Building the Framework – Summary

The analysis section of the risk assessment is where you analyze and evaluate the risks. To do that properly, you need a framework comprising three elements:

  • Categories – ‘buckets’ or folders into which you group similar threats.
  • Methodology – the formulaic definition of risk you will use for your actual calculations.
  • Metrics – the values you will use to describe and ‘measure’ each component and the risk itself.

You must have each of these elements in place to build an effective assessment. Ensure that the framework you are using is fit for purpose and suitable for your organization.

This is also the time to decide on the tools you want to use, whether that’s a spreadsheet, Boston Square or software. Again, ensure the tool works for your needs and the culture of the organization.

If in doubt, KISS – this is definitely an area where keeping it simple will pay enormous dividends.



Beyond The Spreadsheet Copyright © 2020 by Andrew Sheves. All Rights Reserved.
