 1000+ data subjects involved. Sensitive personal data involved, or generic data linked in a way that makes it possible to deduce private information about an individual's behaviour.
Example of privacy risk probability criteria:
Very unlikely probability: Not expected to occur for years. Less than 1 % chance.
Unlikely probability: Expected to occur at least annually. 1-10 % chance.
Likely probability: Expected to occur at least monthly. 10-50 % chance.
Very likely probability: Expected to occur at least weekly. More than 50 % chance.
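The business criteria above are easiest to apply consistently when they are written down as a scoring rule. The following added example (not the tool's own code) encodes the business impact and probability bands from the text and checks assessed risks against a tolerance modelled on the business tolerance example; the tolerance values, the aspect names and the sample risks are constructed for illustration.

```python
# Added example, not the tool's own code: encode the impact/probability
# criteria from the text and flag risks that exceed the agreed tolerance.
IMPACT_LEVELS = ("very low", "low", "high", "very high")
PROBABILITY_LEVELS = ("very unlikely", "unlikely", "likely", "very likely")

def business_impact(cost_eur: float) -> str:
    """Potential cost in EUR -> impact level, using the text's thresholds."""
    if cost_eur < 10_000:
        return "very low"
    if cost_eur < 1_000_000:
        return "low"
    if cost_eur < 10_000_000:
        return "high"
    return "very high"

def probability_level(percent: float) -> str:
    """Estimated probability in % -> probability level, using the text's bands."""
    if percent < 1:
        return "very unlikely"
    if percent < 10:
        return "unlikely"
    if percent <= 50:
        return "likely"
    return "very likely"

def exceeds_tolerance(risk: dict, tolerance: dict) -> bool:
    """True when impact or probability is above what management accepts
    for the affected aspect (confidentiality, integrity or availability)."""
    tol = tolerance[risk["aspect"]]
    impact = business_impact(risk["cost_eur"])
    prob = probability_level(risk["probability_pct"])
    return (IMPACT_LEVELS.index(impact) > IMPACT_LEVELS.index(tol["impact"])
            or PROBABILITY_LEVELS.index(prob) > PROBABILITY_LEVELS.index(tol["probability"]))

# Assumed tolerance mirroring the business example: confidentiality is held to a
# lower level than integrity/availability ("high" stands in for "medium" here).
TOLERANCE = {
    "confidentiality": {"impact": "low", "probability": "unlikely"},
    "integrity": {"impact": "high", "probability": "likely"},
    "availability": {"impact": "high", "probability": "likely"},
}
# Constructed sample risks as they might come out of an assessment.
SAMPLE_RISKS = [
    {"name": "Customer DB leak", "aspect": "confidentiality", "cost_eur": 2_000_000, "probability_pct": 5},
    {"name": "Backup job failure", "aspect": "availability", "cost_eur": 50_000, "probability_pct": 15},
    {"name": "Unauthorised record edit", "aspect": "integrity", "cost_eur": 500_000, "probability_pct": 60},
]

def risks_over_tolerance(risks=SAMPLE_RISKS, tolerance=TOLERANCE) -> list:
    """Names of the risks that need treatment rather than acceptance."""
    return [r["name"] for r in risks if exceeds_tolerance(r, tolerance)]
```

Of the three sample risks, the database leak exceeds tolerance on impact and the record edit on probability, while the backup failure falls within what management accepted for availability.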
When you have finished defining your company's risk tolerance and risk criteria, click Save.
Under the sheet Risk Scenarios, you can see which risk categories are related to the category.